From b6709aaf6510219c5fea1d3d21987d7d13d65fdd Mon Sep 17 00:00:00 2001
From: aa638
Date: Wed, 10 Jun 2026 10:00:26 +0200
Subject: [PATCH] ci: use org release-bot app token for release-please
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PRs opened with the default GITHUB_TOKEN don't trigger workflows, so the required validate check never ran on release PRs. Mint a token from the org's release-bot GitHub App instead — same pattern as bifrost-mkdocs, json-api-toolkit, and hashicorp-vault-backup.
Co-Authored-By: Claude Fable 5
---
 .github/workflows/release-please.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index b76ee24..4ac30f8 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -4,15 +4,18 @@ on:
 push:
 branches: [main]
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ id: app-token
+ with:
+ app-id: ${{ vars.RELEASE_BOT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
 - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 with:
+ token: ${{ steps.app-token.outputs.token }}
 config-file: .release-please-config.json
 manifest-file: .release-please-manifest.json
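Review bot: Removing the top-level `permissions:` block leaves the job's built-in GITHUB_TOKEN at whatever default the repository or organisation sets, which may be read/write across every scope. Since the release-please step now authenticates with the app token, I would keep the key and empty it with `permissions: {}` rather than drop it. The minted app token also inherits all permissions of the release-bot installation unless narrowed, so under the `Generate token` step's `with:` I would add `permission-contents: write` and `permission-pull-requests: write`, mirroring the two scopes the removed block granted. Whether release-please needs anything beyond those two (for labels, say) should be confirmed on a test release PR. A one-line comment above the step saying the app token exists so that release PRs trigger the required validate check would keep the commit message's reasoning in the file.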