From 9130f9dd29bd65550f94b2207c763d1d4f339367 Mon Sep 17 00:00:00 2001 From: Roberto Tyley Date: Fri, 9 Feb 2024 18:10:19 +0000 Subject: [PATCH] Use Github App for pushing commits --- .github/workflows/reusable-release.yml | 27 +++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml index da91b68..75c51bb 100644 --- a/.github/workflows/reusable-release.yml +++ b/.github/workflows/reusable-release.yml @@ -3,6 +3,13 @@ name: Scala Library Release Workflow on: workflow_call: inputs: + GITHUB_APP_ID: + description: + "App ID for a GitHub App that is allowed to push directly to the default branch. Eg, App ID on: + https://github.com/organizations/guardian/settings/apps/gu-scala-library-release" + default: '807361' # Only for use by the Guardian! + required: true + type: string SONATYPE_PROFILE_NAME: description: 'Sonatype account profile name, eg "com.gu", "org.xerial", etc (not your Sonatype username)' default: 'com.gu' # Only for use by the Guardian! @@ -28,6 +35,11 @@ on: Should be in normal plaintext 'BEGIN PGP PUBLIC KEY BLOCK' (ASCII-armored) format, with no additional BASE64-encoding. The passphrase can be removed from an existing key using 'gpg --edit-key passwd' : https://unix.stackexchange.com/a/550538/46453" required: true + GITHUB_APP_PRIVATE_KEY: + description: + "See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys + Should be in normal plaintext '-----BEGIN RSA PRIVATE KEY-----' format" + required: true outputs: RELEASE_VERSION: description: "The un-prefixed version number of the release, eg '3.0.1'" 
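Review bot: `GITHUB_APP_ID` is declared with both `required: true` and `default: '807361'`, which pull in opposite directions: if the caller must supply the value the default is never used, and if guardian callers are meant to omit it the input should not be required (this may mirror how `SONATYPE_PROFILE_NAME` is declared, but its `required` line is outside the hunk). The description would also help a non-Guardian adopter if it stated what the App must be granted, since the checkout step later in this patch relies on the App to push to the default branch and bypass the ruleset: at minimum the Contents read-and-write permission on the repository, plus a place on the ruleset's bypass list. Suggested addition to the description string: `The App needs 'Contents: Read and write' on the repository and must be a bypass actor on the default-branch ruleset.`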
@@ -143,9 +155,16 @@ jobs:
 release_version: ${{ steps.create-commit.outputs.release_version }}
 release_commit_id: ${{ steps.create-commit.outputs.release_commit_id }}
 steps:
+ - id: generate-github-app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ inputs.GITHUB_APP_ID }}
+ private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} }
 - uses: actions/checkout@v4
 with:
 path: repo
+ token: ${{ steps.generate-github-app-token.outputs.token }}
+ persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
 - uses: actions/cache/restore@v4
 with:
 path: repo-with-unsigned-version-update-commits.git
@@ -350,10 +369,14 @@ jobs:
 env:
 RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
 RELEASE_VERSION: ${{ needs.push-release-commit.outputs.release_version }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_REPO: ${{ github.repository }}
 GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}
 steps:
+ - id: generate-github-app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ inputs.GITHUB_APP_ID }}
+ private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} }
 - name: Common values
 run: |
 GITHUB_ACTIONS_PATH="$GITHUB_REPO_URL/actions"
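Review bot: With `persist-credentials: true` on the checkout, the App installation token is written into `repo/.git/config` and stays readable by every later step of this job, including any build tooling that executes project code from that checkout (only the cache-restore step is visible after it; the rest of the job is outside the hunk), which is a wider exposure than the push itself needs. Since the token is required only for the single push, consider leaving `persist-credentials` at its default and supplying the token to that one `git push` command instead, so it never sits on disk for the job's remaining steps. Separately, the `private-key:` line ends in `}} }`: unless that is an artifact of how the patch was captured, the trailing ` }` becomes part of the PEM string handed to the action, and the same text appears on the `private-key:` line of the hunk at `@@ -350,10 +369,14 @@`.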
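Review bot: Dropping the job-level `GITHUB_TOKEN` means any `gh` invocation in this job that is not explicitly given `GH_TOKEN` now runs without credentials; the following hunk wires the App token into only the release and PR-comment steps, and the steps between `Common values` and those two are outside the hunk, so they are worth checking. Minting an installation token here also gives this job every permission the App holds rather than just the contents write that `gh release create` needs, whereas the `GITHUB_TOKEN` it replaces could have been narrowed with a job-level `permissions:` block. A one-line comment above the new step, such as `# App token: carries all of the App's permissions, used only for gh release / PR comment`, would make that trade-off explicit to the next reader.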
@@ -367,11 +390,13 @@ jobs:
 EndOfFile
 - name: Create Github Release
 if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
+ env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
 run: |
 gh release create $RELEASE_TAG --verify-tag --generate-notes --notes "Release run: $GITHUB_WORKFLOW_RUN_LINK"
 echo "GitHub Release notes: [$RELEASE_TAG]($GITHUB_REPO_URL/releases/tag/$RELEASE_TAG)" >> $GITHUB_STEP_SUMMARY
 - name: Update PR with comment
 if: needs.init.outputs.release_type == 'PREVIEW_FEATURE_BRANCH'
+ env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
 run: |
 cat << EndOfFile > comment_body.txt
 @${{github.actor}} has published a preview version of this PR with release workflow run $GITHUB_WORKFLOW_RUN_LINK, based on commit ${{ github.sha }}:
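Review bot: The two new `env: { GH_TOKEN: ... }` lines make the release and the preview comment act as the GitHub App instead of `github-actions[bot]`, so the App's installation must hold the permissions those `gh` calls need — Contents write for `gh release create`, and Pull requests write for the PR comment (the `gh` command that posts it lies past the end of the hunk) — and neither requirement is documented on the `GITHUB_APP_ID` input. A short comment above the first new `env:` line would capture it: `# Runs as the GitHub App: needs Contents write (release) and Pull requests write (PR comment)`. Stylistically, these are the only flow-style mappings in the parts of the file visible here; writing them as block `env:` with `GH_TOKEN:` on the next line would match the surrounding steps.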