.common-repo.yaml

@@ -3,5 +3,11 @@
     - "src/**"
     - "src/.*"
     - "src/.*/**"
+- template:
+    - "src/.github/workflows/release.yaml"
+- template-vars:
+    GH_APP_ID_VAR: CHRISTMAS_ISLAND_APP_ID
+    GH_APP_KEY_SECRET: CHRISTMAS_ISLAND_PRIVATE_KEY
+    GH_APP_OWNER: christmas-island
 - rename:
     - "^src/(.*)$": "$1"

.github/workflows/ci.yaml

@@ -16,7 +16,7 @@ jobs:
         run: |
           # Verify distributed files in src/ match the repo's own copies
           status=0
-          for file in .releaserc.yaml commitlint.config.js; do
+          for file in .releaserc.yaml commitlint.config.cjs; do
             if ! diff -q "$file" "src/$file" > /dev/null 2>&1; then
               echo "❌ $file differs from src/$file"
               diff --color "$file" "src/$file" || true
@@ -25,7 +25,7 @@ jobs:
               echo "✅ $file matches src/$file"
             fi
           done
-          for file in .github/workflows/commitlint.yml .github/workflows/release.yaml; do
+          for file in .github/workflows/commitlint.yml; do
             if ! diff -q "$file" "src/$file" > /dev/null 2>&1; then
               echo "❌ $file differs from src/$file"
               diff --color "$file" "src/$file" || true
@@ -34,6 +34,8 @@ jobs:
               echo "✅ $file matches src/$file"
             fi
           done
+          # release.yaml intentionally differs: src/ uses template vars, top-level uses hardcoded defaults
+          echo "⏭️  .github/workflows/release.yaml skipped (template vars in src/)"
           if [ $status -ne 0 ]; then
             echo ""
             echo "Top-level files and src/ are out of sync."

.github/workflows/commitlint.yml

@@ -17,4 +17,4 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548c61b7286b4ffe7cb3d # v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6

README.md

@@ -15,7 +15,7 @@ Files distributed from `src/`:
 
 ## Usage
 
-> **Requires common-repo ≥ 0.28.0** for source-declared filtering.
+> **Requires common-repo ≥ 0.28.4** for source-declared filtering and template variable overrides.
 
 ### Add to an existing `.common-repo.yaml`
 
@@ -56,19 +56,36 @@ cr-semantic-release/
     └── commitlint.config.js
 ```
 
-The top-level files and `src/` files are identical — the repo eats its own dog food. CI enforces they stay in sync.
+The top-level files and `src/` files are identical — the repo eats its own dog food. CI enforces they stay in sync (except `release.yaml`, which uses template variables in `src/` and hardcoded defaults at the top level).
 
 ## Prerequisites
 
-The release workflow expects the following GitHub org-level vars and secrets:
+By default, the release workflow uses these GitHub org-level vars and secrets:
 
-| Name | Type | Purpose |
-|---|---|---|
-| `CHRISTMAS_ISLAND_APP_ID` | Variable | GitHub App ID for generating tokens |
-| `CHRISTMAS_ISLAND_PRIVATE_KEY` | Secret | GitHub App private key |
+| Name | Type | Default | Purpose |
+|---|---|---|---|
+| `CHRISTMAS_ISLAND_APP_ID` | Variable | — | GitHub App ID for generating tokens |
+| `CHRISTMAS_ISLAND_PRIVATE_KEY` | Secret | — | GitHub App private key |
 
 These are used by `actions/create-github-app-token` to generate a token with write permissions for creating releases and pushing tags/changelogs.
 
+### Using a different GitHub App
+
+Override the template variables in your consumer config to use your own app credentials:
+
+```yaml
+- repo:
+    url: https://github.com/christmas-island/cr-semantic-release
+    ref: v2.0.0
+    with:
+      - template-vars:
+          GH_APP_ID_VAR: MY_APP_ID          # GitHub vars name
+          GH_APP_KEY_SECRET: MY_APP_KEY      # GitHub secrets name
+          GH_APP_OWNER: my-org               # App installation owner
+```
+
+This renders the workflow with `${{ vars.MY_APP_ID }}`, `${{ secrets.MY_APP_KEY }}`, and `owner: my-org`.
+
 ## Customization
 
 ### Release workflow

src/.github/workflows/commitlint.yml

@@ -17,4 +17,4 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548c61b7286b4ffe7cb3d # v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6

src/.github/workflows/release.yaml

@@ -32,9 +32,9 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@v1
         with:
-          app-id: ${{ vars.CHRISTMAS_ISLAND_APP_ID }}
-          private-key: ${{ secrets.CHRISTMAS_ISLAND_PRIVATE_KEY }}
-          owner: christmas-island
+          app-id: ${{ vars.${GH_APP_ID_VAR:-CHRISTMAS_ISLAND_APP_ID} }}
+          private-key: ${{ secrets.${GH_APP_KEY_SECRET:-CHRISTMAS_ISLAND_PRIVATE_KEY} }}
+          owner: ${GH_APP_OWNER:-christmas-island}
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0