chore(release): use GitHub App token for releases

Author: kruton

.github/scripts/create-release-branch.sh

@@ -27,12 +27,12 @@ fi
 require_missing_remote_branch "${maintenance_branch}"
 require_remote_branch "${source_branch}"
 
-configure_git_credentials
 git fetch origin "+refs/heads/${source_branch}:refs/remotes/origin/${source_branch}" --tags
 git rev-parse --verify --end-of-options "${source_ref}^{commit}" >/dev/null
 if ! git merge-base --is-ancestor -- "${source_ref}^{commit}" "origin/${source_branch}"; then
   echo "Source ref ${source_ref} is not reachable from origin/${source_branch}."
   exit 1
 fi
+configure_git_credentials
 git push origin "${source_ref}^{commit}:refs/heads/${maintenance_branch}"
 gh issue comment "${ISSUE_NUMBER}" --body "Created ${maintenance_branch} from ${source_ref}."

.github/scripts/prepare-release.sh

@@ -24,7 +24,6 @@ require_remote_branch "${target_branch}"
 require_missing_remote_branch "${work_branch}"
 
 configure_git_author
-configure_git_credentials
 git fetch origin "+refs/heads/${target_branch}:refs/remotes/origin/${target_branch}" --tags
 git checkout -B "${work_branch}" "origin/${target_branch}"
 
@@ -34,6 +33,7 @@ git checkout -B "${work_branch}" "origin/${target_branch}"
   -Prelease.releaseVersion="${release_version}" \
   -Prelease.newVersion="${next_version}"
 
+configure_git_credentials
 git push origin "HEAD:refs/heads/${work_branch}"
 
 {

.github/scripts/publish-release.sh

@@ -62,7 +62,6 @@ fi
 gh pr checks "${pr_number}" --required --fail-fast
 
 configure_git_author
-configure_git_credentials
 git fetch origin \
   "+refs/heads/${target_branch}:refs/remotes/origin/${target_branch}" \
   "+refs/heads/${work_branch}:refs/remotes/origin/${work_branch}" \
@@ -106,5 +105,6 @@ if [[ "$(git cat-file -t "${tag_name}")" != "tag" ]]; then
   exit 1
 fi
 
+configure_git_credentials
 git push --atomic --follow-tags origin "refs/remotes/origin/${work_branch}:refs/heads/${target_branch}"
 gh issue comment "${ISSUE_NUMBER}" --body "Published ${tag_name} to ${target_branch}."

.github/workflows/release-branch.yml

@@ -5,7 +5,7 @@ on:
     types: [labeled]
 
 permissions:
-  contents: write
+  contents: read
   issues: write
 
 jobs:
@@ -18,7 +18,6 @@ jobs:
       GH_TOKEN: ${{ github.token }}
       ISSUE_BODY: ${{ github.event.issue.body }}
       ISSUE_NUMBER: ${{ github.event.issue.number }}
-      PUSH_TOKEN: ${{ github.token }}
       RELEASE_ACTOR: ${{ github.event.sender.login }}
     steps:
       - name: Checkout
@@ -28,11 +27,27 @@ jobs:
           fetch-tags: true
           persist-credentials: false
 
+      - name: Authorize release actor
+        run: bash -c 'source .github/scripts/release-common.sh; require_maintainer'
+
+      - name: Create release app token
+        id: release-app-token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Create branch
+        env:
+          PUSH_TOKEN: ${{ steps.release-app-token.outputs.token }}
         run: |
           set -o pipefail
           bash .github/scripts/create-release-branch.sh 2>&1 | tee "${RUNNER_TEMP}/release-branch.log"
 
       - name: Comment on failure
         if: failure()
+        env:
+          PUSH_TOKEN: ${{ steps.release-app-token.outputs.token }}
         run: bash .github/scripts/comment-issue-failure.sh "${RUNNER_TEMP}/release-branch.log" "Create release branch"

.github/workflows/release-prepare.yml

@@ -5,9 +5,8 @@ on:
     types: [labeled]
 
 permissions:
-  contents: write
+  contents: read
   issues: write
-  pull-requests: write
 
 jobs:
   prepare:
@@ -19,7 +18,6 @@ jobs:
       GH_TOKEN: ${{ github.token }}
       ISSUE_BODY: ${{ github.event.issue.body }}
       ISSUE_NUMBER: ${{ github.event.issue.number }}
-      PUSH_TOKEN: ${{ github.token }}
       RELEASE_ACTOR: ${{ github.event.sender.login }}
     steps:
       - name: Checkout
@@ -29,6 +27,9 @@ jobs:
           fetch-tags: true
           persist-credentials: false
 
+      - name: Authorize release actor
+        run: bash -c 'source .github/scripts/release-common.sh; require_maintainer'
+
       - name: Set up JDK
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
@@ -40,13 +41,26 @@ jobs:
         with:
           validate-wrappers: true
 
+      - name: Create release app token
+        id: release-app-token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Prepare release branch
         id: release
+        env:
+          PUSH_TOKEN: ${{ steps.release-app-token.outputs.token }}
         run: |
           set -o pipefail
           bash .github/scripts/prepare-release.sh 2>&1 | tee "${RUNNER_TEMP}/release-prepare.log"
 
       - name: Open or update release pull request
+        env:
+          GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
         run: |
           set -o pipefail
           bash .github/scripts/upsert-release-pr.sh \
@@ -59,4 +73,6 @@ jobs:
 
       - name: Comment on failure
         if: failure()
+        env:
+          PUSH_TOKEN: ${{ steps.release-app-token.outputs.token }}
         run: bash .github/scripts/comment-issue-failure.sh "${RUNNER_TEMP}/release-prepare.log" "Prepare release"

.github/workflows/release-publish.yml

@@ -30,6 +30,9 @@ jobs:
           fetch-tags: true
           persist-credentials: false
 
+      - name: Authorize release actor
+        run: bash -c 'source .github/scripts/release-common.sh; require_maintainer'
+
       - name: Create release app token
         id: release-app-token
         uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4