
need to use the token with the workflow permissions#91

Merged: derekmisler merged 1 commit into docker:main from derekmisler:need-to-use-this-token-instead-because-im-editi on Mar 12, 2026

Conversation

@derekmisler (Contributor) commented Mar 12, 2026

Summary

Switches the update-pinata job in the release workflow from a GitHub App token (via tibdex/github-app-token) to the RELEASE_TOKEN secret for authenticating with the docker/pinata repository. This is required because editing workflow files (.github/workflows/) demands a token with the workflow scope, which a standard GitHub App token may not provide.

Changes

  • .github/workflows/release.yml: Removes the Generate GitHub App token step and replaces all references to steps.app-token.outputs.token with secrets.RELEASE_TOKEN for both the checkout step and the GH_TOKEN env var used when creating/updating the PR. Also updates the git commit identity from docker-agent[bot] to github-actions[bot] to match the new token's identity.

How to Test

  • Trigger a release and confirm the update-pinata job completes successfully, checking out docker/pinata and opening/updating a PR without permission errors on the workflow file change.
  • Verify the resulting PR in docker/pinata shows github-actions[bot] as the commit author.

Closes: https://github.com/docker/gordon/issues/204
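As an added illustration of the change described above (this is not the docker/gordon release.yml, which is not shown on this page; every name other than update-pinata, docker/pinata and RELEASE_TOKEN is assumed), the shape of the job before and after, plus a guard step a practitioner would want. Two caveats: a GitHub App installation token can also push files under .github/workflows/ if the app is granted the "workflows" repository permission, so the PAT is one route rather than the only one; and the commit author is whatever git config sets, while the resulting PR is attributed to the account that owns RELEASE_TOKEN, not to github-actions[bot]. The guard reads the X-OAuth-Scopes header that GitHub returns for classic tokens; fine-grained tokens do not send it.

```yaml
# Illustrative only: not the project's release.yml. Names other than
# update-pinata, docker/pinata and RELEASE_TOKEN are assumed.
jobs:
  update-pinata:
    runs-on: ubuntu-latest
    steps:
      # --- Before: short-lived GitHub App installation token -----------------
      # Scoped to one repository and expiring after an hour, but unable to push
      # changes under .github/workflows/ unless the app holds the "workflows"
      # repository permission.
      # - name: Generate GitHub App token
      #   id: app-token
      #   uses: tibdex/github-app-token@v2
      #   with:
      #     app_id: ${{ secrets.APP_ID }}              # assumed secret names
      #     private_key: ${{ secrets.APP_PRIVATE_KEY }}
      #     repositories: pinata
      # - uses: actions/checkout@v4
      #   with:
      #     repository: docker/pinata
      #     token: ${{ steps.app-token.outputs.token }}

      # --- After: classic PAT stored as RELEASE_TOKEN ------------------------
      # Fail fast if the secret is ever rotated to a token without the workflow
      # scope, instead of failing later at `git push` with an opaque 403.
      - name: Verify RELEASE_TOKEN carries the workflow scope
        env:
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          scopes=$(curl -sS -I -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/ \
                   | tr -d '\r' | awk -F': ' 'tolower($1)=="x-oauth-scopes" {print $2}')
          echo "token scopes: ${scopes:-<none reported>}"
          if ! printf '%s' "$scopes" | tr -d ' ' | tr ',' '\n' | grep -qx workflow; then
            echo "::error::RELEASE_TOKEN lacks the workflow scope needed to edit .github/workflows/"
            exit 1
          fi

      - uses: actions/checkout@v4
        with:
          repository: docker/pinata
          token: ${{ secrets.RELEASE_TOKEN }}   # persisted, so git push below uses it

      - name: Commit workflow change as github-actions[bot]
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B update-gordon-release          # branch name assumed
          # ... apply the generated edit to .github/workflows/<file>.yml here
          git add .github/workflows
          git commit -m "chore: update gordon release"   # message assumed
          git push --force origin update-gordon-release

      - name: Open or update the PR
        env:
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          gh pr create --repo docker/pinata --base main --head update-gordon-release \
            --title "Update gordon release" --body "Automated update" \
          || gh pr edit update-gordon-release --repo docker/pinata --body "Automated update"
```

A classic PAT with the repo scope reaches every repository its owner can write to, which is the scoping loss the first bot review flags. If the token must stay a PAT, a fine-grained token restricted to docker/pinata with Contents, Pull requests and Workflows set to read-and-write keeps the blast radius close to what the App token had.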

@derekmisler (Contributor, Author) commented:

/describe

@derekmisler derekmisler marked this pull request as ready for review March 12, 2026 15:41
@derekmisler derekmisler requested a review from a team as a code owner March 12, 2026 15:41
@docker-agent (Contributor) bot commented Mar 12, 2026

✅ PR description has been generated and updated!

Signed-off-by: Derek Misler <derek.misler@docker.com>
@derekmisler derekmisler force-pushed the need-to-use-this-token-instead-because-im-editi branch from afaa6ee to 9304345 Compare March 12, 2026 15:44
@docker-agent (Contributor) bot left a comment

Review Summary

Assessment: 🔴 CRITICAL

This PR replaces a scoped GitHub App token with an undocumented RELEASE_TOKEN secret in the release workflow. While this change may be necessary for editing workflows (as mentioned in the PR title), it introduces security and operational concerns that should be addressed.

Critical Issues

1 HIGH severity issue found: The token change removes explicit repository scoping and permission transparency, potentially increasing security risk if the token is compromised.

2 MEDIUM severity issues found: Git identity change may affect downstream automation; lack of permission verification could cause operational failures.

Findings

The following issues were identified in the changed code:


Recommendation: Before merging, please:

  1. Document the permissions and scope of RELEASE_TOKEN in the repository documentation
  2. Verify that RELEASE_TOKEN has only the minimum required permissions (checkout, push, PR operations on docker/pinata)
  3. Confirm that docker/pinata's branch protection rules and automation work with github-actions[bot] identity
  4. Consider whether the GitHub App pattern was deliberately chosen for security reasons and if this change aligns with security policies

@derekmisler derekmisler changed the title need to use this token, instead, because i'm editing a workflow need to use the token with the workflow permissions Mar 12, 2026
@derekmisler (Contributor, Author) commented:

/review

@docker-agent (Contributor) bot left a comment

Review Summary

Assessment: 🟢 APPROVE

Summary

This PR makes two sets of changes:

  1. release.yml: Switches the update-pinata job from a GitHub App token to RELEASE_TOKEN secret. This is the correct approach since GitHub App tokens lack the workflows permission needed to push changes to .github/workflows/ files. The RELEASE_TOKEN (classic PAT with repo + workflow scopes) is already used elsewhere in this workflow and provides the necessary permissions.

  2. pr-describe.yml: Moves step outputs into environment variables before using them in the GitHub Script action. This is a security improvement that prevents script injection via untrusted PR metadata.

Both changes are technically sound with no bugs detected in the modified code.

Findings

No issues found. The code changes are correct and follow established patterns in the repository.
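The pr-describe.yml hardening the review credits, as an added example rather than the project's own file (the step id describe, its body output and the job name are assumed): the injectable form beside the one that routes untrusted values through the environment. The same rule applies to every `${{ }}` expression that lands inside a run or script block, and it matters most in workflows triggered by issue_comment or pull_request_target, where the job runs with write permissions while a fork author controls the PR title and body.

```yaml
# Illustrative only: not the project's pr-describe.yml. The step id
# `describe` and its `body` output are assumed.
jobs:
  describe:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # Stand-in for the real generator. The PR title is attacker-controlled on
      # fork PRs, so it enters the shell via env rather than inline `${{ }}`.
      - id: describe
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          {
            echo 'body<<EOF'
            printf 'Summary for: %s\n' "$PR_TITLE"
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"

      # UNSAFE (before): `${{ }}` is expanded textually before github-script
      # parses the JavaScript. An output containing
      #   x"; await github.rest.issues.createComment({...}); //
      # closes the string literal and runs the rest with the job's token.
      # - uses: actions/github-script@v7
      #   with:
      #     script: |
      #       const body = "${{ steps.describe.outputs.body }}";
      #       await github.rest.pulls.update({
      #         owner: context.repo.owner, repo: context.repo.repo,
      #         pull_number: context.issue.number, body,
      #       });

      # SAFE (after): the value reaches the script through process.env, so it
      # is data regardless of which characters it contains.
      - uses: actions/github-script@v7
        env:
          GENERATED_BODY: ${{ steps.describe.outputs.body }}
        with:
          script: |
            const body = process.env.GENERATED_BODY ?? '';
            await github.rest.pulls.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              body,
            });
```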

@derekmisler derekmisler merged commit 61cd1a7 into docker:main Mar 12, 2026
45 checks passed