From 0e32a92fc147a0ff074624ea83da7434248d31f0 Mon Sep 17 00:00:00 2001
From: BowTiedDevOps <157840260+BowTiedDevOps@users.noreply.github.com>
Date: Tue, 1 Apr 2025 19:08:03 +0300
Subject: [PATCH 1/4] feat: replace github_token secret in release ci file

---
 .github/workflows/github-release.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 75155649b6..9d46f01131 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -29,9 +29,6 @@ on:
 description: "True if it is a signer release"
 required: true
 type: string
- secrets:
- GH_TOKEN:
- required: true
 
 concurrency:
 group: github-release-${{ github.head_ref || github.ref }}
@@ -95,6 +92,8 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - build-binaries
+ permissions:
+ contents: write
 steps:
 ## Creates releases
 - name: Create Release
@@ -106,7 +105,7 @@ jobs:
 signer_docker_tag: ${{ inputs.signer_docker_tag }}
 is_node_release: ${{ inputs.is_node_release }}
 is_signer_release: ${{ inputs.is_signer_release }}
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ github.TOKEN }}
 
 
 ## Builds arch dependent Docker images from binaries
@@ -156,9 +155,11 @@ jobs:
 - build-binaries
 - create-release
 - docker-image
+ permissions:
+ pull-requests: write
 steps:
 - name: Open Downstream PR
 id: create-pr
 uses: stacks-network/actions/stacks-core/release/downstream-pr@main
 with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ github.TOKEN }}

From 3d6fe3e452c13bc7dc34bfc2427c8570a4f2294b Mon Sep 17 00:00:00 2001
From: BowTiedDevOps <157840260+BowTiedDevOps@users.noreply.github.com>
Date: Tue, 1 Apr 2025 19:09:24 +0300
Subject: [PATCH 2/4] feat: remove `secrets: inherit` line from create-release job

---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e32148c06f..73c86b5b8e 100644
--- a/.github/workflows/ci.yml
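Review bot: The `permissions: contents: write` block added in the `@@ -95,6 +92,8 @@` hunk can only narrow the token, never widen it, if this file is invoked through `workflow_call` (the `inputs.*` references and the removed `secrets:` declaration under `on:` suggest it is), because a called workflow cannot raise `GITHUB_TOKEN` permissions above what the calling job holds. The caller is not visible in this hunk, so the `ci.yml` job that uses this workflow should declare the scopes itself, a `permissions:` block with `contents: write` and `pull-requests: write`, rather than depend on the repository's default token setting. The same applies to the `pull-requests: write` block in the `@@ -156,9 +155,11 @@` hunk. Both jobs begin above their hunks.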
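Review bot: In the `@@ -156,9 +155,11 @@` hunk the job-level `permissions` block lists only `pull-requests: write`, and every scope not listed in such a block is set to `none`, so the `token:` handed to `downstream-pr@main` carries no `contents` access. If that action pushes a branch before it opens the pull request, the block would also need `contents: write`; and if the pull request is opened in a different repository, `GITHUB_TOKEN` cannot do it, since it is scoped to the repository the workflow runs in. The action's source is not on this page, so both points need to be checked against it before the old `GH_TOKEN` secret is retired.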
+++ b/.github/workflows/ci.yml
@@ -102,7 +102,6 @@ jobs:
 signer_docker_tag: ${{ needs.check-release.outputs.signer_docker_tag }}
 is_node_release: ${{ needs.check-release.outputs.is_node_release }}
 is_signer_release: ${{ needs.check-release.outputs.is_signer_release }}
- secrets: inherit
 
 ## Build and push Debian image built from source
 ##

From 3b9c2cbb220b053d7ae8af090943787a11eb9910 Mon Sep 17 00:00:00 2001
From: BowTiedDevOps <157840260+BowTiedDevOps@users.noreply.github.com>
Date: Tue, 1 Apr 2025 19:29:58 +0300
Subject: [PATCH 3/4] feat: remove the docker image build job from ci.yml

---
 .github/workflows/ci.yml | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 73c86b5b8e..6446197e42 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,21 +103,6 @@ jobs:
 is_node_release: ${{ needs.check-release.outputs.is_node_release }}
 is_signer_release: ${{ needs.check-release.outputs.is_signer_release }}
 
- ## Build and push Debian image built from source
- ##
- ## Runs when:
- ## - it is not a node or signer-only release run
- docker-image:
- if: |
- needs.check-release.outputs.is_node_release != 'true' ||
- needs.check-release.outputs.is_signer_release != 'true'
- name: Docker Image (Source)
- uses: ./.github/workflows/image-build-source.yml
- needs:
- - rustfmt
- - check-release
- secrets: inherit
-
 ## Create a reusable cache for tests
 ##
 ## Runs when:

From 2329139499659e64c82106307225975587c93332 Mon Sep 17 00:00:00 2001
From: BowTiedDevOps <157840260+BowTiedDevOps@users.noreply.github.com>
Date: Wed, 2 Apr 2025 16:49:29 +0300
Subject: [PATCH 4/4] feat: change token name in release workflow

---
 .github/workflows/github-release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 9d46f01131..104f29281b 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -105,7 +105,7 @@ jobs:
 signer_docker_tag: ${{ inputs.signer_docker_tag }}
 is_node_release: ${{ inputs.is_node_release }}
 is_signer_release: ${{ inputs.is_signer_release }}
- GH_TOKEN: ${{ github.TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 
 ## Builds arch dependent Docker images from binaries
@@ -162,4 +162,4 @@ jobs:
 id: create-pr
 uses: stacks-network/actions/stacks-core/release/downstream-pr@main
 with:
- token: ${{ github.TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
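Review bot: The `uses: stacks-network/actions/stacks-core/release/downstream-pr@main` step in the `@@ -162,4 +162,4 @@` hunk resolves to whatever the `main` branch of that repository holds at run time, and the `token:` line changed here hands that code a write-capable token. Pinning the reference to a full commit SHA keeps a later push to that branch from changing what runs with the token, for example `uses: stacks-network/actions/stacks-core/release/downstream-pr@<full-commit-sha>  # main` (placeholder, to be filled from the reviewed revision). Separately, pull requests opened with `GITHUB_TOKEN` do not start `pull_request` workflow runs, so any checks expected on the resulting PR would need another trigger. The job starts above this hunk, so its `permissions` block is not visible here.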