fix: github token on release workflow (#6)

Signed-off-by: Cesar Berrospi Ramis <[email protected]>

Author: ceberam

.github/workflows/build.yaml

@@ -34,7 +34,7 @@ jobs:
 
   create-release:
     needs: build
-    name: Semantic-Release
+    name: Semantic Release
     if: "github.ref_name == 'main' && github.event_name != 'pull_request'"
     runs-on: ubuntu-latest
     permissions:
@@ -43,18 +43,11 @@ jobs:
       pull-requests: write # to be able to comment on released pull requests
       id-token: write # to enable use of OIDC for npm provenance
     steps:
-      - name: Create GitHub token
-        uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: ${{ vars.CI_APP_ID }}
-          private-key: ${{ secrets.CI_PRIVATE_KEY }}
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ steps.app-token.outputs.token }}
-          fetch-depth: 0  # for fetching tags, required for semantic-release
           persist-credentials: false
+          fetch-depth: 0  # for fetching tags, required for semantic-release
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -69,7 +62,13 @@ jobs:
           npm install
       - name: Verify the integrity of provenance attestations and registry signatures
         run: npm audit signatures
+      - name: Create GitHub token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.CI_APP_ID }}
+          private-key: ${{ secrets.CI_PRIVATE_KEY }}
       - name: Run semantic-release
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: npm run semantic-release