[Bug]: Release Please workflow fails due to org-level GITHUB_TOKEN restriction #165

@WilliamBerryiii

Component

Scripts

Bug Description

The release-please workflow in main.yml fails with:

GitHub Actions is not permitted to create or approve pull requests

This is caused by an org-level enterprise policy that blocks GITHUB_TOKEN from creating pull requests. The setting "Allow GitHub Actions to create and approve pull requests" is greyed out at the repository level, indicating it's controlled at the enterprise/org level.

Expected Behavior

The release-please workflow should successfully create release PRs when changes are pushed to the main branch.

Steps to Reproduce

  1. Push a conventional commit to main branch
  2. Observe the release-please job in the CI workflow
  3. Job fails with "GitHub Actions is not permitted to create or approve pull requests"

Additional Context

Root Cause: Org-level policy blocks GITHUB_TOKEN from creating PRs.

Solution: Use a GitHub App token instead of GITHUB_TOKEN.

GitHub App Created: hve-core-release-please (ID: 2646666)

  • Already installed on microsoft org
  • Uses actions/create-github-app-token@v2

Fix PR: #167 - Implements GitHub App token for release-please

Remaining Setup After PR Merges:

  • Add RELEASE_APP_ID variable (value: 2646666)
  • Add RELEASE_APP_PRIVATE_KEY secret (PEM file contents)
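
The workaround described in this issue, as an added example; it is not the repository's main.yml or the contents of PR #167. The workflow name, job and step names, and the `googleapis/release-please-action@v4` reference are assumptions; `RELEASE_APP_ID`, `RELEASE_APP_PRIVATE_KEY` and `actions/create-github-app-token@v2` come from the issue.

```yaml
# Added example: assumed shape of the release-please job (names are hypothetical).
name: CI
on:
  push:
    branches: [main]

# The default GITHUB_TOKEN no longer opens the PR, so it can stay read-only.
permissions:
  contents: read

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Before (fails under the org policy): the action authenticates with GITHUB_TOKEN.
      # - uses: googleapis/release-please-action@v4
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}

      # After: mint an installation token for the GitHub App.
      # The App ID is a repository variable; the PEM private key is a secret.
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # The release PR is then created as the App, not as GitHub Actions.
      - name: Run release-please
        uses: googleapis/release-please-action@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
```

The App installation needs write access to contents and pull requests on the repository for release-please to push its release branch and open the PR.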


Labels: bug, needs-triage