Update release workflows to use GitHub App instead of PATs

rvermeulen · web-flow · commit e71d5b9585c2 · 2023-11-16T13:22:51.000-08:00
diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml
@@ -134,11 +134,23 @@ jobs:
 
           echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT"
 
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.generate-token.outputs.token }}
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app_id: ${{ vars.AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
   update-release:
-    needs: validate-check-runs
+    needs: [validate-check-runs, generate-token]
     if: needs.validate-check-runs.outputs.status == 'completed'
     uses: ./.github/workflows/update-release.yml
     with:
-        head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
+      head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
     secrets:
-      RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+      RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
@@ -23,8 +23,21 @@ env:
   HEAD_SHA: ${{ inputs.head-sha }}
 
 jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.generate-token.outputs.token }}
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app_id: ${{ vars.AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
   update-release:
     name: "Update release"
+    needs: generate-token
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
@@ -43,7 +56,7 @@ jobs:
       - name: Update release assets
         env:
           GITHUB_TOKEN: ${{ github.token }}
-          RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
         run: |
           python scripts/release/update-release-assets.py \
             --head-sha $HEAD_SHA \
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -14,6 +14,17 @@ env:
   HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 
 jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.generate-token.outputs.token }}
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app_id: ${{ vars.AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
   pre-validate-performance:
     outputs:
@@ -36,13 +47,13 @@ jobs:
           echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
   validate-performance:
-    needs: pre-validate-performance
+    needs: [pre-validate-performance, generate-token]
     runs-on: ubuntu-22.04
     steps:
       - name: Invoke performance test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
-          GH_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          GH_TOKEN: ${{ generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \
@@ -61,8 +72,8 @@ jobs:
     steps:
       - name: Fail check run status
         env:
-           CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
-           GITHUB_TOKEN: ${{ github.token }}
+          CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           jq -n \
           --arg status "completed" \
@@ -97,13 +108,13 @@ jobs:
           echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
   validate-compiler-compatibility:
-    needs: pre-validate-compiler-compatibility
+    needs: [pre-validate-compiler-compatibility, generate-token]
     runs-on: ubuntu-22.04
     steps:
       - name: Invoke compiler compatibility test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
-          GITHUB_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          GITHUB_TOKEN: ${{ generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \
@@ -116,14 +127,15 @@ jobs:
           --ref rvermeulen/release-process
 
   on-failure-validate-compiler-compatibility-dispatch:
-    needs: [pre-validate-compiler-compatibility, validate-compiler-compatibility]
+    needs:
+      [pre-validate-compiler-compatibility, validate-compiler-compatibility]
     if: failure()
     runs-on: ubuntu-22.04
     steps:
       - name: Fail check run status
         env:
-           CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
-           GITHUB_TOKEN: ${{ github.token }}
+          CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           jq -n \
           --arg status "completed" \
