ci: fix protected branch error in release workflow

matejchalk · matejchalk · commit c4677436f3bb · 2025-09-24T13:47:56.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,36 +2,44 @@ name: Release
 
 on:
   push:
-    branches:
-      - main
+    # TODO: revert
+    # branches:
+    #   - main
 
 concurrency:
   group: release
   cancel-in-progress: false
 
-permissions:
-  contents: write
-  id-token: write
-
-env:
-  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  NX_NON_NATIVE_HASHER: true
-  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-
 jobs:
   release:
     name: Publish packages
     runs-on: ubuntu-latest
+    environment: release
+    env:
+      NX_NON_NATIVE_HASHER: true
+      NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
+      - name: Authenticate as "Code PushUp Bot" GitHub App
+        uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: Fetch GitHub App's user ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Configure Git user
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
       - name: Clone the repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Configure Git user
-        # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
-        run: |
-          git config user.name github-actions[bot]
-          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+          token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -40,4 +48,8 @@ jobs:
       - name: Install dependencies
         run: npm ci
       - name: Version, release and publish packages
-        run: npx nx release --yes
+        # TODO: revert
+        # run: npx nx release --yes
+        run: npx nx release publish
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
