From c6d288f16acba4e156c9f3ffbf2eae47a4718226 Mon Sep 17 00:00:00 2001 From: Mahmoud Elmorabea Date: Fri, 8 May 2026 13:46:29 +0300 Subject: [PATCH] ci: migrate deploy workflow to GitHub App for ruleset bypass Prepare the repo to be locked down with a GitHub Ruleset on main where the cio-mobile-release App is the only bypass actor for release pushes. - Replace deprecated tibdex/github-app-token (Node 20) with actions/create-github-app-token@v3.1.1, SHA-pinned. Use the new client-id input (deprecates app-id) backed by a new repo secret CIO_APP_CLIENT_ID. - Pass the App token to actions/checkout via with.token. Without this, checkout's persist-credentials default writes GITHUB_TOKEN (github-actions[bot]) into git config, which is what semantic-release would actually push with -- guaranteeing GH013 once the ruleset is active even though the App token is generated. - Add the skip-ci marker to the @semantic-release/git commit template so App-pushed release-prep commits don't recursively retrigger workflows. (App-installation pushes don't get GitHub's GITHUB_TOKEN recursion guard.) Follow-up manual steps (not in this PR): add CIO_APP_CLIENT_ID secret, confirm App is installed on this repo with Contents/Workflows write, create the ruleset on main with cio-mobile-release in the bypass list (Mode: Always), then remove the legacy classic branch protection rule after a verified release. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy-sdk.yml | 8 +++++--- .releaserc.json | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy-sdk.yml b/.github/workflows/deploy-sdk.yml
index 04bbdaa0..624f4722 100644
--- a/.github/workflows/deploy-sdk.yml
+++ b/.github/workflows/deploy-sdk.yml
@@ -24,12 +24,14 @@ jobs:
 - name: 'Generate token'
 id: generate_token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 with:
- app_id: ${{ secrets.CIO_APP_ID }}
- private_key: ${{ secrets.CIO_APP_SECRET }}
+ client-id: ${{ secrets.CIO_APP_CLIENT_ID }}
+ private-key: ${{ secrets.CIO_APP_SECRET }}
 - uses: actions/checkout@v4
+ with:
+ token: ${{ steps.generate_token.outputs.token }}
 # If using sd on macos, "brew install" works great. for Linux, this is the recommended way.
 - name: Install sd CLI to use later in the workflow
diff --git a/.releaserc.json b/.releaserc.json
index b6db428d..11d0875e 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -25,7 +25,7 @@
 "package.json",
 "android/src/main/res/values/customer_io_config.xml"
 ],
- "message": "chore: prepare for ${nextRelease.version}\n\n${nextRelease.notes}"
+ "message": "chore: prepare for ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
 }
 ],
 ["@semantic-release/github", {
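Review bot: `- uses: actions/checkout@v4` stays on a mutable major tag while the token action a few lines above is SHA-pinned, and since `token:` is now passed to it checkout is the step that handles the App credential, so pin it the same way, e.g. `- uses: actions/checkout@<commit-sha> # v4.x.y` (placeholder — take the SHA from the release you verify). Because `persist-credentials` is left at its default, the App token is written into the checkout's git config and stays usable by every later step in the job, including the third-party CLI install that follows; that is exactly what semantic-release needs, but a one-line comment above the new `with:` such as `# App token is persisted in git config so semantic-release pushes as the App, not github-actions[bot]` would keep a future maintainer from "hardening" it away. If this version of create-github-app-token supports the `permission-*` inputs (e.g. `permission-contents: write`), consider declaring only the permissions the release needs so the issued token is not the App's full install scope — confirm against the v3.1.1 docs. The `steps:` list this hunk belongs to begins above the hunk.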