From 1514595fbe87c4d853032e4189147e1d6d8f80bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roch=C3=A9=20Compaan?= <roche@sixfeetup.com>
Date: Fri, 27 Feb 2026 15:52:16 -0400
Subject: [PATCH] feat(github): use scaf release bot to run semantic release

---
 .github/workflows/semantic-release.yaml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
index 47dcdf9..9280402 100644
--- a/.github/workflows/semantic-release.yaml
+++ b/.github/workflows/semantic-release.yaml
@@ -14,22 +14,21 @@ jobs:
     runs-on: ubuntu-latest
     environment: dev
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+          # Prevent checkout from persisting the GitHub App token in local git config
           persist-credentials: false
 
-      - name: Setup SSH
-        uses: webfactory/ssh-agent@v0.8.0
-        with:
-          ssh-private-key: ${{ secrets.GA_DEPLOY_KEY }}
-
-      # use SSH url to ensure git commit using a deploy key bypasses the main
-      # branch protection rule
-      - name: Configure Git for SSH Push
-        run: git remote set-url origin "git@github.com:${{ github.repository }}.git"
-
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -44,4 +43,4 @@ jobs:
       - name: Run Semantic Release
         run: npx semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}