From 7dbf5344d8e28973edc6bd8ab44a40a708ce89a3 Mon Sep 17 00:00:00 2001 From: Reza Rahman <13340707+rezrah@users.noreply.github.com> Date: Fri, 22 Sep 2023 17:34:54 +0100 Subject: [PATCH 1/5] use org token for final release --- .github/workflows/release.yml | 13 +++---------- .github/workflows/release_candidate.yml | 1 + 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 06abf40c5..bb30f946a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,8 @@ on: branches: - 'main' - 'next_major' + workflow_dispatch: + jobs: release: name: Final @@ -33,15 +35,6 @@ jobs: - name: Build experimental tokens run: npm run build:tokens - - id: get-access-token - uses: camertron/github-app-installation-auth-action@v1 - with: - app-id: ${{ vars.PRIMER_APP_ID_SHARED }} - private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }} - client-id: ${{ vars.PRIMER_APP_CLIENT_ID_SHARED }} - client-secret: ${{ secrets.PRIMER_APP_CLIENT_SECRET_SHARED }} - installation-id: ${{ vars.PRIMER_APP_INSTALLATION_ID_SHARED }} - - name: Create release pull request or publish to npm id: changesets uses: changesets/action@v1.4.1 @@ -50,5 +43,5 @@ jobs: # This expects you to have a script called release which does a build for your packages and calls changeset publish publish: npm run release env: - GITHUB_TOKEN: ${{ steps.get-access-token.outputs.access-token }} + GITHUB_TOKEN: ${{ secrets.GPR_AUTH_TOKEN_SHARED }} NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN_SHARED }} diff --git a/.github/workflows/release_candidate.yml b/.github/workflows/release_candidate.yml index 66307dca7..8b75b86da 100644 --- a/.github/workflows/release_candidate.yml +++ b/.github/workflows/release_candidate.yml @@ -3,6 +3,7 @@ on: push: branches: - 'changeset-release/**' + workflow_dispatch: jobs: release-candidate: From 4f264230d897b14cee9c4383d98b1e64ab5fc35c Mon Sep 17 00:00:00 2001 
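Review bot: The new `workflow_dispatch:` trigger in release.yml is not covered by the `branches:` filter above it, which applies only to `push`, so a manual run can be started on any ref and still reach the publish step that receives `NPM_AUTH_TOKEN_SHARED`. No ref guard is visible in this hunk, and the `release` job continues outside it. A job-level condition such as `if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/next_major'` would keep manual runs on the release branches. The same trigger is added to release_candidate.yml at the end of this patch and deserves the same check.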
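Review bot: `GITHUB_TOKEN` for the changesets step now comes from the stored secret `GPR_AUTH_TOKEN_SHARED` rather than a GitHub App installation token minted per run, so what is presumably a long-lived credential is handed to a third-party action pinned only to the mutable tag `changesets/action@v1.4.1`. Pinning that action to a full commit SHA and adding a comment above the `env:` block, e.g. `# GPR_AUTH_TOKEN_SHARED: org token, scopes <SCOPES>, rotated by <OWNER>`, would limit and document the exposure. Patch 4/5 makes the same substitution for `gh_token` in release_canary.yml. The token's type and scopes are not visible on this page, so the minimum scope needed for the release pull request should be confirmed.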
From: Reza Rahman <13340707+rezrah@users.noreply.github.com>
Date: Fri, 22 Sep 2023 17:42:13 +0100
Subject: [PATCH 2/5] switch canary to use org workflow
---
 .github/workflows/release_canary.yml | 60 +++-------------------------
 1 file changed, 6 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/release_canary.yml b/.github/workflows/release_canary.yml
index 0007e3926..964f23271 100644
--- a/.github/workflows/release_canary.yml
+++ b/.github/workflows/release_canary.yml
@@ -10,57 +10,9 @@ jobs: release-canary: name: Canary if: ${{ github.repository == 'primer/primitives' }} - - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits - fetch-depth: 0 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - node-version: 16.x - - - name: Install dependencies - run: npm ci --legacy-peer-deps --no-audit --no-fund --include=dev - - - name: Build tokens - run: npm run build - - - name: Build experimental tokens - run: npm run build:tokens - - - name: Create .npmrc - run: | - cat << EOF > "$HOME/.npmrc" - //registry.npmjs.org/:_authToken=$NPM_TOKEN - EOF - env: - NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN_SHARED }} - - - name: Publish canary version - run: | - echo "$( jq '.version = "0.0.0"' package.json )" > package.json - echo -e "---\n'@primer/primitives': patch\n---\n\nFake entry to force publishing" > .changeset/force-snapshot-release.md - npx changeset version --snapshot - npx changeset publish --tag canary - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Output canary version number - uses: actions/github-script@v6.4.0 - with: - script: | - const package = require(`${process.env.GITHUB_WORKSPACE}/package.json`) - github.rest.repos.createCommitStatus({ - owner: context.repo.owner, - repo: context.repo.repo, - sha: context.sha, - state: 'success', - context: `Published ${package.name}`, - description: package.version, - target_url: `https://unpkg.com/${package.name}@${package.version}/` - }) + uses: primer/.github/.github/workflows/release_canary.yml@main + with: + install: npm ci --legacy-peer-deps --no-audit --no-fund --include=dev && npm run build && npm run build:tokens + secrets: + gh_token: ${{ secrets.GITHUB_TOKEN }} + npm_token: ${{ secrets.NPM_AUTH_TOKEN_SHARED }} From d66041ceb12c59f25d64808babb882044a786d62 Mon Sep 17 00:00:00 2001 
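Review bot: The reusable workflow is referenced as `primer/.github/.github/workflows/release_canary.yml@main`, a branch ref that can change between runs, while it receives both `gh_token` and `npm_token`. Pinning it to a commit, `uses: primer/.github/.github/workflows/release_canary.yml@<COMMIT_SHA>`, keeps the code that handles the publish credentials fixed and reviewable. The `install` input is a shell command string; how the called workflow executes it is not visible from this hunk, so a short comment above `with:` naming where that input is run would help the next reader.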
From: Reza Rahman <13340707+rezrah@users.noreply.github.com>
Date: Fri, 22 Sep 2023 17:46:18 +0100
Subject: [PATCH 3/5] update cli version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index ece9d61ff..fc7bfa6ad 100644
--- a/package.json
+++ b/package.json
@@ -54,7 +54,7 @@
 "devDependencies": {
 "@actions/github": "^5.1.1",
 "@changesets/changelog-github": "^0.4.8",
- "@changesets/cli": "^2.22.0",
+ "@changesets/cli": "^2.26.1",
 "@github/prettier-config": "^0.0.6",
 "@playwright/test": "^1.35.1",
 "@types/flat": "^5.0.1",
From 407ca9c30c5d8b9e6dbaea98545887947080c077 Mon Sep 17 00:00:00 2001
From: Reza Rahman <13340707+rezrah@users.noreply.github.com>
Date: Fri, 22 Sep 2023 17:55:00 +0100
Subject: [PATCH 4/5] try use org token for canary
---
 .github/workflows/release_canary.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release_canary.yml b/.github/workflows/release_canary.yml
index 964f23271..85415a70d 100644
--- a/.github/workflows/release_canary.yml
+++ b/.github/workflows/release_canary.yml
@@ -14,5 +14,5 @@ jobs:
 with:
 install: npm ci --legacy-peer-deps --no-audit --no-fund --include=dev && npm run build && npm run build:tokens
 secrets:
- gh_token: ${{ secrets.GITHUB_TOKEN }}
+ gh_token: ${{ secrets.GPR_AUTH_TOKEN_SHARED }}
 npm_token: ${{ secrets.NPM_AUTH_TOKEN_SHARED }}
From 35bf6952a846e8fe5bf99ae7199f1c17a82ec5df Mon Sep 17 00:00:00 2001
From: Reza Rahman <13340707+rezrah@users.noreply.github.com>
Date: Fri, 22 Sep 2023 18:03:28 +0100
Subject: [PATCH 5/5] elevate perms
---
 .github/workflows/release_canary.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/release_canary.yml b/.github/workflows/release_canary.yml
index 85415a70d..0b2350638 100644
--- a/.github/workflows/release_canary.yml
+++ b/.github/workflows/release_canary.yml
@@ -6,6 +6,12 @@ on: - 'changeset-release/**' - 'dependabot/**' +permissions: + contents: write + pull-requests: write + checks: write + packages: write + jobs: release-canary: name: Canary
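Review bot: The `permissions:` block is set at workflow level and grants four write scopes, while the only job visible is `release-canary`, which the `on:` context lines show also runs for `dependabot/**` branches. Moving the block under the `release-canary:` job and keeping only the scopes the called workflow uses would narrow what the built-in token can do. The inline job this series removed posted a commit status, which is governed by `statuses`, not `checks`, so the list may not match what is needed. Because patch 4/5 passes `GPR_AUTH_TOKEN_SHARED` as `gh_token`, these grants presumably affect only steps that still use the built-in token; a comment such as `# required by primer/.github release_canary.yml: <REASON>` above each scope would record why it is there. The job body continues outside the hunk.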