feat: configure semantic release with GitHub App token for branch protection bypass

Zvi Fried · Zvi Fried · commit 315cb379fb1b · 2025-08-30T19:58:06.000+03:00
- Add GitHub App token generation using tibdex/github-app-token@v2
- Use app token for checkout and semantic release operations
- Enables semantic release to bypass branch protection rules
- App ID: 1870077 configured in repository secrets
- Maintains security while allowing automated releases
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
@@ -21,11 +21,18 @@ jobs:
       id-token: write
 
     steps:
+    - name: Generate GitHub App Token
+      id: generate_token
+      uses: tibdex/github-app-token@v2
+      with:
+        app_id: ${{ secrets.APP_ID }}
+        private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Checkout code
       uses: actions/checkout@v5
       with:
         fetch-depth: 0
-        token: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ steps.generate_token.outputs.token }}
 
     - name: Install uv
       uses: astral-sh/setup-uv@v6
@@ -49,7 +56,7 @@ jobs:
 
     - name: Run semantic-release
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
       run: |
         npx semantic-release
