From 84c3b66e6f7abfcd819bbd0d5cb3bd9dbd10ceec Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 7 Nov 2023 15:41:27 +0100 Subject: [PATCH 1/2] use github app in release workflow --- .github/workflows/release.yml | 15 ++++++++++++++- README.md | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 62f29a9..8e5a419 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,9 @@ jobs: name: create release draft steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + persist-credentials: false - name: 'Get Previous tag' id: previoustag @@ -39,10 +42,20 @@ jobs: name: ${{ inputs.files }} if: ${{ inputs.files != '' }} + # the token is needed so the github app can push to the repository + # the github app can bypass the branch protection rule (need a PR to merge) + # this way it can directly commit to main + - name: Obtain a GitHub App Installation Access Token + id: githubAppAuth + run: | + TOKEN="$(npx obtain-github-app-installation-access-token ci ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }})" + echo token=${TOKEN} >> $GITHUB_OUTPUT + - name: update and push due to new release uses: github-actions-x/commit@722d56b8968bf00ced78407bbe2ead81062d8baa # v2.9 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + # use the token obtained in the step before + github-token: ${{ steps.githubAppAuth.outputs.token }} push-branch: 'main' commit-message: 'update due to new release' force-add: 'true' diff --git a/README.md b/README.md index 9005178..0c1b7f3 100644 --- a/README.md +++ b/README.md 
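Review bot: The `TOKEN="$(npx obtain-github-app-installation-access-token ci ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }})"` line in the new `Obtain a GitHub App Installation Access Token` step resolves an unpinned npm package from the registry at run time and hands it the credential that, per the comment above it, can bypass branch protection on `main`, so a compromised or substituted package version would receive that credential with no integrity check, whereas every action in this workflow is pinned to a commit SHA. Pin it to an exact version, `npx --yes obtain-github-app-installation-access-token@<version> ci ...`, or use a SHA-pinned action that mints the installation token, and document in the step comment what the `ci` argument and the secret are (presumably the App id/key material; confirm). The secret is also expanded by `${{ }}` straight into the shell text, which places it on the process command line where other processes on the runner can read it; pass it via `env:` instead, e.g. `env:` / `  APP_SECRET: ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }}` and `TOKEN="$(npx ... ci "$APP_SECRET")"`. The output write should be quoted as `echo "token=${TOKEN}" >> "$GITHUB_OUTPUT"`. The job these steps belong to starts outside the hunk.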
@@ -174,6 +174,9 @@ It should only run on `push` to master/main branch. The action creates a new *draft* release and updates the changelog. Furthermore it adds defined files (e.g. created in other workflows) to the release. The user then has to publish the new release. +The push step of this action used the [Github app](https://github.com/organizations/telekom-mms/settings/installations) "MMS branch protection as code" +to push to the main branch, bypassing branch protection rules. + #### Inputs | inputs | description | type | required | From b22a069a22ff742debbfbfb1f3ddc938af781805 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 7 Nov 2023 16:26:31 +0100 Subject: [PATCH 2/2] mask token --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8e5a419..e4423c9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,7 @@ jobs: id: githubAppAuth run: | TOKEN="$(npx obtain-github-app-installation-access-token ci ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }})" + echo "::add-mask::$TOKEN" echo token=${TOKEN} >> $GITHUB_OUTPUT - name: update and push due to new release
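Review bot: The new `echo "::add-mask::$TOKEN"` line masks whatever `TOKEN` holds but does not verify that a token was obtained at all; if the `npx` tool exits 0 without printing one, the mask registers an empty value (the runner only warns) and the step publishes an empty `token` output, which the `update and push due to new release` step then passes as `github-token`. Add a guard between the two lines, `[ -n "$TOKEN" ] || { echo "::error::no installation token obtained"; exit 1; }`, so the release job fails here rather than at the push. Because `$( )` captures only stdout, anything the tool writes to stderr before this line, including the token in an error message, reaches the log before the mask exists; if the tool is known to do that, redirect stderr or move to a tool that does not. Quote the output write as `echo "token=${TOKEN}" >> "$GITHUB_OUTPUT"` so word splitting cannot alter the value. The enclosing job starts outside the hunk.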