ci(steps): Handle push into protected branch

Author: rizqyfahmi

.github/workflows/ci.yaml

@@ -1,4 +1,5 @@
 name: CI Pipeline
+run-name: ${{ github.actor }} is automatically publishing
 
 on:
   push:
@@ -53,6 +54,30 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - name: Decode the GitHub App Private Key
+        id: decode
+        run: |
+          private_key=$(echo "${{ secrets.BOT_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+          echo "::add-mask::$private_key"
+          echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
+      - name: 'Generate token'
+        id: GENERATE_TOKEN
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ steps.decode.outputs.private-key }}
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.GENERATE_TOKEN.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.GENERATE_TOKEN.outputs.token }}
+
+      - name: Set global username and email
+        run: |
+          git config --global user.name '${{ steps.GENERATE_TOKEN.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.GENERATE_TOKEN.outputs.app-slug }}[bot]@users.noreply.github.com'
+
       - name: Checkout
         uses: actions/checkout@v4
 
@@ -78,8 +103,12 @@ jobs:
         with:
           inputs: "*.tgz"
 
+      - name: Debug auth
+        run: |
+          curl -s -H "Authorization: token ${{ steps.GENERATE_TOKEN.outputs.token }}" https://api.github.com/user
+
       - name: Run Semantic Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.GENERATE_TOKEN.outputs.token }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npx semantic-release