From 8f9ce370a55638024e0aed724b0d926dcbc747a1 Mon Sep 17 00:00:00 2001
From: Brad Anderson <brad@enforceauth.com>
Date: Tue, 5 May 2026 09:15:58 -0400
Subject: [PATCH] ci: fix release-plz detached-HEAD failure and app-id
 deprecation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #63 set `ref: ${{ github.sha }}` on the release-plz checkouts per a
CodeRabbit suggestion to avoid running against a moving `main`. That
form causes actions/checkout to do `git checkout --force <sha>`, which
leaves HEAD detached. release-plz then runs
`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}` and
aborts with `fatal: HEAD does not point to a branch`, failing both
release-plz-release and release-plz-pr.

Drop the explicit `ref:` so checkout uses its default behavior:
`git checkout -B main <github.sha>`. This gives a branch HEAD pinned
to the triggering commit — same commit-pinning guarantee CodeRabbit
asked for, without the detached-HEAD side effect.

Also rename `app-id:` to `client-id:` on
actions/create-github-app-token@v3 (3 call sites) to clear the
deprecation warnings. The existing RELEASE_PLZ_APP_ID secret value
continues to work; the input was just renamed upstream.

Signed-off-by: Brad Anderson <brad@enforceauth.com>
---
 .github/workflows/release-binaries.yml | 2 +-
 .github/workflows/release-plz.yml      | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index ab32e27..6594bc8 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -88,7 +88,7 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
+          client-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
           private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
           owner: EnforceAuth
           repositories: homebrew-tap
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index e3f1ebd..a011db6 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@@ -22,13 +22,12 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
+          client-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
           private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
 
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          ref: ${{ github.sha }}
           # Use the App token so release-plz's git push (tags, etc.)
           # is authored by the App rather than the default GITHUB_TOKEN.
           token: ${{ steps.app-token.outputs.token }}
@@ -64,13 +63,12 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
+          client-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
           private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
 
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          ref: ${{ github.sha }}
           token: ${{ steps.app-token.outputs.token }}
 
       - uses: dtolnay/rust-toolchain@stable