feat(release): Replace release bot with GH app (#621)

The `getsentry-release` is a GitHub bot account that is used in various automation, and the `${{ secrets.GH_RELEASE_PAT }}` is a personal access token from that bot account. We are using a regular GitHub account as a bot while it should be a non-human account since there are no humans behind it. Hence, we are replacing it with a GitHub App. Functionality wise, there will be no difference. More details: https://www.notion.so/sentry/DACI-Replace-GitHub-bot-accounts-with-GitHub-Apps-getsentry-release-15109965d1204a91b9be71c49e8b66e0?pvs=4 #skip-changelog
getsentry · Dec 11, 2024 · af4de8c · af4de8c
1 parent f0bb9a9
commit af4de8c
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/.github/workflows/prepare-publish.yml b/.github/workflows/prepare-publish.yml
@@ -25,6 +25,13 @@ jobs:
       - name: Setup dependencies
         run: pnpm install
 
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+
       - name: Create Release Pull Request
         id: changesets
         uses: changesets/action@v1
@@ -33,4 +40,4 @@ jobs:
           commit: 'meta(changelog): Update package versions'
           title: 'meta(changelog): Update package versions'
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}