fix: Use GitHub App token for prerelease workflow dispatch (#913)

aaronsteers · devin-ai-integration[bot] · web-flow · commit 9f3c70759fd5 · 2025-12-13T16:47:47.000-08:00
Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/prerelease-command.yml b/.github/workflows/prerelease-command.yml
@@ -72,12 +72,20 @@ jobs:
     needs: [resolve-pr]
     runs-on: ubuntu-latest
     steps:
+    - name: Authenticate as GitHub App
+      uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+      id: get-app-token
+      with:
+        owner: "airbytehq"
+        repositories: "PyAirbyte"
+        app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+        private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
     - name: Trigger pypi_publish workflow
       id: dispatch
       uses: the-actions-org/workflow-dispatch@v4
       with:
         workflow: pypi_publish.yml
-        token: ${{ secrets.GITHUB_CI_WORKFLOW_TRIGGER_PAT }}
+        token: ${{ steps.get-app-token.outputs.token }}
         ref: main  # Run from main so OIDC attestation matches trusted publisher
         inputs: '{"git_ref": "refs/pull/${{ github.event.inputs.pr }}/head", "version_override": "${{ needs.resolve-pr.outputs.prerelease-version }}", "publish": "true"}'
         wait-for-completion: true
