fix: use hyper-gonk bot for release PRs #7472

Merged: paulbalaji merged 1 commit into main from pbio/hyper-gonk-ci-permissions on Nov 26, 2025

@paulbalaji paulbalaji commented Nov 26, 2025

Summary

Use GitHub App token (Hyper Gonk) instead of GITHUB_TOKEN for creating release PRs. This fixes the issue where CI workflows wouldn't trigger on PRs created by the release workflows.

Problem

GitHub's security model prevents workflows triggered by GITHUB_TOKEN from triggering other workflows. This means:

  • When the NPM release workflow creates a "Version Packages" PR, CI doesn't run
  • When the Rust release workflow creates a release PR, CI doesn't run

Solution

Use a GitHub App token instead. The Hyper Gonk GitHub App has been configured with:

  • Contents: Read & Write
  • Pull requests: Read & Write

Changes

  • .github/workflows/release.yml: Use Hyper Gonk token for changesets action
  • .github/workflows/rust-release.yml: Use Hyper Gonk token for PR creation

Setup Required

The following secrets need to be added to the repository:

  • HYPER_GONK_APP_ID: The App ID
  • HYPER_GONK_PRIVATE_KEY: The private key

Test plan

  • Verified CI triggers on release PRs (tested with Rust release workflow)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Improved release process authentication and token management to ensure secure and reliable package deployment workflows.


changeset-bot bot commented Nov 26, 2025

⚠️ No Changeset found

Latest commit: 7fb8a0d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@paulbalaji paulbalaji changed the title from "fix: use Hyper Gonk GitHub App for release PRs" to "fix: use Gonk for release PRs" Nov 26, 2025
@paulbalaji paulbalaji changed the title from "fix: use Gonk for release PRs" to "fix: use hyper-gonk bot for release PRs" Nov 26, 2025

coderabbitai bot commented Nov 26, 2025


📥 Commits

Reviewing files that changed from the base of the PR and between 90b74d3846aba0b3f503a90c326e217e3a7a2a13 and 7fb8a0d.

📒 Files selected for processing (2)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/rust-release.yml (1 hunks)

Walkthrough

The release workflows are getting a security upgrade, mate. Both the npm and Rust release workflows now generate a GitHub App token instead of relying on the default repository token for creating release PRs. The npm workflow also gets a proper title on the changesets action run.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub App Token Authentication in Release Workflows: .github/workflows/release.yml, .github/workflows/rust-release.yml | Added a new step to generate a GitHub App token using actions/create-github-app-token@v1 and wired it into the release PR creation steps, replacing repository token authentication. The npm workflow also adds a title to the changesets action run. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify that the GitHub App token generation step is configured correctly with proper permissions
  • Confirm the token output is correctly passed to subsequent steps in both workflows
  • Check that the changesets action title update in release.yml doesn't affect any downstream processes

Suggested reviewers

  • Mo-Hussain
  • kamiyaa
  • xeno097

Poem

🔐 Your workflows, they needed some care,
GitHub App tokens, now flowing through air,
No more secrets left gathering dust,
Authentication proper—the kind you can trust!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: switching to use a GitHub App token (Hyper Gonk) for release PR creation instead of GITHUB_TOKEN. |
| Description check | ✅ Passed | The description covers the main objective, problem statement, and solution. All required template sections are addressed with substantive content. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@paulbalaji paulbalaji added this pull request to the merge queue Nov 26, 2025
@paulbalaji paulbalaji removed this pull request from the merge queue due to a manual request Nov 26, 2025
Use GitHub App token instead of GITHUB_TOKEN for creating release PRs.
This fixes the issue where CI workflows wouldn't trigger on PRs created
by the release workflows (GitHub's security restriction on GITHUB_TOKEN).

The Hyper Gonk GitHub App has been configured with:
- Contents: Read & Write
- Pull requests: Read & Write

Secrets required:
- HYPER_GONK_APP_ID
- HYPER_GONK_PRIVATE_KEY

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@paulbalaji paulbalaji force-pushed the pbio/hyper-gonk-ci-permissions branch from 90b74d3 to 7fb8a0d November 26, 2025 15:51
@paulbalaji paulbalaji enabled auto-merge November 26, 2025 16:07
@paulbalaji paulbalaji added this pull request to the merge queue Nov 26, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 26, 2025
@paulbalaji paulbalaji added this pull request to the merge queue Nov 26, 2025
Merged via the queue into main with commit 494e334 Nov 26, 2025
151 of 153 checks passed
@paulbalaji paulbalaji deleted the pbio/hyper-gonk-ci-permissions branch November 26, 2025 16:38
@github-project-automation github-project-automation bot moved this from In Review to Done in Hyperlane Tasks Nov 26, 2025

codecov bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (c4f3d33) to head (7fb8a0d).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@     Coverage Diff      @@
##   main   #7472   +/-   ##
============================
============================
| Components | Coverage Δ |
|---|---|
| core | ∅ <ø> (∅) |
| hooks | ∅ <ø> (∅) |
| isms | ∅ <ø> (∅) |
| token | ∅ <ø> (∅) |
| middlewares | ∅ <ø> (∅) |

paulbalaji added a commit that referenced this pull request Nov 27, 2025
The previous fix (PR #7472) used Hyper Gonk token for authentication
but still used github-actions[bot] for git commit identity. This caused
force pushes to the release branch to still show as github-actions bot.

Changes:
- rust-release.yml: Use app-slug output for git config
- release.yml: Add setupGitUser: false to changesets action and
  configure git identity manually before the action runs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
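
The token wiring described in this PR and in the follow-up commit above, as an added example that is not the repository's own workflow. The action name and the two secret names come from the thread; the workflow name, trigger, job name, step id, Node install steps and the bot e-mail form are assumptions.

```yaml
# Added example, not the repository's release.yml.
name: release                        # assumed workflow name
on:
  push:
    branches: [main]                 # assumed trigger

permissions:
  contents: read                     # default GITHUB_TOKEN stays read-only

jobs:
  version-pr:                        # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation token from the App credentials.
      - name: Generate GitHub App token
        id: app-token                # hypothetical step id
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}

      # Check out with the App token so later pushes authenticate as the App.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - uses: actions/setup-node@v4  # assumed toolchain
      - run: npm ci                  # assumed package manager

      # Commit identity is set by hand because setupGitUser is off below.
      # The slug is passed through env instead of being pasted into the script.
      - name: Configure git identity
        env:
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          git config user.name "${APP_SLUG}[bot]"
          # Constructed address form; an assumption, not taken from the thread.
          git config user.email "${APP_SLUG}[bot]@users.noreply.github.com"

      # Before: GITHUB_TOKEN here was secrets.GITHUB_TOKEN, and PRs opened
      # with that token do not trigger other workflows.
      - name: Create Version Packages PR
        uses: changesets/action@v1
        with:
          setupGitUser: false
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```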