From c2d3b28b21d29ca9ee7a5d35fd6bdf6bc79bdf40 Mon Sep 17 00:00:00 2001
From: synsoftworks <synthesissoftworks@gmail.com>
Date: Wed, 15 Apr 2026 12:56:51 -0700
Subject: [PATCH] chore: tighten release-please app token scope

---
 .github/workflows/release-please.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 32d6655..a0de980 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -23,10 +23,14 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
           private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          permission-contents: write
+          permission-issues: write
+          permission-pull-requests: write
 
       - name: Run Release Please
         uses: googleapis/release-please-action@v4