vercel · TooTallNate · May 4, 2026 · Apr 17, 2026 · Apr 29, 2026 · Apr 29, 2026
diff --git a/.changeset/backport-release-app-token-removal.md b/.changeset/backport-release-app-token-removal.md
@@ -0,0 +1,4 @@
+---
+---
+
+Backport CI changes from `main` to unblock releases on `stable`. Removes the dependency on the temporarily-removed Release App by switching to `secrets.GITHUB_TOKEN` with `commitMode: github-api` for GPG-signed commits, and bumps `pnpm/action-setup` to `v5` so the version is read from `package.json#packageManager`. Backports #1785, #1866, and #1867.
diff --git a/.github/actions/setup-workflow-dev/action.yml b/.github/actions/setup-workflow-dev/action.yml
@@ -6,10 +6,6 @@ inputs:
     description: 'Node.js version to use'
     required: false
     default: '22.x'
-  pnpm-version:
-    description: 'pnpm version to use'
-    required: false
-    default: '10.14.0'
   setup-rust:
     description: 'Whether to setup Rust toolchain'
     required: false
@@ -37,9 +33,7 @@ runs:
         toolchain: stable
 
     - name: Setup pnpm
-      uses: pnpm/action-setup@v3
-      with:
-        version: ${{ inputs.pnpm-version }}
+      uses: pnpm/action-setup@v5
 
     - name: Setup Node.js ${{ inputs.node-version }}
       uses: actions/setup-node@v4

diff --git a/.github/workflows/debug-windows.yml b/.github/workflows/debug-windows.yml
@@ -27,9 +27,7 @@ jobs:
           target: wasm32-unknown-unknown
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 10.14.0
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4

diff --git a/.github/workflows/dispatch-front-workflow-release-pr.yml b/.github/workflows/dispatch-front-workflow-release-pr.yml
@@ -1,5 +1,10 @@
 name: Dispatch Front Workflow Release PR
 
+# DISABLED: This workflow dispatches to vercel/front (cross-repo) which
+# requires a GitHub App token. The Release App has been temporarily
+# removed, so this workflow is disabled (all jobs gated on `if: false`)
+# until the App is restored. See .github/workflows/release.yml, which
+# has also been updated to no longer rely on the Release App.
 on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
@@ -15,6 +20,7 @@ jobs:
   dispatch-front-sync:
     name: Dispatch Front Sync
     if: >
+      false &&
       startsWith(github.event.pull_request.head.ref, 'changeset-release/') &&
       github.event.action != 'closed'
     runs-on: ubuntu-latest
@@ -68,6 +74,7 @@ jobs:
   dispatch-front-close:
     name: Dispatch Front Close
     if: >
+      false &&
       startsWith(github.event.pull_request.head.ref, 'changeset-release/') &&
       github.event.action == 'closed'
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,11 @@ on:
     branches:
       - main
       - stable
+  # Allow manual triggering from the Actions tab. Useful for re-running the
+  # release flow when a push from the default GITHUB_TOKEN (e.g. a clean
+  # cherry-pick from the backport workflow, or a merged "Version Packages"
+  # PR) does not automatically trigger this workflow.
+  workflow_dispatch:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -23,28 +28,18 @@ jobs:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
     steps:
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.RELEASE_APP_ID }}
-          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
-
       - name: Checkout Repo
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ steps.app-token.outputs.token }}
 
       - name: Configure Git identity
         run: |
-          git config user.name "${{ steps.app-token.outputs.app-slug }}[bot]"
-          git config user.email "${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 10.14.0
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js 24.x
         uses: actions/setup-node@v4
@@ -64,13 +59,15 @@ jobs:
           publish: pnpm ci:publish
           createGithubReleases: false
           setupGitUser: false
+          # Use GitHub API for GPG-signed commits (required by branch rules).
+          commitMode: github-api
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create GitHub Release
         if: steps.changesets.outputs.published == 'true'
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
         run: |
           # Generate release notes (PUBLISHED_PACKAGES filters to only include packages from this release)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -161,9 +161,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 10.14.0
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
@@ -622,9 +620,7 @@ jobs:
           target: wasm32-unknown-unknown
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 10.14.0
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4