Closes #1735 (W1a-fix) under M134.
PR #1698 added token: ${{ secrets.SNAPSHOT_PR_TOKEN || secrets.GITHUB_TOKEN }}
as a half-measure for the snapshot PR. The PAT secret was never created, and the
fallback path (GITHUB_TOKEN) opens PRs as github-actions[bot],
whose pushes do not trigger required CI checks. Auto-merge therefore stalls.
This change mints a Release Bot App installation token using the existing
RELEASE_BOT_APP_ID + RELEASE_BOT_PRIVATE_KEY secrets that
release-please.yml already uses. App-issued tokens DO trigger CI.
.github/workflows/claude-release-watch.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-)
actions/create-github-app-token@1b10c78c… step (same SHA as release-please.yml) just before the peter-evans/create-pull-request step.token: ${{ secrets.SNAPSHOT_PR_TOKEN || secrets.GITHUB_TOKEN }} with token: ${{ steps.app_token.outputs.token }}.SNAPSHOT_PR_TOKEN.gh pr merge --auto step is unchanged — it correctly continues to use GITHUB_TOKEN.actionlint .github/workflows/claude-release-watch.yml — clean.npm run test:manifests — passed.
Workflow contract preserved: same step id: cpr, same outputs, same downstream
gh pr merge wiring. Only the auth source for peter-evans/create-pull-request
changed.