Use pyroscope-development-app in release workflow

Author: aleks-p

.github/workflows/release.yml

@@ -22,8 +22,29 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
+      - name: Get secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            NEXUS_USERNAME=publishing:nexus_username
+            NEXUS_PASSWORD=publishing:nexus_password
+            NEXUS_GPG_KEY_ID=publishing:nexus_gpg_key_id
+            NEXUS_GPG_PASSWORD=publishing:nexus_gpg_password
+            NEXUS_GPG_SECRING_FILE_BASE64=publishing:nexus_gpg_secring_file
+            GITHUB_APP_ID=pyroscope-development-app:app-id
+            GITHUB_APP_PRIVATE_KEY=pyroscope-development-app:app-private-key
+
+      - name: Generate GitHub token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Java 8
         uses: actions/setup-java@v4
@@ -59,16 +80,6 @@ jobs:
           sed -i "s/pyroscope_version=.*/pyroscope_version=$new_version/" gradle.properties
           echo "version=$new_version" >> $GITHUB_OUTPUT
 
-      - name: Get secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            NEXUS_USERNAME=publishing:nexus_username
-            NEXUS_PASSWORD=publishing:nexus_password
-            NEXUS_GPG_KEY_ID=publishing:nexus_gpg_key_id
-            NEXUS_GPG_PASSWORD=publishing:nexus_gpg_password
-            NEXUS_GPG_SECRING_FILE_BASE64=publishing:nexus_gpg_secring_file
-
       - name: Prepare GPG Keyring
         id: prepare_gpg_keyring
         run: |
@@ -82,20 +93,26 @@ jobs:
           export NEXUS_GPG_SECRING_FILE=${{ steps.prepare_gpg_keyring.outputs.keyring_path }}
           make publish
 
-      - name: Commit and Push Changes
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Commit Version Bump
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
           git add gradle.properties
           git commit -m "version ${{ steps.bump_version.outputs.version }}"
           git tag "v${{ steps.bump_version.outputs.version }}"
           git push --atomic origin "refs/heads/main" "refs/tags/v${{ steps.bump_version.outputs.version }}"
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Create GitHub Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           gh release create "v${{ steps.bump_version.outputs.version }}" \
             agent/build/libs/pyroscope.jar \