From 4a1f77da5a6ba4e01487dc6a32519e581080c52c Mon Sep 17 00:00:00 2001
From: pbio <10051819+paulbalaji@users.noreply.github.com>
Date: Wed, 3 Dec 2025 13:14:23 +0000
Subject: [PATCH] fix(ci): use GitHub App token for workflow triggering and
 authorship
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Configure both prepare-release and publish-release jobs to use the
hyper-gonk GitHub App token. This fixes two issues:

1. CI workflows not triggering on commits pushed by the release workflow
   - `actions/checkout` configures git credentials at checkout time
   - Previously, checkout used default GITHUB_TOKEN which cannot trigger workflows
   - Now, token is generated first and passed to checkout

2. Commits authored by github-actions[bot] instead of hyper-gonk[bot]
   - The publish-release job was missing `setupGitUser: false`
   - It was running version step which creates commits as github-actions[bot]
   - Now uses same git config and token as prepare-release

Changes:
- release.yml: Add token generation, git config, and setupGitUser to both jobs
- rust-release.yml: Same fix for release-pr job

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/release.yml      | 41 ++++++++++++++++++++++++------
 .github/workflows/rust-release.yml | 15 ++++++-----
 2 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 728d3203357..0b46e1add53 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,12 +40,22 @@ jobs:
       pull-requests: write
     runs-on: depot-ubuntu-latest
     steps:
+      # Generate token first so checkout configures git credentials with it
+      # This allows subsequent pushes to trigger workflows
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
+          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}
+
       - name: Checkout Repo
         uses: actions/checkout@v5
         with:
           # check out full history
           fetch-depth: 0
           submodules: recursive
+          token: ${{ steps.generate-token.outputs.token }}
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -55,13 +65,6 @@ jobs:
       - name: Install Dependencies
         run: yarn install --immutable
 
-      - name: Generate GitHub App Token
-        id: generate-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
-          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}
-
       - name: Get GitHub App User ID
         id: get-user-id
         run: echo "user-id=$(gh api /users/${{ steps.generate-token.outputs.app-slug }}[bot] --jq .id)" >> "$GITHUB_OUTPUT"
@@ -155,12 +158,22 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      # Generate token first so checkout configures git credentials with it
+      # This allows subsequent pushes to trigger workflows
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
+          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}
+
       - name: Checkout Repo
         uses: actions/checkout@v5
         with:
           # check out full history
           fetch-depth: 0
           submodules: recursive
+          token: ${{ steps.generate-token.outputs.token }}
 
       - name: Setup Node
         uses: actions/setup-node@v6
@@ -170,13 +183,25 @@ jobs:
       - name: Install Dependencies
         run: yarn install --immutable
 
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api /users/${{ steps.generate-token.outputs.app-slug }}[bot] --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+
+      - name: Configure Git for Hyper Gonk
+        run: |
+          git config user.name "${{ steps.generate-token.outputs.app-slug }}[bot]"
+          git config user.email "${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com"
+
       - name: Publish Release to NPM
         id: changesets
         uses: changesets/action@v1
         with:
           version: yarn version:prepare
           publish: yarn release
+          setupGitUser: false
         env:
           NPM_CONFIG_PROVENANCE: true
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/rust-release.yml b/.github/workflows/rust-release.yml
index ed3cc90dd02..0b1a0454387 100644
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -104,9 +104,18 @@ jobs:
       needs.check-release-status.outputs.has_changes == 'true' &&
       needs.check-release-status.outputs.should_release == 'false'
     steps:
+      # Generate token first so checkout configures git credentials with it
+      # This allows subsequent pushes to trigger workflows
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
+          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          token: ${{ steps.generate-token.outputs.token }}
       - uses: dtolnay/rust-toolchain@stable
       - name: Determine next version from conventional commits
         id: next_version
@@ -170,12 +179,6 @@ jobs:
           cd ../sealevel
           cargo update --workspace --offline 2>/dev/null || cargo update --workspace
           echo "Updated rust/sealevel/Cargo.lock"
-      - name: Generate GitHub App Token
-        id: generate-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
-          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}
       - name: Create or update release PR
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}