fix: use GitHub App token for pinata PR updates

derekmisler · derekmisler · commit 4cf419673e0a · 2026-03-24T15:20:56.000-04:00
Assisted-By: docker-agent
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -174,11 +174,19 @@ jobs:
       group: update-pinata
       cancel-in-progress: false
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        with:
+          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
+          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          repositories: ["pinata"]
+
       - name: Checkout pinata
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: docker/pinata
-          token: ${{ secrets.RELEASE_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Update cagent-action reference
         id: update
@@ -216,15 +224,15 @@ jobs:
       - name: Create or update PR
         if: steps.update.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           VERSION: ${{ needs.release.outputs.version }}
           SHA: ${{ needs.release.outputs.sha }}
         run: |
           BRANCH="auto/update-cagent-action"
           RELEASE_URL="https://github.com/docker/cagent-action/releases/tag/$VERSION"
 
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config user.name "docker-agent[bot]"
+          git config user.email "docker-agent[bot]@users.noreply.github.com"
 
           git checkout -B "$BRANCH"
           git add .github/workflows/pr-review.yml
