From bd751ba815ecdc0f5e0af135fbdd6861103b82d1 Mon Sep 17 00:00:00 2001
From: Pablo Mena
Date: Mon, 6 Apr 2026 11:34:20 +0200
Subject: [PATCH] fix(ci): use intervene-ci PAT for semantic-release

GITHUB_TOKEN cannot push to protected branches regardless of push restriction settings. Switch back to CI_TOKEN (fine-grained PAT from intervene-ci, which is in the push restrictions) for semantic-release git and API operations. Keep GITHUB_TOKEN id-token:write for npm OIDC provenance.

Made-with: Cursor
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a25f68..7e8dadd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,8 +6,6 @@ on:
 
 permissions:
 id-token: write
- contents: write
- issues: write
 
 jobs:
 release:
@@ -17,6 +15,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -30,5 +30,5 @@ jobs:
 run: make build
 - name: Release
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.CI_TOKEN }}
 run: npm run semantic-release
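Review bot: The trimmed `permissions:` block leaves the job token with `id-token: write` only, so every other scope, `contents` included, drops to none. The Checkout step still authenticates its fetch with that token by default, and on a private repository the fetch would then fail. If the repository is not public, add `contents: read` under `permissions:`. A comment on the block such as `# GITHUB_TOKEN: checkout and npm OIDC only; release pushes use CI_TOKEN` would keep a later editor from re-adding the write scopes. The `on:` trigger sits outside this hunk, so which events reach the job cannot be checked from here.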
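Review bot: The new `persist-credentials: false` has no comment in the workflow, yet it is likely the line that makes the token switch work: by default checkout leaves the GITHUB_TOKEN auth header in the local git config, where it can take precedence over the PAT when semantic-release pushes. I would add a comment above it, `# do not persist GITHUB_TOKEN in .git/config; semantic-release pushes with CI_TOKEN`. The setting also keeps that token out of reach of the later install and build steps, which is worth stating so it is not reverted. Separately, `actions/checkout@v4` and `actions/setup-node@v4` are mutable tags in a job that now handles a PAT able to push to protected branches, so pinning both to full commit SHAs would be a sensible follow-up. The `steps:` list starts and continues outside this hunk.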
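Review bot: `GH_TOKEN: ${{ secrets.CI_TOKEN }}` puts a long-lived PAT that can push to protected branches into the environment of `npm run semantic-release`, where every plugin and transitive dependency of that run can read it. Nothing in the workflow records how the token is scoped, so a comment above the line should say so, for example `# CI_TOKEN: fine-grained PAT of intervene-ci, this repository only, minimum write scopes, expiry set`. Storing it as an environment secret behind a protected deployment environment, rather than as a repository secret, would limit which runs can read it; that needs an `environment:` key on the job, which is outside this hunk. Pushes made with a PAT also trigger other workflows, unlike pushes made with GITHUB_TOKEN, so confirm the release commit cannot re-trigger this job.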