need to use the token with the workflow permissions (#91)

derekmisler · web-flow · commit 61cd1a7532c8 · 2026-03-12T14:04:06.000-04:00
Signed-off-by: Derek Misler &lt;derek.misler@docker.com&gt;
diff --git a/.github/workflows/pr-describe.yml b/.github/workflows/pr-describe.yml
@@ -275,15 +275,19 @@ jobs:
       - name: Post summary
         if: always()
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          PR_TITLE: ${{ steps.pr_details.outputs.title }}
+          PR_BRANCH: ${{ steps.pr_details.outputs.branch }}
+          PR_BASE: ${{ steps.pr_details.outputs.base }}
+          PR_CONCLUSION: ${{ steps.generate.conclusion }}
         with:
           github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
-            // Use context.issue.number directly - always available, doesn't depend on previous steps
             const prNumber = context.issue.number;
-            const title = '${{ steps.pr_details.outputs.title }}' || 'Unknown';
-            const branch = '${{ steps.pr_details.outputs.branch }}' || 'Unknown';
-            const base = '${{ steps.pr_details.outputs.base }}' || 'Unknown';
-            const conclusion = '${{ steps.generate.conclusion }}' || 'failure';
+            const title = process.env.PR_TITLE || 'Unknown';
+            const branch = process.env.PR_BRANCH || 'Unknown';
+            const base = process.env.PR_BASE || 'Unknown';
+            const conclusion = process.env.PR_CONCLUSION || 'failure';
 
             const summary = [
               '## 📝 PR Description Generator',
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -174,19 +174,11 @@ jobs:
       group: update-pinata
       cancel-in-progress: false
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
-        with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
-          repository: docker/pinata
-
       - name: Checkout pinata
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: docker/pinata
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.RELEASE_TOKEN }}
 
       - name: Update cagent-action reference
         id: update
@@ -224,15 +216,15 @@ jobs:
       - name: Create or update PR
         if: steps.update.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           VERSION: ${{ needs.release.outputs.version }}
           SHA: ${{ needs.release.outputs.sha }}
         run: |
           BRANCH="auto/update-cagent-action"
           RELEASE_URL="https://github.com/docker/cagent-action/releases/tag/$VERSION"
 
-          git config user.name "docker-agent[bot]"
-          git config user.email "259137750+docker-agent[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
 
           git checkout -B "$BRANCH"
           git add .github/workflows/pr-review.yml
