From 34b405b770137b81e4e53208705f5f3a74b0fd8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Aveiro?=
Date: Mon, 26 Jan 2026 15:04:36 +0000
Subject: [PATCH] ci: use GitHub App for semantic release authentication

This enables the release bot to bypass branch protection rulesets by using a GitHub App token instead of the default GITHUB_TOKEN.
---
 .github/workflows/release.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 00961b4..7e455d4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,6 +27,13 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ - name: Generate GitHub App token
+ id: app-token
+ if: ${{ secrets.ETHIACK_RELEASE_BOT_APP_ID != '' && secrets.ETHIACK_RELEASE_BOT_APP_PRIVATE_KEY != '' }}
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.ETHIACK_RELEASE_BOT_APP_ID }}
+ private-key: ${{ secrets.ETHIACK_RELEASE_BOT_APP_PRIVATE_KEY }}
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -42,5 +49,5 @@ jobs:
 run: npm audit signatures
 - name: Release
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
 run: npx semantic-release
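Review bot: The `if:` on the new "Generate GitHub App token" step reads the `secrets` context, which GitHub Actions does not make available to step-level `if:` expressions, so the workflow is expected to be rejected at validation rather than skip the step when the secrets are absent. An App ID is not sensitive, so one option is to keep it in a repository variable (which would have to be created) and gate on that, `if: ${{ vars.ETHIACK_RELEASE_BOT_APP_ID != '' }}`, leaving only the private key in `secrets`; mapping the private key into job-level `env` just to test it would hand it to every later step in the job. Because this step holds a key that mints tokens able to bypass branch protection, `uses: actions/create-github-app-token@<full-commit-sha> # v1` is safer than the movable `@v1` tag. The job's step list begins and continues outside the hunk.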
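Review bot: The App token set in `GITHUB_TOKEN` on the Release step may not be the credential git actually pushes with, because the checkout step shown as context in the first hunk sets only `fetch-depth: 0`, and `actions/checkout` by default persists the workflow's own token in the local git configuration. If semantic-release pushes tags or commits over git here, adding `persist-credentials: false` under that checkout's `with:` keeps the persisted default token from taking precedence over the App token. The `|| secrets.GITHUB_TOKEN` fallback is also silent: when the token step is skipped, the release continues with the default token and will presumably fail only at the protected-branch push. A comment above the `env:` entry such as `# falls back to the default token when the release App is not configured` would record that this is intended.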