From 3f70b0ac31520885c39fd79d18750e2701a22b28 Mon Sep 17 00:00:00 2001
From: ST-DDT <ST-DDT@gmx.de>
Date: Thu, 25 Jul 2024 18:14:54 +0200
Subject: [PATCH] infra(release): use PAT for releases (#3029)

---
 .github/workflows/prepare-release-pr.yml | 11 +++++------
 .github/workflows/publish-release.yml    |  4 ++--
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/prepare-release-pr.yml b/.github/workflows/prepare-release-pr.yml
index 4ad0a78b4e5..62e671df149 100644
--- a/.github/workflows/prepare-release-pr.yml
+++ b/.github/workflows/prepare-release-pr.yml
@@ -14,9 +14,7 @@ on:
           - beta
           - rc
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {} # we use a personal access token to push the branch and create the PR
 
 jobs:
   prepare_release_pr:
@@ -29,6 +27,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
+          token: ${{ secrets.GH_TOKEN }}
 
       - name: Install pnpm
         uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
@@ -46,8 +45,8 @@ jobs:
 
       - name: Run release
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "FakerJS Bot"
+          git config user.email "github-bot@fakerjs.dev"
           if [ $RELEASE_TYPE = 'stable' ]; then
             pnpm run release
           else
@@ -82,4 +81,4 @@ jobs:
           - Checklist: TODO add link to issue
           "
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 69398bb0b42..1b6a80505e0 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -4,8 +4,7 @@ on:
   release:
     types: [published]
 
-permissions:
-  contents: write # to push the release branch
+permissions: {} # we use a personal access token to push the release branch
 
 jobs:
   publish:
@@ -17,6 +16,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0 # we want to push the release branch later
+          token: ${{ secrets.GH_TOKEN }}
 
       - name: Install pnpm
         uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0