ci: Use RELEASE_TOKEN instead of GITHUB_TOKEN for release jobs

ckyrouac · ckyrouac · commit e67eafefba1f · 2025-08-06T10:25:32.000-04:00
The automated release workflow is broken due to insufficient permissions. This allows fine grained control over the permissions by using a generated token instead of the default one.

Signed-off-by: ckyrouac &lt;ckyrouac@redhat.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_TOKEN }}
       
       - name: Extract version
         id: extract_version
@@ -88,7 +88,7 @@ jobs:
         id: create_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         with:
           tag_name: ${{ steps.extract_version.outputs.TAG_NAME }}
           release_name: Release ${{ steps.extract_version.outputs.TAG_NAME }}
@@ -109,7 +109,7 @@ jobs:
       - name: Upload vendor archive
         uses: actions/upload-release-asset@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./target/bootc-${{ steps.extract_version.outputs.version }}-vendor.tar.zstd
@@ -119,7 +119,7 @@ jobs:
       - name: Upload source archive
         uses: actions/upload-release-asset@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./target/bootc-${{ steps.extract_version.outputs.version }}.tar.zstd
diff --git a/.github/workflows/scheduled-release.yml b/.github/workflows/scheduled-release.yml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_TOKEN }}
       
       - name: Mark git checkout as safe
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
