From 29349aa2dfbeb080ec35b46eb656604648eeba2d Mon Sep 17 00:00:00 2001
From: David Sanders
Date: Wed, 28 Aug 2024 13:57:01 -0400
Subject: [PATCH] ci: use GitHub app to tag new release (#122)
---
 .github/workflows/release.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dc518c9..70dc309 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,9 +7,6 @@ on:
 description: Electron version to use with "v" prefix (e.g. v30.0.0)
 required: true
 
-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
 test:
 uses: ./.github/workflows/test.yml
@@ -17,11 +14,17 @@ jobs:
 electron-version: ${{ github.event.inputs.version }}
 tag_new_version:
 runs-on: ubuntu-latest
+ environment: deps-releaser
 needs: test
- permissions:
- contents: write # for pushing new tag
 steps:
+ - name: Generate GitHub App token
+ uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+ id: generate-token
+ with:
+ creds: ${{ secrets.DEPS_RELEASER_GH_APP_CREDS }}
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
 # Tag here, the publish-npm.yml workflow will trigger on the new tag and do the CFA publish
 - name: Push New Tag
 run: |
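Review bot: Dropping the job-level `permissions:` block from `tag_new_version` leaves the automatic `GITHUB_TOKEN` at the repository or organization default, which may be broader than the `contents: write` it replaces. Since checkout and the tag push now authenticate with the App token from `generate-token`, the job could pin the built-in token down with `permissions: {}` (or `contents: read` if a step turns out to need it), unless a workflow-level `permissions:` outside this hunk already does so. `actions/checkout` also persists the supplied token in the local git config by default, which the push step presumably relies on, so the App token is readable by every later step in this job. That deserves a comment on the `token:` line, such as `# persisted by checkout so the tag push below can authenticate`. The `Push New Tag` step's `run: |` body continues outside the hunk.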