From d8d1b0a7fc41cab28e9d491f7e84fe603c65cf88 Mon Sep 17 00:00:00 2001
From: Rafael <raf@kernel.sh>
Date: Mon, 9 Feb 2026 18:58:24 -0500
Subject: [PATCH 1/2] fix: use kernel-internal app token for release workflow

---
 .github/workflows/release.yaml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 70d4214376ff20..a7e1edb4299262 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,6 +7,12 @@ jobs:
     name: Release
     runs-on: ubuntu-22.04
     steps:
+     - name: Generate app token
+       id: app-token
+       uses: actions/create-github-app-token@v1
+       with:
+         app-id: ${{ secrets.ADMIN_APP_ID }}
+         private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
      - name: Code checkout
        uses: actions/checkout@v4
        with:
@@ -29,7 +35,7 @@ jobs:
        id: create_release
        uses: actions/create-release@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          tag_name: ${{ github.ref }}
          release_name: ${{ github.ref }}
@@ -37,7 +43,7 @@ jobs:
      - name: Upload bzImage for x86_64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: arch/x86/boot/bzImage
@@ -46,7 +52,7 @@ jobs:
      - name: Upload vmlinux for x86_64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: vmlinux
@@ -55,7 +61,7 @@ jobs:
      - name: Upload Image.gz for aarch64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: arch/arm64/boot/Image.gz
@@ -64,7 +70,7 @@ jobs:
      - name: Upload Image for aarch64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: arch/arm64/boot/Image
@@ -73,7 +79,7 @@ jobs:
      - name: Upload Image.gz for riscv64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: arch/riscv/boot/Image.gz
@@ -82,7 +88,7 @@ jobs:
      - name: Upload Image for riscv64
        uses: actions/upload-release-asset@v1
        env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: arch/riscv/boot/Image

From f3565743420b12c17a534bbde092edc646c98bbe Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Tue, 10 Feb 2026 17:42:13 +0000
Subject: [PATCH 2/2] Move app token generation to just before release steps

GitHub App installation tokens expire after 1 hour. Previously the token
was generated at the very start of the workflow, before three full kernel
builds. On a 2-core runner these builds can easily exceed 1 hour, causing
the token to expire before the release creation and asset upload steps.

Move the token generation step to immediately before the 'Create release'
step so the token is fresh when it is actually needed.

Applied via @cursor push command
---
 .github/workflows/release.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a7e1edb4299262..1e7c118dd59ae8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,12 +7,6 @@ jobs:
     name: Release
     runs-on: ubuntu-22.04
     steps:
-     - name: Generate app token
-       id: app-token
-       uses: actions/create-github-app-token@v1
-       with:
-         app-id: ${{ secrets.ADMIN_APP_ID }}
-         private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
      - name: Code checkout
        uses: actions/checkout@v4
        with:
@@ -31,6 +25,12 @@ jobs:
        run: make ch_defconfig
      - name: Build kernel (x86-64)
        run: CFLAGS="-Wa,-mx86-used-note=no" make bzImage -j `nproc`
+     - name: Generate app token
+       id: app-token
+       uses: actions/create-github-app-token@v1
+       with:
+         app-id: ${{ secrets.ADMIN_APP_ID }}
+         private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
      - name: Create release
        id: create_release
        uses: actions/create-release@v1