From adbf0eeebbcac3888d8feb619b1a28c507c31c88 Mon Sep 17 00:00:00 2001
From: Miguel Sanchez Gonzalez <miguel.sanchez@platform.sh>
Date: Wed, 1 Apr 2026 16:35:50 +0200
Subject: [PATCH 1/2] fix(ci): use GitHub App token for homebrew-tap push

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 9 +++++++++
 .goreleaser.yaml              | 8 ++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f7a21001..ce2d72a5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -115,11 +115,20 @@ jobs:
       - name: Install Go tools
         run: make goreleaser repogen
 
+      - name: Generate GitHub App token for homebrew-tap
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          repositories: homebrew-tap
+
       - name: Build release (tag)
         if: startsWith(github.ref, 'refs/tags/') || inputs.tag
         env:
           GORELEASER_CURRENT_TAG: ${{ steps.tag.outputs.tag }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           RSA_SIGNING_KEY_FILE: ${{ steps.signing-keys.outputs.key_dir }}/rsa-signing-key.pem
           GPG_SIGNING_KEY_FILE: ${{ steps.signing-keys.outputs.key_dir }}/gpg-signing-key.asc
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 4cae804b..79406403 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -160,7 +160,7 @@ brews:
     repository:
       owner: upsun
       name: homebrew-tap
-      token: "{{ .Env.GITHUB_TOKEN }}"
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
     ids:
       - platform
 
@@ -191,7 +191,7 @@ brews:
     repository:
       owner: upsun
       name: homebrew-tap
-      token: "{{ .Env.GITHUB_TOKEN }}"
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
     ids:
       - upsun
 
@@ -223,7 +223,7 @@ scoops:
     repository:
       owner: upsun
       name: homebrew-tap
-      token: "{{ .Env.GITHUB_TOKEN }}"
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
     ids:
       - platform
 
@@ -245,7 +245,7 @@ scoops:
     repository:
       owner: upsun
       name: homebrew-tap
-      token: "{{ .Env.GITHUB_TOKEN }}"
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
     ids:
       - upsun
 

From 32369662646b40efbe422e8890c9561397f5118d Mon Sep 17 00:00:00 2001
From: Miguel Sanchez Gonzalez <miguel.sanchez@platform.sh>
Date: Wed, 1 Apr 2026 16:41:22 +0200
Subject: [PATCH 2/2] fix(ci): only generate App token when publishing a
 release

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce2d72a5..a1cdb4d3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -117,6 +117,7 @@ jobs:
 
       - name: Generate GitHub App token for homebrew-tap
         id: app-token
+        if: startsWith(github.ref, 'refs/tags/') || inputs.tag
         uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.APP_ID }}