From 9798ac6fa9d3afac266b10e612e4fd9823999748 Mon Sep 17 00:00:00 2001
From: Hugo Haakseth
Date: Fri, 22 Aug 2025 09:40:48 +0200
Subject: [PATCH 1/2] Add input to allow signing release commits
---
 .github/workflows/prepare_release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 3ff2d3e..9557a2b 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -14,6 +14,11 @@ on:
 required: false
 default: ''
 type: string
+ sign-commits:
+ description: 'Sign commits as `github-actions[bot]` when using `GITHUB_TOKEN`, or your own bot when using GitHub App tokens.'
+ required: false
+ default: false
+ type: boolean
 working-directory:
 description: The working directory where all jobs should be executed. Used for modules in subdirectories like a monorepo or a control repository.
 default: '.'
@@ -26,7 +31,7 @@ on:
 type: string
 secrets:
 github_pat:
- description: 'The pccibot PAT that will create the PR'
+ description: 'PAT or GitHub App token that will be used to create the PR'
 required: true
 env:
 BUNDLE_WITHOUT: development:test:system_tests
@@ -74,6 +79,7 @@ jobs:
 commit-message: "Release ${{ inputs.version }}"
 branch: release-prep
 delete-branch: true
+ sign-commits: ${{ inputs.sign-commits }}
 title: "Release ${{ inputs.version }}"
 labels: skip-changelog
 token: '${{ secrets.github_pat }}'
From 5cd8ae0d42f96ad72fb6d5ae8101c08b27a961c1 Mon Sep 17 00:00:00 2001
From: Hugo Haakseth
Date: Fri, 29 Aug 2025 11:22:09 +0200
Subject: [PATCH 2/2] Support using Github app credentials
---
 .github/workflows/prepare_release.yml | 54 ++++++++++++++++++++++++++-
 1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 9557a2b..dd388f5 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
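Review bot: The `sign-commits` description added in the first hunk names only `GITHUB_TOKEN` and GitHub App tokens, yet the `github_pat` secret that the third hunk's step passes as `token` next to `sign-commits: ${{ inputs.sign-commits }}` is documented as "PAT or GitHub App token". As far as I know GitHub attaches a verified signature to API-created commits only for bot identities, so a caller who supplies a user PAT and sets `sign-commits: true` may get an unverified release commit without the job failing; this should be confirmed against the create-pull-request documentation. If it holds, I would extend the description with something like `Not effective with a personal access token; use GITHUB_TOKEN or a GitHub App token when branch protection requires signed commits.` so that callers relying on signed release commits are not surprised.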
@@ -29,10 +29,18 @@ on:
 required: false
 default: ''
 type: string
+ github_app_id:
+ description: 'GitHub App ID that will be used to create the PR'
+ required: false
+ default: ''
+ type: string
 secrets:
 github_pat:
 description: 'PAT or GitHub App token that will be used to create the PR'
- required: true
+ required: false
+ github_app_key:
+ description: 'GitHub App private key that will be used to create the PR'
+ required: false
 env:
 BUNDLE_WITHOUT: development:test:system_tests
 BUNDLE_WITH: release
@@ -49,6 +57,27 @@ jobs:
 runs-on: ubuntu-24.04
 if: github.repository_owner == inputs.allowed_owner
 steps:
+ - name: Validate input
+ run: |
+ if [[ -z "${{ secrets.github_pat }}" && -z "${{ secrets.github_app_key }}" ]]; then
+ echo "Error: either PAT or GitHub App credentials are required"
+ exit 1
+ fi
+ if [[ -n "${{ secrets.github_pat }}" && -n "${{ secrets.github_app_key }}" ]]; then
+ echo "Error: use either PAT or GitHub App credentials"
+ exit 1
+ fi
+ if [[ -n "${{ inputs.github_app_id }}" && -z "${{ secrets.github_app_key }}" ]]; then
+ echo "Error: github_app_key secret is required when using github_app_id"
+ exit 1
+ fi
+ - name: Generate GitHub App Token
+ if: inputs.github_app_id != ''
+ id: generate-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ inputs.github_app_id }}
+ private-key: ${{ secrets.github_app_key }}
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
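Review bot: The `Validate input` step expands `${{ secrets.github_pat }}`, `${{ secrets.github_app_key }}` and `${{ inputs.github_app_id }}` directly into the `run:` script, so the PAT and the multi-line private key become script text that bash parses, and that the runner writes to its temporary script file, instead of being handled as data. Passing the values through `env:` and testing the quoted variables avoids this. The checks also accept a caller that sets `github_app_key` without `github_app_id`: all three conditions pass, the token step is skipped, and the steps guarded by `inputs.github_app_id == ''` in the later hunks then run with an empty `github_pat`. The fence below moves the values into environment variables and adds the missing check; the `Generate GitHub App Token` step is unchanged.

```yaml
- name: Validate input
  env:
    PAT: ${{ secrets.github_pat }}
    APP_ID: ${{ inputs.github_app_id }}
    APP_KEY: ${{ secrets.github_app_key }}
  run: |
    if [[ -z "$PAT" && -z "$APP_KEY" ]]; then
      echo "Error: either PAT or GitHub App credentials are required"
      exit 1
    fi
    if [[ -n "$PAT" && -n "$APP_KEY" ]]; then
      echo "Error: use either PAT or GitHub App credentials"
      exit 1
    fi
    if [[ -n "$APP_ID" && -z "$APP_KEY" ]]; then
      echo "Error: github_app_key secret is required when using github_app_id"
      exit 1
    fi
    if [[ -z "$APP_ID" && -n "$APP_KEY" ]]; then
      echo "Error: github_app_id input is required when using github_app_key"
      exit 1
    fi
# … unchanged: Generate GitHub App Token step …
```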
@@ -69,11 +98,19 @@ jobs:
 bundle exec rake module:bump
 fi
 - name: Prepare the release
+ if: inputs.github_app_id == ''
 env:
 # https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
 CHANGELOG_GITHUB_TOKEN: '${{ secrets.github_pat }}'
 run: bundle exec rake release:prepare
+ - name: Prepare the release
+ if: inputs.github_app_id != ''
+ env:
+ # https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
+ CHANGELOG_GITHUB_TOKEN: '${{ steps.generate-token.outputs.token }}'
+ run: bundle exec rake release:prepare
 - name: Create pull Request
+ if: inputs.github_app_id == ''
 uses: peter-evans/create-pull-request@v7
 with:
 commit-message: "Release ${{ inputs.version }}"
@@ -87,3 +124,18 @@ jobs:
 body: |
 Automated release-prep through https://github.com/voxpupuli/gha-puppet/ from commit ${{ github.sha }}.
 Checkout the [module release instructions](https://voxpupuli.org/docs/releasing_version/).
+ - name: Create pull Request
+ if: inputs.github_app_id != ''
+ uses: peter-evans/create-pull-request@v7
+ with:
+ commit-message: "Release ${{ inputs.version }}"
+ branch: release-prep
+ delete-branch: true
+ sign-commits: ${{ inputs.sign-commits }}
+ title: "Release ${{ inputs.version }}"
+ labels: skip-changelog
+ token: '${{ steps.generate-token.outputs.token }}'
+ assignees: '${{ github.triggering_actor }}'
+ body: |
+ Automated release-prep through https://github.com/voxpupuli/gha-puppet/ from commit ${{ github.sha }}.
+ Checkout the [module release instructions](https://voxpupuli.org/docs/releasing_version/).
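Review bot: The second `Prepare the release` step is a copy of the first with only the token changed, and the next hunk does the same for `Create pull Request`, so any later change to `sign-commits`, `labels` or the PR body has to be made twice or the PAT and App paths drift apart. A skipped step's outputs evaluate to an empty string, so one step can serve both paths with `CHANGELOG_GITHUB_TOKEN: '${{ steps.generate-token.outputs.token || secrets.github_pat }}'`, and likewise `token: '${{ steps.generate-token.outputs.token || secrets.github_pat }}'` in the pull-request step. The copied comment link points at the automatic `GITHUB_TOKEN` documentation, which does not describe the App token used in this branch. The steps before `bundle exec rake module:bump` lie outside the hunk.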
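Review bot: The added `Create pull Request` step hands the GitHub App installation token to `peter-evans/create-pull-request@v7`, a third-party action referenced by a movable tag; the same holds for `actions/create-github-app-token@v2` in the earlier hunk, which receives the App private key. Pinning both to a full commit SHA keeps a retagged release from running with those credentials, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v7`. It may also be worth limiting the generated token to the permissions this job needs instead of everything the installation grants, if the token action version in use supports that.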