From 76e9e66f070a3106d0dadd80375a137d8c06c3bd Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com>
Date: Sun, 31 May 2026 13:39:10 -0400
Subject: [PATCH] feat(release-please): org-native reusable workflow on org release App

Host the canonical release-please workflow once here so every repo runs identical logic with zero per-repo drift, replacing the cross-account caller (JacobPEvans-personal/.github/_release-please.yml) that 404s on every run because that App is not installed on the org. Auth uses the org-level release App: app-id from the GH_ACTION_RELEASE_PLEASE_APP_ID org variable, private key from the GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY org secret. No per-repo secrets-sync, no personal-account dependency. The App token (vs default GITHUB_TOKEN) keeps release PRs triggering pull_request CI gates.

Refs: dryvist/terraform-github#6
Assisted-by: Claude:claude-opus-4-8
---
 .github/workflows/_release-please.yml | 55 +++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/workflows/_release-please.yml

diff --git a/.github/workflows/_release-please.yml b/.github/workflows/_release-please.yml
new file mode 100644
index 0000000..91b67e4
--- /dev/null
+++ b/.github/workflows/_release-please.yml
@@ -0,0 +1,55 @@
+# Reusable: Release Please (org-native).
+#
+# Canonical release-please workflow for the org, hosted once here so every repo
+# runs identical logic. A calling repo adds a thin
+# `.github/workflows/release-please.yml` that `uses:` this file and passes the
+# org-level release App private key.
+#
+# Auth: the org-level release App — app-id from the
+# `GH_ACTION_RELEASE_PLEASE_APP_ID` org variable, private key from the
+# `GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY` org secret. The App must be installed
+# on the org with Contents + Pull requests write. The App token (vs the default
+# GITHUB_TOKEN) lets the release PR trigger `pull_request` CI gates.
+#
+# Required files in each calling repo:
+# release-please-config.json — release configuration
+# .release-please-manifest.json — version manifest, e.g. {".": "1.2.3"}
+#
+# Caller shape:
+# jobs:
+# release-please:
+# permissions:
+# contents: write
+# pull-requests: write
+# uses: dryvist/.github/.github/workflows/_release-please.yml@main
+# secrets:
+# GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY: ${{ secrets.GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY }}
+name: _release-please
+
+on:
+ workflow_call:
+ secrets:
+ GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY:
+ required: true
+
+permissions: {}
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ vars.GH_ACTION_RELEASE_PLEASE_APP_ID }}
+ private-key: ${{ secrets.GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY }}
+
+ - uses: googleapis/release-please-action@v5
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ manifest-file: .release-please-manifest.json
+ config-file: release-please-config.json
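Review bot: Both `uses:` steps in the `release-please` job reference their actions by mutable major tag (`actions/create-github-app-token@v3`, `googleapis/release-please-action@v5`), yet this job reads the org-level App private key and mints a token with Contents and Pull requests write, so a retagged or compromised release of either action would run with that key or token in every calling repo. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # v3` (placeholder; take the SHA from the release you reviewed), and let Dependabot or Renovate propose the bumps. Separately, the job-level `contents: write` / `pull-requests: write` grant applies to the default GITHUB_TOKEN, which no step here appears to use because release-please is handed the App token. If that holds, the job block and the documented caller shape could be reduced together; they have to change in step, since a reusable workflow cannot request more than its caller grants.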