From ac16f9e9ed8b8e2eec4cfba37ee3ea1c2f719cb6 Mon Sep 17 00:00:00 2001
From: Urmzd Mukhammadnaim <hello@urmzd.com>
Date: Wed, 25 Mar 2026 20:15:55 -0500
Subject: [PATCH] ci: use sr-releaser GitHub App for release workflow

Switch from GITHUB_TOKEN to sr-releaser app token for release
commits, enabling signed commits and branch ruleset bypass.
---
 .github/workflows/release.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d03d111f..025f5912 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,10 +26,19 @@ jobs:
     outputs:
       released: ${{ steps.sr.outputs.released }}
     steps:
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.SR_RELEASER_APP_ID }}
+          private-key: ${{ secrets.SR_RELEASER_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Setup Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -43,7 +52,7 @@ jobs:
         id: sr
         uses: urmzd/sr@v2
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           force: ${{ inputs.force }}
 
   publish: