From 087fa0bf4beb6987383249482ba44ceeb675c5dc Mon Sep 17 00:00:00 2001
From: Alexander Tarasov <alex.tarasov@sentry.io>
Date: Thu, 15 Jan 2026 15:03:27 +0100
Subject: [PATCH] feat(actions): use javascript-sdk-gitflow app instead of
 personal token

---
 .github/workflows/external-contributors.yml | 11 ++++++++---
 .github/workflows/gitflow-sync-develop.yml  | 10 ++++++++--
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/external-contributors.yml b/.github/workflows/external-contributors.yml
index b4678af2eb56..e86532cfbf31 100644
--- a/.github/workflows/external-contributors.yml
+++ b/.github/workflows/external-contributors.yml
@@ -35,12 +35,17 @@ jobs:
           name: ${{ github.event.pull_request.user.login }}
           author_association: ${{ github.event.pull_request.author_association }}
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GITFLOW_APP_ID }}
+          private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }}
+
       - name: Create PR with changes
         uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725
         with:
-          # This token is scoped to Daniel Griesser
-          # If we used the default GITHUB_TOKEN, the resulting PR would not trigger CI :(
-          token: ${{ secrets.REPO_SCOPED_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           commit-message: 'chore: Add external contributor to CHANGELOG.md'
           title: 'chore: Add external contributor to CHANGELOG.md'
           branch: 'external-contributor/patch-${{ github.event.pull_request.user.login }}'
diff --git a/.github/workflows/gitflow-sync-develop.yml b/.github/workflows/gitflow-sync-develop.yml
index ff649d6ee204..0ed510f80178 100644
--- a/.github/workflows/gitflow-sync-develop.yml
+++ b/.github/workflows/gitflow-sync-develop.yml
@@ -25,6 +25,13 @@ jobs:
       - name: git checkout
         uses: actions/checkout@v6
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GITFLOW_APP_ID }}
+          private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }}
+
       # https://github.com/marketplace/actions/github-pull-request-action
       - name: Create Pull Request
         id: open-pr
@@ -35,8 +42,7 @@ jobs:
           pr_title: '[Gitflow] Merge ${{ env.SOURCE_BRANCH }} into ${{ env.TARGET_BRANCH }}'
           pr_body: 'Merge ${{ env.SOURCE_BRANCH }} branch into ${{ env.TARGET_BRANCH }}'
           pr_label: 'Dev: Gitflow'
-          # This token is scoped to Daniel Griesser
-          github_token: ${{ secrets.REPO_SCOPED_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
 
       - name: Enable automerge for PR
         if: steps.open-pr.outputs.pr_number != ''