From 2112a7c18e5a8410baa5fc6caada60342424bf56 Mon Sep 17 00:00:00 2001
From: Michael Price <1845029+michael-pr@users.noreply.github.com>
Date: Tue, 16 Jun 2026 21:07:00 -0400
Subject: [PATCH 1/2] ci(release): open Version Packages PR via qa-wolf-ops App token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default GITHUB_TOKEN cannot create pull requests under the org policy, so the changesets action failed at the "Create Release PR or Publish" step. Mint a short-lived qa-wolf-ops App token (same pattern as wolf-ops CI) and hand it to the changesets action so it can open the Version Packages PR — and so that PR triggers CI, which GITHUB_TOKEN-authored PRs do not.
---
 .github/workflows/release.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f5001041..11ecc3a28 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,6 +33,16 @@ jobs:
 - run: bun run build
+ # Mint a short-lived token for the qa-wolf-ops App so the changesets action can
+ # open the "Version Packages" PR. The default GITHUB_TOKEN cannot create PRs (org
+ # policy), and PRs it opens would not trigger CI; the App token does both.
+ - name: Generate qa-wolf-ops token
+ id: app-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ secrets.QA_WOLF_OPS_CLIENT_ID }}
+ private-key: ${{ secrets.QA_WOLF_OPS_PRIVATE_KEY }}
+
 - name: Create Release PR or Publish
 id: changesets
 uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
@@ -40,7 +50,7 @@ jobs:
 version: bun run version-packages
 publish: bunx changeset publish
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 NPM_CONFIG_PROVENANCE: true

From 1e250d665917d0ee5299eaf65ccf5d03effd842a Mon Sep 17 00:00:00 2001
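Review bot: The `Generate qa-wolf-ops token` step in the first hunk sets no `permission-*` inputs, so the minted token inherits every permission the qa-wolf-ops App installation holds on this repository, not just what the release step needs. The second hunk then exports that token as `GITHUB_TOKEN` to the changesets step, where `bun run version-packages` and `bunx changeset publish` (and any package scripts they invoke) run with it in their environment next to `NPM_TOKEN`. Narrowing the token under `with:` would bound what a leaked or misused token can do, for example `permission-contents: write` and `permission-pull-requests: write`; confirm the exact set against what changesets/action needs for the PR and publish paths. The job's trigger and `permissions:` block are outside both hunks, so whether this job can ever run on an untrusted ref cannot be judged from here.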
From: Michael Price <1845029+michael-pr@users.noreply.github.com>
Date: Tue, 16 Jun 2026 21:14:53 -0400
Subject: [PATCH 2/2] docs(release): tighten App-token rationale comment

---
 .github/workflows/release.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 11ecc3a28..cea289bbf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,9 +33,8 @@ jobs:
 - run: bun run build
- # Mint a short-lived token for the qa-wolf-ops App so the changesets action can
- # open the "Version Packages" PR. The default GITHUB_TOKEN cannot create PRs (org
- # policy), and PRs it opens would not trigger CI; the App token does both.
+ # GITHUB_TOKEN can't create PRs under org policy, and PRs it opens don't
+ # trigger CI; the App token does both.
 - name: Generate qa-wolf-ops token
 id: app-token
 uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0