ci(release): open Version Packages PR via qa-wolf-ops App token #1378

Merged: Mateus Zitelli (MateusZitelli) merged 2 commits into main from ci/release-version-pr-app-token, Jun 17, 2026

@michael-pr Michael Price (michael-pr) commented Jun 17, 2026

Contributor

What

Swap the token the changesets action uses from the default GITHUB_TOKEN to a short-lived qa-wolf-ops GitHub App token, minted at runtime with actions/create-github-app-token (pinned to v3.2.0). Mirrors the App-token pattern already used in wolf-ops CI (.github/workflows/claude-reviewer-assignment.yml).

Why

The release workflow has been failing at Create Release PR or Publish:

HttpError: GitHub Actions is not permitted to create or approve pull requests.

The default GITHUB_TOKEN cannot open PRs under the org policy. The initial 1.0.0 release only shipped because the "Version Packages" PR (#1369) was opened manually after the action pushed the branch — the action's PR creation has never succeeded here. New changesets are now queued (→ 1.0.1) with no open version PR, so the action tries to create one again and fails.

A second benefit: PRs opened with GITHUB_TOKEN do not trigger downstream workflows, so the Version Packages PR would skip CI. An App-token-authored PR runs CI normally.

Prerequisites

  1. ✅ Secrets QA_WOLF_OPS_CLIENT_ID / QA_WOLF_OPS_PRIVATE_KEY — confirmed organization-managed (same secrets wolf-ops uses).
  2. qa-wolf-ops App installed on qawolf/cli with Contents: write + Pull requests: write. The create-github-app-token step fails fast if the App is not installed on this repo, so the next release run is the decisive check.

Test plan

  • Merge, then confirm the next push to main with a pending changeset opens a changeset-release/main PR authored by qa-wolf-ops[bot] and that CI runs on it.

The default GITHUB_TOKEN cannot create pull requests under the org policy, so
the changesets action failed at the "Create Release PR or Publish" step. Mint a
short-lived qa-wolf-ops App token (same pattern as wolf-ops CI) and hand it to
the changesets action so it can open the Version Packages PR — and so that PR
triggers CI, which GITHUB_TOKEN-authored PRs do not.

coderabbitai Bot commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6a10c3ee-6d1f-4578-8c04-f019036625b1

📥 Commits

Reviewing files that changed from the base of the PR and between 2112a7c and 1e250d6.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

The release workflow (release.yml) gains a new step that generates a short-lived GitHub App token using the actions/create-github-app-token action, authenticated with the qa-wolf-ops app credentials stored as repository secrets. The immediately following Changesets action step is updated so its GITHUB_TOKEN environment variable references steps.app-token.outputs.token rather than ${{ secrets.GITHUB_TOKEN }}. No other workflow steps or jobs are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title is specific, descriptive, and follows imperative mood with a conventional-commit prefix (ci(release):). It clearly summarizes the change—using a qa-wolf-ops App token for the release workflow. |
| Description check | ✅ Passed | Description covers required sections: What (token swap), Why (org policy restriction on GITHUB_TOKEN), Prerequisites (secrets confirmed, App installation pending), and Test plan (merge and verify PR authorship and CI execution). All core elements are present. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@MateusZitelli Mateus Zitelli (MateusZitelli) merged commit a06ce99 into main Jun 17, 2026
2 checks passed
@MateusZitelli Mateus Zitelli (MateusZitelli) deleted the ci/release-version-pr-app-token branch June 17, 2026 08:26
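
The token swap described in this thread, sketched as a workflow. This is an added illustration, not the contents of the repository's release.yml: the trigger, job name, runner, checkout step, the changesets/action version, the `client-id` input name and the two `permission-*` inputs are assumptions; the step id, secret names, action pin and output reference come from the PR text.

```yaml
# Illustrative reconstruction of the release workflow steps discussed above.
# Everything marked "assumption" is not taken from the repository.
name: Release            # assumption
on:
  push:
    branches: [main]     # the test plan refers to pushes to main

jobs:
  release:               # assumption: job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumption: checkout step and version

      # Mint a short-lived installation token for the qa-wolf-ops App.
      # This step fails fast if the App is not installed on the repository.
      - name: Create qa-wolf-ops App token
        id: app-token
        uses: actions/create-github-app-token@v3.2.0
        with:
          # Assumption: input name inferred from the secret name; earlier
          # major versions of this action take `app-id` instead.
          client-id: ${{ secrets.QA_WOLF_OPS_CLIENT_ID }}
          private-key: ${{ secrets.QA_WOLF_OPS_PRIVATE_KEY }}
          # Assumption (not in the PR): request only the two permissions the
          # prerequisites list, so the token cannot exceed what the release
          # step needs even if the App installation is granted more later.
          permission-contents: write
          permission-pull-requests: write

      - name: Create Release PR or Publish
        uses: changesets/action@v1   # assumption: version
        env:
          # Before: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # which the org policy rejects with "GitHub Actions is not
          # permitted to create or approve pull requests".
          # After: the App token, so the Version Packages PR is authored by
          # qa-wolf-ops[bot] and triggers CI like any other PR.
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```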