ci: publish releases using the @slackapi github app token

[zimeg]

Summary

• Adds a Gather credentials step using actions/create-github-app-token to generate an app token for the @slackapi GitHub app
• Uses the app token for checkout and publishing so GitHub releases are created under the app identity
• Replaces secrets.GITHUB_TOKEN with the app token in the publish and release details steps

Notes

This mirrors the release process found in bolt-js: slackapi/bolt-js#2883

• We have a few secrets to add alongside these changes before the next release too 🔏
  • GH_APP_CLIENT_ID
  • GH_APP_PRIVATE_KEY

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

🤖 Generated with Claude Code

Co-Authored-By: Claude svc-devxp-claude@slack-corp.com

[changeset-bot]

⚠️ No Changeset found

Latest commit: 00ff246

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.41%. Comparing base (2e0395b) to head (00ff246).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2560   +/-   ##
=======================================
  Coverage   87.41%   87.41%           
=======================================
  Files          62       62           
  Lines       10251    10251           
  Branches      415      415           
=======================================
  Hits         8961     8961           
  Misses       1269     1269           
  Partials       21       21           

Flag	Coverage Δ
cli-hooks	87.41% <ø> (ø)
cli-test	87.41% <ø> (ø)
logger	87.41% <ø> (ø)
oauth	87.41% <ø> (ø)
socket-mode	87.41% <ø> (ø)
web-api	87.41% <ø> (ø)
webhook	87.41% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zimeg]

🔭 A note of changes made as token updates are in progress-

[zimeg]

🪬 note: I'm curious if publishing with changeset and this token shows a "verified" release? Adjacent releases with a more custom script found this difficult-

🔗 https://github.com/slackapi/slack-github-action/releases/tag/v3.0.2

[zimeg]

💾 The credentials have been saved. This should be similar enough to the Bolt for JavaScript release processes at this time so I'll merge this next.

[WilliamBergamin]

Nice work!! 💯

None blocking comment: Could we move Setup Node as the first step in the job 🤔

1. Setup Node
2. Gather credentials
3. Checkout repo
4. Install dependencies
5. Build packages
6. ...

[zimeg]

@WilliamBergamin Thanks so much for encouraging reviews toward these releases 🚀 ✨

Could we move Setup Node as the first step in the job

I'm hesitant to reorder node before checkout since this isn't shown in documentation and the current steps might take advantage of package resolution when the lock file's available but that's not as clear to me:

🔗 https://github.com/actions/setup-node?tab=readme-ov-file

I'll merge this as is but remain curious to finding what works best! 👾