From d4e16f1ea9cd168dc27f80f6351c46304bd77d6f Mon Sep 17 00:00:00 2001
From: Cody Olsen <81981+stipsan@users.noreply.github.com>
Date: Thu, 2 May 2024 14:49:59 +0200
Subject: [PATCH] refactor(CI): enable strict branch rules for code review (#1269)
---
 .github/renovate.json      |  2 ++
 .github/workflows/main.yml | 14 ++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 8d1f40dea..1649fbaea 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -5,9 +5,11 @@
     "github>sanity-io/renovate-config:studio-v3",
     ":reviewer(team:ecosystem)"
   ],
+  "ignorePresets": ["github>sanity-io/renovate-config:group-non-major"],
   "packageRules": [
     {
       "matchDepTypes": ["dependencies"],
+      "semanticCommitType": "fix",
       "rangeStrategy": "bump"
     }
   ]
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 84770b773..376c421b7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -51,19 +51,25 @@ jobs:
   release:
     permissions:
-      contents: write # to be able to publish a GitHub release
-      issues: write # to be able to comment on released issues
-      pull-requests: write # to be able to comment on released pull requests
       id-token: write # to enable use of OIDC for npm provenance
     name: 'Semantic release'
     needs: test
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.ECOSPARK_APP_ID }}
+          private-key: ${{ secrets.ECOSPARK_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
           # Need to fetch entire commit history to
           # analyze every commit since last release
           fetch-depth: 0
+          # Uses generated token to allow pushing commits back
+          token: ${{ steps.app-token.outputs.token }}
+          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: lts/*
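Review bot: With the group-non-major preset dropped via `ignorePresets` and `semanticCommitType` set to `"fix"` for every `dependencies` match, each non-major dependency bump becomes its own Renovate PR and, once merged, its own patch release through semantic-release. That makes every merged Renovate PR an automatic publish, so a bad upstream version would reach the published package at the next merge; the hunk gives no hint whether that is the intent. If it is, a short note in the repository docs on why grouping is disabled would help the next maintainer, and a `minimumReleaseAge` package rule is one Renovate option worth considering to keep a cooling-off period before new upstream versions are proposed.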
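Review bot: The comment above `persist-credentials: false` talks about GITHUB_TOKEN, but the credential handed to checkout on the line before is the app installation token from `steps.app-token`, so the setting keeps that token out of `.git/config`; suggest `# Do not persist the app token in the repo's git config; later steps pass it explicitly`. The `create-github-app-token` step, as written, requests whatever permissions the app installation holds, so the three write permissions removed from `permissions:` are now granted implicitly by an app whose scope is not visible here; if the action version in use supports the `permission-*` inputs, scoping the token to the contents, issues and pull-requests writes the release job needs keeps least privilege explicit in the workflow. The same token is exported as `GITHUB_TOKEN` for semantic-release in the next hunk, so the job's effective write access is entirely the app's. Pinning the new action to a commit SHA instead of the floating `@v1` tag would also match the hardening usually applied to a job that holds publish credentials.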
@@ -73,5 +79,5 @@ jobs:
       - run: pnpm exec semantic-release
         env:
           NPM_CONFIG_PROVENANCE: true
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}