Merge pull request #299 from backstage/use-app-token-for-semantic-release

ci: use app token for semantic release workflow

Author: alexlorenzi

.github/workflows/manual-versioning.yml

@@ -16,26 +16,31 @@ jobs:
   release:
     runs-on: ubuntu-latest
     concurrency: release
-    permissions:
-      id-token: write
-      contents: write
 
     steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          token: ${{ steps.generate_token.outputs.token }}
 
       - name: Python Semantic Release (Automatic)
         if: github.event.inputs.levelBump == 'auto'
         uses: python-semantic-release/python-semantic-release@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.generate_token.outputs.token }}
           verbosity: 2
 
       - name: Python Semantic Release (Manual)
         if: github.event.inputs.levelBump != 'auto'
         uses: python-semantic-release/python-semantic-release@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.generate_token.outputs.token }}
           force: ${{ github.event.inputs.levelBump }}
           verbosity: 2