chore(release): use own GH app for releasing (#958)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: semantic-release <semantic-release>
Co-authored-by: cyclonedx-internal-release-bot[bot] <275040549+cyclonedx-internal-release-bot[bot]@users.noreply.github.com>
Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com>

Author: jkowalleck

.github/workflows/release.yml

@@ -103,11 +103,28 @@ jobs:
       id-token: write
       contents: write
     steps:
+      - name: Generate GitHub App Token
+        id: release-bot-token
+        # see https://github.com/actions/create-github-app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases
+          app-id: 3335294
+          private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: release-bot-user-id
+        run: |
+          set -xeu
+          echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.release-bot-token.outputs.token }}
+
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          token: ${{ steps.release-bot-token.outputs.token }}
 
       - name: Setup python
         # see https://github.com/actions/setup-python
@@ -134,7 +151,9 @@ jobs:
         # see https://github.com/python-semantic-release/python-semantic-release
         uses: python-semantic-release/python-semantic-release@v10.0.2
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot]
+          git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com
+          github_token: ${{ steps.release-bot-token.outputs.token }}
           force: ${{ github.event.inputs.release_force }}
           prerelease: ${{ github.event.inputs.prerelease }}
           prerelease_token: ${{ github.event.inputs.prerelease_token }}
@@ -151,5 +170,5 @@ jobs:
         # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action
         uses: python-semantic-release/publish-action@v10
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.release-bot-token.outputs.token }}
           tag: ${{ steps.release.outputs.tag }}

pyproject.toml

@@ -115,8 +115,7 @@ jsonschema = { version = "*", extras = ["format"], optional=true }
 logging_use_named_masks = true
 commit_parser = "conventional"
 commit_parser_options = { parse_squash_commits = true, ignore_merge_commits = true }
-commit_author = "semantic-release <semantic-release@bot.local>"
-commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release\n\nSigned-off-by: semantic-release <semantic-release@bot.local>"
+commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release"
 upload_to_vcs_release = true
 build_command = """
   pip install poetry