fix: support GH_TOKEN to override GITHUB_TOKEN

docs/EXAMPLES.md

@@ -131,7 +131,7 @@ jobs:
 
 The Action/CLI will automatically detect the [environment variables](https://crowdin.github.io/crowdin-cli/configuration#environment-variables) and use them for the configuration.
 
-> **Note**
+> [!NOTE]
 > To avoid any conflicts, do not use the `crowdin.yml` file in the repository when using the above configuration approach.
 
 ### Upload sources only
@@ -195,7 +195,7 @@ Note that the value of the `crowdin_branch_name` is `env.BRANCH_NAME` - this is
 
 The Crowdin CLI supports a `--cache` parameter for the `upload sources` command that stores source file checksums locally. This allows the CLI to only upload files that have changed, significantly reducing upload time for large projects.
 
-> **Note**
+> [!NOTE]
 > The cache feature is experimental. For any feedback, visit [Crowdin CLI Discussions](https://github.com/crowdin/crowdin-cli/discussions).
 
 To persist the cache between workflow runs, use the `actions/cache` action to save and restore the cache file located at `~/.crowdin/cache.json`:
@@ -302,7 +302,7 @@ jobs:
           CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
 ```
 
-> **Note**
+> [!NOTE]
 > If you are using a **String-based** project, you need to use this option to download translations. The default `download_translations` option does not work for this type of projects.
 
 The `download_bundle` option accepts the bundle numeric ID.
@@ -569,6 +569,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Generate GitHub App Token
         id: generate-token
@@ -599,6 +601,9 @@ To set this up:
 
 For more details, see [GitHub issue #270](https://github.com/crowdin/github-action/issues/270).
 
+> [!NOTE]
+> When using a GitHub App token via `GH_TOKEN`, the Checkout step must use `persist-credentials: false`. Otherwise, the default `GITHUB_TOKEN` cached in `.git/config` by `actions/checkout` takes precedence over `GH_TOKEN`, and the action will not use your App token for creating pull requests.
+
 ### Checking the translation progress
 
 ```yaml

entrypoint.sh

@@ -79,9 +79,17 @@ download_translations() {
 }
 
 create_pull_request() {
-  BRANCH="${1}"
+  [ -z "${GITHUB_TOKEN}" ] && [ -z "${GH_TOKEN}" ] && {
+    echo "ERROR: Either 'GITHUB_TOKEN' or 'GH_TOKEN' must be set in the environment variables!"
+    exit 1
+  }
 
-  AUTH_HEADER="Authorization: token ${GITHUB_TOKEN}"
+  AUTH_TOKEN="${GITHUB_TOKEN}"
+  if [ -n "${GH_TOKEN}" ]; then
+    AUTH_TOKEN="${GH_TOKEN}"
+  fi
+
+  AUTH_HEADER="Authorization: token ${AUTH_TOKEN}"
   HEADER="Accept: application/vnd.github.v3+json; application/vnd.github.antiope-preview+json; application/vnd.github.shadow-cat-preview+json"
 
   if [ -n "$INPUT_GITHUB_API_BASE_URL" ]; then
@@ -95,14 +103,16 @@ create_pull_request() {
 
   auth_status=$(curl -sL --write-out '%{http_code}' --output /dev/null -H "${AUTH_HEADER}" -H "${HEADER}" "${PULLS_URL}")
   if [[ $auth_status -eq 403 || "$auth_status" -eq 401 ]] ; then
-    echo "FAILED TO AUTHENTICATE USING 'GITHUB_TOKEN' CHECK TOKEN IS VALID"
+    echo "FAILED TO AUTHENTICATE WITH GITHUB. PLEASE CHECK YOUR GITHUB TOKEN"
     echo "pull_request_url=" >> $GITHUB_OUTPUT
     echo "pull_request_number=" >> $GITHUB_OUTPUT
     exit 1
   fi
 
   echo "CHECK IF PULL REQUEST ALREADY EXIST"
 
+  BRANCH="${1}"
+
   if [ -n "$INPUT_PULL_REQUEST_BASE_BRANCH_NAME" ]; then
     BASE_BRANCH="$INPUT_PULL_REQUEST_BASE_BRANCH_NAME"
   else
@@ -233,9 +243,18 @@ create_pull_request() {
 }
 
 push_to_branch() {
-  BRANCH=${INPUT_LOCALIZATION_BRANCH_NAME}
+  [ -z "${GITHUB_TOKEN}" ] && [ -z "${GH_TOKEN}" ] && {
+      echo "ERROR: Either 'GITHUB_TOKEN' or 'GH_TOKEN' must be set in the environment variables!"
+      exit 1
+  }
 
-  REPO_URL="https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@${INPUT_GITHUB_BASE_URL}/${GITHUB_REPOSITORY}.git"
+  AUTH_TOKEN="${GITHUB_TOKEN}"
+  if [ -n "${GH_TOKEN}" ]; then
+    AUTH_TOKEN="${GH_TOKEN}"
+  fi
+
+  BRANCH=${INPUT_LOCALIZATION_BRANCH_NAME}
+  REPO_URL="https://${GITHUB_ACTOR}:${AUTH_TOKEN}@${INPUT_GITHUB_BASE_URL}/${GITHUB_REPOSITORY}.git"
 
   echo "CONFIGURING GIT USER"
   git config --global user.email "${INPUT_GITHUB_USER_EMAIL}"
@@ -389,11 +408,6 @@ if [ "$INPUT_DOWNLOAD_SOURCES" = true ]; then
   download_sources "$@"
 
   if [ "$INPUT_PUSH_SOURCES" = true ]; then
-    [ -z "${GITHUB_TOKEN}" ] && {
-      echo "CAN NOT FIND 'GITHUB_TOKEN' IN ENVIRONMENT VARIABLES"
-      exit 1
-    }
-
     [ -n "${INPUT_GPG_PRIVATE_KEY}" ] && {
       setup_commit_signing
     }
@@ -406,11 +420,6 @@ if [ "$INPUT_DOWNLOAD_TRANSLATIONS" = true ]; then
   download_translations "$@"
 
   if [ "$INPUT_PUSH_TRANSLATIONS" = true ]; then
-    [ -z "${GITHUB_TOKEN}" ] && {
-      echo "CAN NOT FIND 'GITHUB_TOKEN' IN ENVIRONMENT VARIABLES"
-      exit 1
-    }
-
     [ -n "${INPUT_GPG_PRIVATE_KEY}" ] && {
       setup_commit_signing
     }
@@ -425,11 +434,6 @@ if [ "$INPUT_DOWNLOAD_BUNDLE" ]; then
   crowdin bundle download $INPUT_DOWNLOAD_BUNDLE $DOWNLOAD_BUNDLE_ARGS
 
   if [ "$INPUT_PUSH_TRANSLATIONS" = true ]; then
-      [ -z "${GITHUB_TOKEN}" ] && {
-        echo "CAN NOT FIND 'GITHUB_TOKEN' IN ENVIRONMENT VARIABLES"
-        exit 1
-      }
-
       [ -n "${INPUT_GPG_PRIVATE_KEY}" ] && {
         setup_commit_signing
       }