From 39b7de8edc2131aef23fcdacc52576c1b47196d7 Mon Sep 17 00:00:00 2001
From: Alex Bucknall
Date: Fri, 29 May 2026 13:45:14 +0100
Subject: [PATCH] chore: use GitHub App token for Homebrew tap in release workflow

Replaces the fine-grained PAT (TAP_GITHUB_TOKEN secret) with a short-lived token minted at runtime via a GitHub App, to comply with the Blues org policy restricting fine-grained PAT lifetimes to 7 days.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/release.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b573bfc..e36246e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,15 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: '1.24.0'
+ -
+ name: Generate Homebrew tap token
+ uses: actions/create-github-app-token@v2
+ id: tap-token
+ with:
+ app-id: ${{ secrets.TAP_APP_ID }}
+ private-key: ${{ secrets.TAP_APP_PRIVATE_KEY }}
+ owner: blues
+ repositories: homebrew-note-cli
 -
 name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v6
@@ -31,7 +40,7 @@ jobs:
 args: release -f .goreleaser.yaml --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
+ TAP_GITHUB_TOKEN: ${{ steps.tap-token.outputs.token }}
 -
 name: Upload assets
 uses: actions/upload-artifact@v4
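Review bot: The new `Generate Homebrew tap token` step hands the App private key to `actions/create-github-app-token@v2`, which is referenced by a mutable tag; pinning it to a full commit SHA (`uses: actions/create-github-app-token@<full-commit-sha> # v2`) keeps a retagged release from receiving `TAP_APP_PRIVATE_KEY`. The minted token is limited to one repository by `owner`/`repositories`, but with no `permission-*` input it inherits every permission the App installation holds; adding `permission-contents: write` under `with:` would narrow it, assuming the tap update configured in `.goreleaser.yaml` (not visible here) only pushes commits. The same tag-pinning concern applies to the GoReleaser step that receives the token through `TAP_GITHUB_TOKEN` in the second hunk. Once this is merged, the old fine-grained PAT and the `TAP_GITHUB_TOKEN` repository secret should be revoked and deleted so the replaced credential does not linger.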