chore: switch to github app automation tokens

devpow112 · devpow112 · commit 6b384200c9c4 · 2024-12-13T23:05:21.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
     name: CD
     if: (!startsWith(github.event.head_commit.message, 'chore(release):'))
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 15
     needs:
       - ci
     steps:
@@ -34,8 +34,14 @@ jobs:
         run: npm ci
       - name: Run build
         run: npm run build
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@v1.11.0
+        with:
+          app-id: ${{secrets.GH_APP_ID}}
+          private-key: ${{secrets.GH_APP_PRIVATE_KEY}}
       - name: Release
         run: npx semantic-release
         env:
-          GITHUB_TOKEN: ${{secrets.RELEASE_TOKEN}}
+          GITHUB_TOKEN: ${{steps.app-token.outputs.token}}
           NPM_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/.github/workflows/update-license.yml b/.github/workflows/update-license.yml
@@ -33,25 +33,42 @@ jobs:
       - name: Update LICENSE
         run: |
           sed -i -E "s/$REGEX/\1${{steps.info.outputs.license-year}}\2/" LICENSE
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@v1.11.0
+        with:
+          app-id: ${{secrets.GH_APP_ID}}
+          private-key: ${{secrets.GH_APP_PRIVATE_KEY}}
+      - name: Generate user info
+        id: user-info
+        run: |
+          USER_NAME="$GH_APP_SLUG[bot]"
+          USER_ID=$(gh api "/users/$USER_NAME" --jq .id)
+          USER_EMAIL="$USER_ID+$USER_NAME@users.noreply.github.com"
+          echo "id=$USER_ID" >> $GITHUB_OUTPUT
+          echo "name=$USER_NAME" >> $GITHUB_OUTPUT
+          echo "email=$USER_ID+$USER_NAME@users.noreply.github.com" >> $GITHUB_OUTPUT
+          echo "commit-author=$USER_NAME <$USER_EMAIL>" >> $GITHUB_OUTPUT
+        env:
+          GH_APP_SLUG: ${{steps.app-token.outputs.app-slug}}
+          GH_TOKEN: ${{steps.app-token.outputs.token}}
       - name: Handle changes
         uses: peter-evans/create-pull-request@v7.0.5
         id: changes
         with:
-          token: ${{secrets.AUTOMATION_TOKEN}}
+          token: ${{steps.app-token.outputs.token}}
           commit-message: ${{steps.info.outputs.update-title}}
-          committer: ${{env.GIT_USER}}
+          author: ${{steps.user-info.outputs.commit-author}}
+          committer: ${{steps.user-info.outputs.commit-author}}
           add-paths: LICENSE
-          author: ${{env.GIT_USER}}
           branch: auto/update-license
           delete-branch: true
           title: ${{steps.info.outputs.update-title}}
           body: ${{steps.info.outputs.update-body}}
           labels: auto
-        env:
-          GIT_USER: ${{secrets.AUTOMATION_USER}} <${{secrets.AUTOMATION_EMAIL}}>
       - name: Enable auto-merge
         if: steps.changes.outputs.pull-request-operation == 'created'
         run: gh pr merge --auto --rebase "$PULL_REQUEST_URL"
         env:
           PULL_REQUEST_URL: ${{steps.changes.outputs.pull-request-url}}
-          GITHUB_TOKEN: ${{secrets.AUTOMATION_TOKEN}}
+          GITHUB_TOKEN: ${{steps.app-token.outputs.token}}
diff --git a/.github/workflows/update-node.yml b/.github/workflows/update-node.yml
@@ -31,25 +31,42 @@ jobs:
           echo "update-body=$UPDATE_BODY" >> $GITHUB_OUTPUT
       - name: Update .nvmrc
         run: echo '${{steps.info.outputs.version}}' > .nvmrc
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@v1.11.0
+        with:
+          app-id: ${{secrets.GH_APP_ID}}
+          private-key: ${{secrets.GH_APP_PRIVATE_KEY}}
+      - name: Generate user info
+        id: user-info
+        run: |
+          USER_NAME="$GH_APP_SLUG[bot]"
+          USER_ID=$(gh api "/users/$USER_NAME" --jq .id)
+          USER_EMAIL="$USER_ID+$USER_NAME@users.noreply.github.com"
+          echo "id=$USER_ID" >> $GITHUB_OUTPUT
+          echo "name=$USER_NAME" >> $GITHUB_OUTPUT
+          echo "email=$USER_ID+$USER_NAME@users.noreply.github.com" >> $GITHUB_OUTPUT
+          echo "commit-author=$USER_NAME <$USER_EMAIL>" >> $GITHUB_OUTPUT
+        env:
+          GH_APP_SLUG: ${{steps.app-token.outputs.app-slug}}
+          GH_TOKEN: ${{steps.app-token.outputs.token}}
       - name: Handle changes
         uses: peter-evans/create-pull-request@v7.0.5
         id: changes
         with:
-          token: ${{secrets.AUTOMATION_TOKEN}}
+          token: ${{steps.app-token.outputs.token}}
           commit-message: ${{steps.info.outputs.update-title}}
-          committer: ${{env.GIT_USER}}
+          author: ${{steps.user-info.outputs.commit-author}}
+          committer: ${{steps.user-info.outputs.commit-author}}
           add-paths: .nvmrc
-          author: ${{env.GIT_USER}}
           branch: auto/update-node
           delete-branch: true
           title: ${{steps.info.outputs.update-title}}
           body: ${{steps.info.outputs.update-body}}
           labels: auto,dependencies
-        env:
-          GIT_USER: ${{secrets.AUTOMATION_USER}} <${{secrets.AUTOMATION_EMAIL}}>
       - name: Enable auto-merge
         if: steps.changes.outputs.pull-request-operation == 'created'
         run: gh pr merge --auto --rebase "$PULL_REQUEST_URL"
         env:
           PULL_REQUEST_URL: ${{steps.changes.outputs.pull-request-url}}
-          GITHUB_TOKEN: ${{secrets.AUTOMATION_TOKEN}}
+          GITHUB_TOKEN: ${{steps.app-token.outputs.token}}
