permissiong for nightly job (#8652)

.github/workflows/create-patch-pr.yml

@@ -46,13 +46,22 @@ jobs:
           git config user.name "gemini-cli-robot"
           git config user.email "gemini-cli-robot@google.com"
 
+      - name: 'Generate GitHub App Token'
+        id: 'generate_token'
+        uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+        with:
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          permission-pull-requests: 'write'
+          permission-contents: 'write'
+
       - name: 'Create Patch for Stable'
         if: "github.event.inputs.channel == 'stable'"
         env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
         run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=stable --dry-run=${{ github.event.inputs.dry_run }}'
 
       - name: 'Create Patch for Preview'
         env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
         run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }}'

.github/workflows/nightly-release.yml

@@ -25,7 +25,10 @@ jobs:
   release:
     runs-on: 'ubuntu-latest'
     permissions:
+      contents: 'write'
+      packages: 'write'
       issues: 'write'
+      pull-requests: 'write'
     steps:
       - name: 'Checkout'
         uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
@@ -71,6 +74,16 @@ jobs:
           dry-run: '${{ github.event.inputs.dry_run }}'
           previous-tag: '${{ steps.nightly_version.outputs.PREVIOUS_TAG }}'
 
+      - name: 'Create and Merge Pull Request'
+        uses: './.github/actions/create-pull-request'
+        with:
+          branch-name: 'release/${{ steps.nightly_version.outputs.RELEASE_TAG }}'
+          pr-title: 'chore(release): bump version to ${{ steps.nightly_version.outputs.RELEASE_VERSION }}'
+          pr-body: 'Automated version bump for nightly release.'
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          dry-run: '${{ github.event.inputs.dry_run }}'
+
       - name: 'Create Issue on Failure'
         if: '${{ failure() && github.event.inputs.dry_run == false }}'
         env:

.github/workflows/promote-release.yml

@@ -317,20 +317,15 @@ jobs:
             echo "Dry run enabled. Skipping push."
           fi
 
-      - name: 'Create and Approve Pull Request'
-        if: |-
-          ${{ github.event.inputs.dry_run == 'false' }}
-        env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
-        run: |
-          gh pr create \
-            --title "chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}" \
-            --body "Automated version bump to prepare for the next nightly release." \
-            --base "main" \
-            --head "${BRANCH_NAME}" \
-            --fill
-          gh pr merge --auto --squash
+      - name: 'Create and Merge Pull Request'
+        uses: './.github/actions/create-pull-request'
+        with:
+          branch-name: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+          pr-title: 'chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}'
+          pr-body: 'Automated version bump to prepare for the next nightly release.'
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          dry-run: '${{ github.event.inputs.dry_run }}'
 
       - name: 'Create Issue on Failure'
         if: '${{ failure() && github.event.inputs.dry_run == false }}'