From ac290aea95db635e6f470f5c1f9d131c7f910254 Mon Sep 17 00:00:00 2001
From: ckohen <chaikohen@gmail.com>
Date: Sat, 16 Aug 2025 14:05:36 -0700
Subject: [PATCH] ci(release): use app user (#11038)

* ci(release): set git user

* ci(release): refactor to use app

* ci(release): use only app token

---------

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml                        | 12 +++++++++---
 .../actions/src/releasePackages/releasePackage.ts    |  7 +++----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3dd6d1c06..089bd43ef 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,17 +42,23 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: write
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
     if: github.repository_owner == 'discordjs'
     steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.DISCORDJS_APP_ID }}
+          private-key: ${{ secrets.DISCORDJS_APP_KEY_RELEASE }}
+          permission-contents: write
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
+          token: ${{ steps.app-token.outputs.token }}
           ref: ${{ inputs.ref || '' }}
-          ssh-key: ${{ secrets.DEPLOY_KEY_CI_RELEASE_TAGS }}
 
       - name: Install Node.js v22
         uses: actions/setup-node@v4
@@ -74,4 +80,4 @@ jobs:
           dry: ${{ inputs.dry_run }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/packages/actions/src/releasePackages/releasePackage.ts b/packages/actions/src/releasePackages/releasePackage.ts
index 6a1dab232..4c42a828a 100644
--- a/packages/actions/src/releasePackages/releasePackage.ts
+++ b/packages/actions/src/releasePackages/releasePackage.ts
@@ -18,20 +18,19 @@ async function checkRegistry(release: ReleaseEntry) {
 
 async function gitTagAndRelease(release: ReleaseEntry, dry: boolean) {
 	const tagName = `${release.name === 'discord.js' ? `` : `${release.name}@`}${release.version}`;
-	// Don't throw, if this exits non-zero it's probably because the tag already exists
-	await $`git tag ${tagName}`.nothrow();
 
 	if (dry) {
-		info(`[DRY] Tag "${tagName}" created, skipping push and release creation.`);
+		info(`[DRY] Release would be "${tagName}", skipping release creation.`);
 		return;
 	}
 
-	await $`git push origin ${tagName}`;
+	const commitHash = (await $`git rev-parse --short HEAD`.text()).trim();
 
 	try {
 		await octokit?.rest.repos.createRelease({
 			...context.repo,
 			tag_name: tagName,
+			target_commitish: commitHash,
 			name: tagName,
 			body: release.changelog ?? '',
 			generate_release_notes: release.changelog === undefined,