diff --git a/.github/workflows/bump-api-schema-sha.yml b/.github/workflows/bump-api-schema-sha.yml
index 43581520d038a..850a2bc89c593 100644
--- a/.github/workflows/bump-api-schema-sha.yml
+++ b/.github/workflows/bump-api-schema-sha.yml
@@ -12,13 +12,19 @@ jobs:
 name: 'Bump API Schema SHA'
 steps:
 - uses: actions/checkout@v4.1.1
+ - name: Get auth token
+ id: token
+ uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+ with:
+ app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
+ private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
 - name: 'Bump API Schema SHA'
 shell: bash
 env:
 # An elevated token is necessary because with plain github.token
 # GitHub does not recursively call workflows, which means CI does not
 # kick off for the PR we're about to create.
- GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+ GITHUB_TOKEN: ${{ steps.token.outputs.token }}
 run: |
 set -euo pipefail
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 2ada031babfa1..e6a92579e6ba7 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -13,14 +13,20 @@ jobs:
 runs-on: ubuntu-latest
 name: "Release a new version"
 steps:
+ - name: Get auth token
+ id: token
+ uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+ with:
+ app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
 - uses: actions/checkout@v4.1.1
 with:
- token: ${{ secrets.GH_RELEASE_PAT }}
+ token: ${{ steps.token.outputs.token }}
 fetch-depth: 0
 - name: Prepare release
 uses: getsentry/action-prepare-release@v1
 env:
- GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+ GITHUB_TOKEN: ${{ steps.token.outputs.token }}
 with:
 version: ${{ github.event.inputs.version }}
 force: ${{ github.event.inputs.force }}
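Review bot: The `Get auth token` step in bump-api-schema-sha.yml mints an installation token with no narrowing, so `steps.token.outputs.token` carries every permission the app installation holds, while the env comment suggests the script only needs to open a PR that triggers CI. The `run:` script continues outside the hunk, so its exact needs are not visible here. It is worth confirming that the app behind `SENTRY_INTERNAL_APP_ID` is limited to the contents and pull-request write access this job appears to use. The comment above `GITHUB_TOKEN` could also say what the token now is, e.g. `# An app installation token (not github.token) is used so that CI runs on the PR we create.`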
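Review bot: In prepare-release.yml the new token is handed to `getsentry/action-prepare-release@v1`, which is referenced by a movable tag, while the token-minting action added in the same hunk is pinned by commit SHA. Pinning the consumer the same way (`uses: getsentry/action-prepare-release@<commit-sha> # v1`) would keep the write-capable token from reaching code that was not reviewed. The token also goes to `actions/checkout` via `token:`, which by default leaves it in the checkout's git configuration for later steps; that is presumably intended so the release step can push, but it deserves a one-line comment. Installation tokens expire after about an hour, unlike the PAT they replace, so a release run that outlasts that would fail at push time. Finally, `app-id` is fed from `vars.SENTRY_RELEASE_BOT_CLIENT_ID` here but from an `..._APP_ID` variable in bump-api-schema-sha.yml, so a short comment saying which identifier the variable holds would avoid confusion.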