PI-2302 Switch to GitHub app for bootstrap workflow (#4164)

.github/actions/create-signed-pull-request/action.yml

@@ -1,36 +1,25 @@
 name: Create a signed pull request
-description: Set up GPG commit verification, then create a pull request
+description: Create a pull request with signed commits, using a GitHub app
 
 inputs:
   add-paths:
-    description: >
-      A comma or newline-separated list of file paths to commit.
-      Paths should follow git's pathspec syntax.
-      Defaults to adding all new and modified files.
+    description: A newline-separated list of file paths to commit. Paths should follow git's pathspec syntax.
   body:
-    description: 'The body of the pull request.'
-    default: 'Automated changes by GitHub Actions workflow'
+    description: The body of the pull request. Defaults to "Automated changes by a GitHub Actions workflow.", with a link to the current run.
   branch:
-    description: 'The pull request branch name.'
-  committer:
-    description: >
-      The committer name and email address in the format `Display Name <[email protected]>`.
-      Defaults to the GitHub Actions bot user.
-    default: 'probation-integration-bot <[email protected]>'
+    description: The pull request target branch name.
   commit-message:
-    description: 'The message to use when committing changes.'
+    description: The message to use when committing changes.
   labels:
-    description: 'A comma or newline separated list of labels.'
+    description: A comma or newline separated list of labels.
   path:
-    description: >
-      Relative path under $GITHUB_WORKSPACE to the repository.
-      Defaults to $GITHUB_WORKSPACE.
-  private-key:
-    description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
-  passphrase:
-    description: 'Passphrase of the GPG private key'
+    description: Relative path under $GITHUB_WORKSPACE to the repository. Defaults to $GITHUB_WORKSPACE.
   token:
-    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
+    description: A GitHub app token
+  owner:
+    description: GitHub repository owner, defaults to current repository
+  repository:
+    description: GitHub repository name, defaults to current repository
 
 outputs:
   pull-request-number:
@@ -39,36 +28,74 @@ outputs:
   pull-request-url:
     description: 'The URL of the pull request.'
     value: ${{ steps.pr.outputs.pull-request-url }}
-  pull-request-operation:
-    description: 'The pull request operation performed by the action, `created`, `updated` or `closed`.'
-    value: ${{ steps.pr.outputs.pull-request-operation }}
   pull-request-head-sha:
     description: 'The commit SHA of the pull request branch.'
     value: ${{ steps.pr.outputs.pull-request-head-sha }}
 
 runs:
   using: composite
   steps:
-    - name: Setup GPG commit verification
-      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+    - name: Get working directory or default
+      run: echo "path=${path:-$GITHUB_WORKSPACE}" | tee -a "$GITHUB_ENV"
+      shell: bash
+      env:
+        path: ${{ inputs.path }}
+
+    - name: Get pull request body or default
+      run: echo "body=${body:-"Automated changes by a [GitHub Actions workflow]($url)."}" | tee -a "$GITHUB_ENV"
+      shell: bash
+      env:
+        body: ${{ inputs.body }}
+        url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+    - name: Get repository info
+      run: |
+        echo "owner=$(gh repo view "$(git remote get-url origin)" --json owner --jq .owner.login)" | tee -a "$GITHUB_ENV"
+        echo "repository=$(gh repo view "$(git remote get-url origin)" --json name --jq .name)" | tee -a "$GITHUB_ENV"
+      shell: bash
+      working-directory: ${{ env.path }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+
+    - name: Git add
+      run: |
+        while IFS= read -r add_path; do 
+          if [ -n "$add_path" ]; then
+            echo Adding "$add_path"
+            git add "$add_path"
+          fi
+        done <<< "$add_paths"
+        git status
+      shell: bash
+      working-directory: ${{ env.path }}
+      env:
+        add_paths: ${{ inputs.add-paths }}
+
+    - name: Commit and push
+      uses: marcus-bcl/github-app-commit-action@main # using fork until PR is merged: https://github.com/dsanders11/github-app-commit-action/pull/23
       with:
-        gpg_private_key: ${{ inputs.private-key }}
-        passphrase: ${{ inputs.passphrase }}
-        git_user_signingkey: true
-        git_commit_gpgsign: true
-        workdir: ${{ inputs.path }}
+        owner: ${{ env.owner }}
+        repository: ${{ env.repository }}
+        working-directory: ${{ env.path }}
+        ref: ${{ inputs.branch }}
+        fail-on-no-changes: false
+        message: ${{ inputs.commit-message }}
+        token: ${{ inputs.token }}
 
     - name: Create pull request
       id: pr
-      uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
-      with:
-        add-paths: ${{ inputs.add-paths }}
-        author: ${{ inputs.committer }}
-        base: main
-        body: ${{ inputs.body }}
+      run: |
+        git fetch origin "$branch"
+        git checkout "$branch"
+        url=$(gh pr create --title "$commit_message" --body "$body" --label "$labels")
+        echo "pull-request-url=$url" | tee -a "$GITHUB_OUTPUT"
+        echo "pull-request-number=$(gh pr view "$url" --json number --jq .number)" | tee -a "$GITHUB_OUTPUT"
+        echo "pull-request-head-sha=$(gh pr view "$url" --json headRefOid --jq .headRefOid)" | tee -a "$GITHUB_OUTPUT"
+      shell: bash
+      working-directory: ${{ env.path }}
+      env:
         branch: ${{ inputs.branch }}
-        committer: ${{ inputs.committer }}
-        commit-message: ${{ inputs.commit-message }}
-        path: ${{ inputs.path }}
-        title: ${{ inputs.commit-message }}
-        token: ${{ inputs.token }}
+        body: ${{ env.body }}
+        commit_message: ${{ inputs.commit-message }}
+        labels: ${{ inputs.labels }}
+        GITHUB_TOKEN: ${{ inputs.token }}

.github/actions/format-code/action.yml

@@ -93,7 +93,7 @@ runs:
 
     - name: Commit and push
       if: inputs.dry == 'false'
-      uses: dsanders11/github-app-commit-action@48d2ff8c1a855eb15d16afa97ae12616456d7cbc # v1.4.0
+      uses: dsanders11/github-app-commit-action@5c7daabae956f8143277417996b26a173439e1b7 # v1.4.1
       with:
         fail-on-no-changes: false
         message: ${{ inputs.commit_message }}

.github/workflows/bootstrap.yml

@@ -34,11 +34,6 @@ on:
         default: true
         required: true
         type: boolean
-      create_ingress:
-        description: Will the service provide a HTTP API?
-        default: false
-        required: true
-        type: boolean
       create_queue:
         description: Will the service consume HMPPS domain event messages?
         default: true
@@ -71,9 +66,17 @@ jobs:
     if: ${{ inputs.project_template != 'No template - I want to create the project from scratch' }}
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          repositories: hmpps-probation-integration-services,hmpps-probation-integration-e2e-tests
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          ref: main
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Render project template
         uses: ./.github/actions/render-project-template
@@ -93,15 +96,14 @@ jobs:
             projects/${{ inputs.project_name }}
           branch: bootstrap/${{ inputs.project_name }}
           commit-message: ${{ inputs.issue_number }} Create initial project for ${{ inputs.project_name }}
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_TOKEN }} # TODO replace these usages with app token signing, once https://github.com/peter-evans/create-pull-request/pull/3057 is released
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/checkout@v4
         with:
+          ref: main
           path: hmpps-probation-integration-e2e-tests
           repository: ministryofjustice/hmpps-probation-integration-e2e-tests
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Update e2e test repo
         run: sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' hmpps-probation-integration-e2e-tests/.github/workflows/test-single-project.yml
@@ -114,9 +116,7 @@ jobs:
           add-paths: .github/workflows
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-project
           commit-message: ${{ inputs.issue_number }} Add option to run tests for ${{ inputs.project_name }}
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create issue for manual steps
         run: |
@@ -254,27 +254,32 @@ jobs:
       - id: project_name
         run: echo "with_underscores_uppercase=$(echo '${{ inputs.project_name }}' | sed 's/-/_/g' | tr '[:lower:]' '[:upper:]')" | tee -a "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v4
+      - uses: actions/create-github-app-token@v1
+        id: app-token
         with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          repositories: cloud-platform-environments
+          app-id: ${{ secrets.BOT_EXTERNAL_REPOS_APP_ID }}
+          private-key: ${{ secrets.BOT_EXTERNAL_REPOS_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-dev
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-preprod
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-prod
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Render Terraform queue template
         run: |
@@ -299,9 +304,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-dev
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-dev
           commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (dev)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create preprod pull request
         id: preprod-pr
@@ -311,9 +314,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-preprod
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-preprod
           commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (preprod)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create prod pull request
         id: prod-pr
@@ -323,9 +324,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-prod
           commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (prod)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create issue for manual steps
         run: |
@@ -351,27 +350,32 @@ jobs:
       - id: project_name
         run: echo "hash=$(echo -n '${{ inputs.project_name }}' | sha1sum | head -c 8)" | tee -a "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v4
+      - uses: actions/create-github-app-token@v1
+        id: app-token
         with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          repositories: cloud-platform-environments
+          app-id: ${{ secrets.BOT_EXTERNAL_REPOS_APP_ID }}
+          private-key: ${{ secrets.BOT_EXTERNAL_REPOS_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-dev
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-preprod
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/checkout@v4
         with:
           path: cloud-platform-environments-prod
           repository: ministryofjustice/cloud-platform-environments
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Add Pingdom check
         run: sed -i '/add new projects here/i \    "${{ inputs.project_name }}",' 'cloud-platform-environments-prod/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod/resources/pingdom.tf'
@@ -390,9 +394,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-dev
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-dev
           commit-message: ${{ inputs.issue_number }} Create certificate for ${{ inputs.project_name }} (dev)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create preprod pull request
         id: preprod-pr
@@ -402,9 +404,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-preprod
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-preprod
           commit-message: ${{ inputs.issue_number }} Create certificate for ${{ inputs.project_name }} (preprod)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create prod pull request
         id: prod-pr
@@ -414,9 +414,7 @@ jobs:
           add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod
           branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-prod
           commit-message: ${{ inputs.issue_number }} Create Pingdom check and certificate for ${{ inputs.project_name }} (prod)
-          private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
-          token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Create issue for manual steps
         run: |

.github/workflows/gradle.yml

@@ -50,7 +50,7 @@ jobs:
           fi
 
       - name: Commit and push
-        uses: marcus-bcl/github-app-commit-action@main # using fork while waiting for merge of https://github.com/dsanders11/github-app-commit-action/pull/20
+        uses: dsanders11/github-app-commit-action@5c7daabae956f8143277417996b26a173439e1b7 # v1.4.1
         with:
           fail-on-no-changes: false
           force: true