fix(ci): use RELEASE_TOKEN to bypass protected branch in semantic-release (#152)

* fix(ci): use RELEASE_TOKEN to bypass protected branch in semantic-release

GITHUB_TOKEN cannot push to a branch protected by PR requirement.
RELEASE_TOKEN (PAT with repo scope) must be created as a repository
secret and added to branch protection bypass rules.

Closes #151

* fix(ci): replace RELEASE_TOKEN PAT with GitHub App token for protected branch push

Uses actions/create-github-app-token to generate a short-lived token
from a GitHub App that has branch protection bypass permissions.
Secrets required: RELEASE_APP_ID, RELEASE_APP_PRIVATE_KEY.

Author: TheMeinerLP

.github/workflows/release.yml

@@ -16,11 +16,18 @@ jobs:
     if: github.repository_owner == 'OneLiteFeatherNET'
     runs-on: ubuntu-latest
     steps:
+      - name: Generate bot token
+        id: app-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713a63b1132f8e3a # v2
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          persist-credentials: false
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Setup Java
         uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
@@ -44,7 +51,7 @@ jobs:
       - name: Run semantic-release
         run: npx --no-install semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           ONELITEFEATHER_MAVEN_USERNAME: ${{ secrets.ONELITEFEATHER_MAVEN_USERNAME }}
           ONELITEFEATHER_MAVEN_PASSWORD: ${{ secrets.ONELITEFEATHER_MAVEN_PASSWORD }}
           GIT_AUTHOR_NAME: "github-actions[bot]"