From 45c2f33c74280a50b8cd3d84e925c638a47954c3 Mon Sep 17 00:00:00 2001 From: Kyle Harding Date: Tue, 19 Dec 2023 14:48:53 -0500 Subject: [PATCH] BREAKING: switch to official actions/create-github-app-token This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action. See: https://github.com/tibdex/github-app-token/issues/99 See: https://github.com/actions/create-github-app-token/issues/3 Resolves: https://github.com/product-os/flowzone/issues/790 Change-type: major Signed-off-by: Kyle Harding --- .github/actions/always/action.yml | 11 - .github/actions/clean/action.yml | 11 - .github/actions/finalize/action.yml | 11 - .github/actions/test/action.yml | 11 - .github/workflows/flowzone.yml | 660 ++++++++++------------------ README.md | 19 +- flowzone.yml | 194 ++------ 7 files changed, 264 insertions(+), 653 deletions(-) diff --git a/.github/actions/always/action.yml b/.github/actions/always/action.yml index ae33dcb38..78a20e62b 100644 --- a/.github/actions/always/action.yml +++ b/.github/actions/always/action.yml @@ -27,14 +27,3 @@ runs: echo "${INPUTS}" echo "${SECRETS}" echo "${VARIABLES}" - - # https://github.com/marketplace/actions/github-app-token - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: gh_app_installation_token - with: - app_id: ${{ fromJSON(inputs.json).app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ fromJSON(inputs.json).installation_id }} - private_key: ${{ fromJSON(inputs.secrets).GH_APP_PRIVATE_KEY }} - permissions: ${{ fromJSON(inputs.json).token_scope }} 
diff --git a/.github/actions/clean/action.yml b/.github/actions/clean/action.yml index 22b94cb5f..0532e9e9b 100644 --- a/.github/actions/clean/action.yml +++ b/.github/actions/clean/action.yml @@ -27,14 +27,3 @@ runs: echo "${INPUTS}" echo "${SECRETS}" echo "${VARIABLES}" - - # https://github.com/marketplace/actions/github-app-token - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: gh_app_installation_token - with: - app_id: ${{ fromJSON(inputs.json).app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ fromJSON(inputs.json).installation_id }} - private_key: ${{ fromJSON(inputs.secrets).GH_APP_PRIVATE_KEY }} - permissions: ${{ fromJSON(inputs.json).token_scope }} diff --git a/.github/actions/finalize/action.yml b/.github/actions/finalize/action.yml index e77f7818d..1a09cba00 100644 --- a/.github/actions/finalize/action.yml +++ b/.github/actions/finalize/action.yml @@ -27,14 +27,3 @@ runs: echo "${INPUTS}" echo "${SECRETS}" echo "${VARIABLES}" - - # https://github.com/marketplace/actions/github-app-token - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: gh_app_installation_token - with: - app_id: ${{ fromJSON(inputs.json).app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ fromJSON(inputs.json).installation_id }} - private_key: ${{ fromJSON(inputs.secrets).GH_APP_PRIVATE_KEY }} - permissions: ${{ fromJSON(inputs.json).token_scope }} diff --git a/.github/actions/test/action.yml b/.github/actions/test/action.yml index 4e03129f2..71c54f00c 100644 --- a/.github/actions/test/action.yml +++ b/.github/actions/test/action.yml 
@@ -39,14 +39,3 @@ runs: echo "semver=$(npx -q -y -- semver -c -l "${tag}")" >> $GITHUB_OUTPUT echo "describe=$(git describe --tags --always --dirty | cat)" >> $GITHUB_OUTPUT echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - # https://github.com/marketplace/actions/github-app-token - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f # v2.0.0 - id: gh_app_installation_token - with: - app_id: ${{ fromJSON(inputs.json).app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ fromJSON(inputs.json).installation_id }} - private_key: ${{ fromJSON(inputs.secrets).GH_APP_PRIVATE_KEY }} - permissions: ${{ fromJSON(inputs.json).token_scope }} diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml index a23cd7097..8be82a1a5 100644 --- a/.github/workflows/flowzone.yml +++ b/.github/workflows/flowzone.yml @@ -120,25 +120,11 @@ on: description: GitHub App id to impersonate type: string required: false - default: ${{ vars.APP_ID || '291899' }} + default: ${{ vars.FLOWZONE_APP_ID || vars.APP_ID }} installation_id: - description: GitHub App installation id + description: GitHub App installation id (deprecated, installation is derived from repo owner) type: string required: false - default: ${{ vars.INSTALLATION_ID || '34040165' }} - token_scope: - description: Ephemeral token scope(s) - type: string - required: false - default: |- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "packages": "write", - "pages": "write", - "pull_requests": "read" - } jobs_timeout_minutes: description: Timeout for the job(s). type: number 
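Review bot: In the `installation_id` input of the flowzone.yml hunk on this line, the description now calls the value deprecated, but the input is still accepted and nothing on the new side reads it, so a caller that keeps passing an explicit installation id gets no signal that it is ignored and the token is minted for whatever installation `github.repository_owner` resolves to instead. Saying so outright avoids the surprise: `description: GitHub App installation id (deprecated and ignored; the installation is derived from the repo owner)`. The new `app_id` default `${{ vars.FLOWZONE_APP_ID || vars.APP_ID }}` also drops the literal fallback, so when neither variable is set the input is empty and every `if: inputs.app_id != ''` token step is skipped; presumably the jobs then run on `GITHUB_TOKEN`, which is a quiet change of credential and worth one sentence in the `app_id` description. The inputs block continues outside the hunk.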
@@ -506,22 +492,14 @@ jobs: GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "pull_requests": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout refs/pull/${{ github.event.number }}/merge uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -727,20 +705,14 @@ jobs: node_versions: ${{ steps.node_versions.outputs.json }} npm_access: ${{ steps.access.outputs.access }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
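Review bot: `uses: actions/create-github-app-token@v1.6.2` references a mutable tag, whereas the step it replaces and the `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11` step right below pin a full commit SHA; the same applies to every other `Create GitHub App installation token` step in this file (hunks `@@ -727,20` through `@@ -4115,20`). Pin it the way the rest of the workflow does, `uses: actions/create-github-app-token@<commit-sha-of-v1.6.2> # v1.6.2`, so a moved tag cannot change the code that receives `GH_APP_PRIVATE_KEY`. Replacing `continue-on-error: true` with `if: inputs.app_id != ''` also changes failure behaviour: an app id paired with a missing or wrong private key now fails the job instead of falling through to the next step, which looks intended but is not stated anywhere. The removed `permissions: |-` block scoped the old token to `contents: read, metadata: read` in most jobs (and to `administration: write` and friends in this one); the new step has no equivalent, so the token carries every permission of the installation, which the commit message acknowledges only for the auto-merge case — a comment on the step, `# token carries the full installation permission set; narrow it once the action supports a permissions input`, keeps that visible to the next maintainer.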
@@ -862,20 +834,14 @@ jobs: docker_bake_json: ${{ steps.docker_bake.outputs.json }} docker_test_matrix: ${{ steps.docker_test.outputs.build }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -990,20 +956,14 @@ jobs: python_versions: ${{ steps.python_versions.outputs.json }} pypi_publish: ${{ steps.python_poetry.outputs.pypi_publish }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -1087,20 +1047,14 @@ jobs: cargo_targets: ${{ steps.cargo_targets.outputs.build }} cargo: ${{ steps.cargo_yml.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1141,20 +1095,14 @@ jobs: balena_slugs: ${{ steps.balena_slugs.outputs.build }} balena_yml: ${{ steps.balena_yml.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -1200,20 +1148,14 @@ jobs: custom_publish_matrix: ${{ steps.custom_publish_matrix.outputs.build }} custom_finalize_matrix: ${{ steps.custom_finalize_matrix.outputs.build }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1286,20 +1228,14 @@ jobs: outputs: has_readme: ${{ steps.has_readme.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -1333,20 +1269,14 @@ jobs: stacks: ${{ steps.cloudformation_stacks.outputs.matrix }} includes: ${{ steps.cloudformation_stacks.outputs.includes }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1449,20 +1379,14 @@ jobs: sha_tag: ${{ steps.meta.outputs.sha_tag }} version_tag: ${{ steps.meta.outputs.version_tag }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -1633,20 +1557,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Sort node versions id: node_versions env: @@ -1688,22 +1606,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "pages": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Sort node versions id: node_versions env: 
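Review bot: The second hunk on this line (`@@ -1688,22 +1606,14 @@`) removes `repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'` together with the permissions block, so the token is no longer confined to the pull request's base repository and can act on every repository the installation covers; the same restriction is dropped in both hunks `@@ -2956,21` and `@@ -2996,21`, where the old scope was `contents: write`. If the version of actions/create-github-app-token in use accepts a `repositories` input (later releases take a comma-separated list of repository names — verify for the pinned version), restoring `repositories: ${{ github.event.pull_request.base.repo.name }}` keeps the blast radius of a leaked token to one repository. The enclosing job continues outside the hunk.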
@@ -1749,20 +1659,14 @@ jobs: env: DOCKER_BUILDKIT: "1" steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2271,20 +2175,14 @@ jobs: image: ${{ fromJSON(needs.is_docker.outputs.docker_images) }} target: ${{ fromJSON(needs.is_docker.outputs.bake_targets) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -2499,20 +2397,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2587,20 +2479,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -2672,20 +2558,14 @@ jobs: matrix: python-version: ${{ fromJSON(needs.is_python.outputs.python_versions) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2758,20 +2638,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -2832,20 +2706,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2887,20 +2755,14 @@ jobs: (github.event.action != 'closed' || github.event.pull_request.merged == true) && needs.is_website.result == 'success' steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -2956,21 +2818,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Delete draft GitHub release run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true env: @@ -2996,21 +2851,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Delete draft GitHub release run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true env: 
@@ -3056,20 +2904,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3140,20 +2982,14 @@ jobs: sha_tag: ${{ steps.meta.outputs.sha_tag }} version_tag: ${{ steps.meta.outputs.version_tag }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -3218,20 +3054,14 @@ jobs: matrix: target: ${{ fromJSON(needs.is_cargo.outputs.cargo_targets) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3280,20 +3110,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -3336,16 +3160,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3401,16 +3223,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -3460,16 +3280,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3515,16 +3333,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 + if: inputs.app_id != '' id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
@@ -3569,16 +3385,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3622,20 +3436,14 @@ jobs:
 ATTEMPTS: 5
 TIMEOUT: 3
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "contents": "read",
- "metadata": "read"
- }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
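Review bot: The second hunk here (`@@ -3622`) drops the explicit `permissions: {"contents": "read", "metadata": "read"}` block and the replacement passes neither `permissions` nor `repositories`, so the token this job receives is no longer narrowed per job: it carries whatever permission set the installation has, for every repository under `${{ github.repository_owner }}`. The same widening applies to the two hunks on L20, the two on L21 (which also lose the `repositories:` restriction to the base repo), the custom-action jobs on L17–L19 that previously took `inputs.token_scope`, and the flowzone.yml hunks on L24–L27; any step in those jobs that leaks or misuses `steps.gh_app_token.outputs.token` now has a much larger blast radius than the read-only, single-repo token it had before. Until the new action supports custom permissions (the issue #3 linked in the commit message), at least restore the repository scoping where the old code had it — the action accepts a `repositories` input alongside `owner`; if that input is available at the pinned version, `repositories: ${{ github.event.repository.name }}` does it. The broadening should also be stated next to the `owner:` line, e.g. `# NOTE: the token carries the installation's full permission set; per-job narrowing is not applied`, since the remaining `# repo:admin:write ... required` comments in flowzone.yml now describe what the installation must have rather than what the step requests.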
@@ -4009,20 +3817,14 @@ jobs:
 KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }}
 LOCK_TIMEOUT: 300s
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "contents": "read",
- "metadata": "read"
- }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -4115,20 +3917,14 @@ jobs:
 KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }}
 LOCK_TIMEOUT: 300s
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "contents": "read",
- "metadata": "read"
- }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -4204,22 +4000,14 @@ jobs:
 env:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Get branch protection rules
 id: branch_protection
 shell: bash --noprofile --norc -eo pipefail -x {0}
@@ -4424,22 +4212,14 @@ jobs:
 github.event.pull_request.merged == true &&
 inputs.repo_config == true
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
- continue-on-error: true
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Configure repository
 env:
 GH_DEBUG: "true"
@@ -4585,8 +4365,8 @@ jobs:
 id: gh_app_token
 with:
 app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
+ installation_retrieval_mode: organization
+ installation_retrieval_payload: ${{ github.repository_owner }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 permissions: |-
 {
diff --git a/README.md b/README.md
index 654c1d8b1..73523a86f 100644
--- a/README.md
+++ b/README.md
@@ -204,25 +204,12 @@ jobs:
 # GitHub App id to impersonate
 # Type: string
 # Required: false
- app_id: ${{ vars.APP_ID || '291899' }}
+ app_id: ${{ vars.FLOWZONE_APP_ID || vars.APP_ID }}
- # GitHub App installation id
+ # GitHub App installation id (deprecated, installation is derived from repo owner)
 # Type: string
 # Required: false
- installation_id: ${{ vars.INSTALLATION_ID || '34040165' }}
-
- # Ephemeral token scope(s)
- # Type: string
- # Required: false
- token_scope: >
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "packages": "write",
- "pages": "write",
- "pull_requests": "read"
- }
+ installation_id:
 # Timeout for the job(s).
 # Type: number
diff --git a/flowzone.yml b/flowzone.yml
index b0e89c652..5f8aad476 100644
--- a/flowzone.yml
+++ b/flowzone.yml
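Review bot: `installation_retrieval_mode: organization` with `installation_retrieval_payload: ${{ github.repository_owner }}` only resolves an installation when the owner is an organization; if this reusable workflow is called from a repository owned by a user account the lookup fails, and because the step keeps `continue-on-error: true` (visible in the equivalent hunk at the end of L27) it yields no token without failing the job. tibdex/github-app-token also accepts `installation_retrieval_mode: repository` with `installation_retrieval_payload: ${{ github.repository }}`, which resolves the installation for both user and organization owners and is the narrower lookup; the enclosing step starts above this hunk. The same two lines are introduced in the last hunk of L27 (flowzone.yml), which is cut off at the end of the page.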
@@ -11,22 +11,16 @@
 - &ifPublicRepository
 if: github.event.repository.private != true
- - &getGitHubAppToken # https://github.com/marketplace/actions/github-app-token
- name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
- continue-on-error: true
+ - &getGitHubAppToken # https://github.com/actions/create-github-app-token
+ name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
+ if: inputs.app_id != ''
 id: gh_app_token
- with: &getGitHubAppTokenWith
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- # permissions: ${{ inputs.token_scope }}
- permissions: >-
- {
- "contents": "read",
- "metadata": "read"
- }
+ with:
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ # Create a token for all repositories in the current owner's installation
+ owner: ${{ github.repository_owner }}
 # optionally attempt to get AWS login short-lived session credentials over OIDC
 - &configureAWSCredentials # https://github.com/aws-actions/configure-aws-credentials
@@ -812,32 +806,11 @@ on:
 description: "GitHub App id to impersonate"
 type: string
 required: false
- # https://github.com/organizations/product-os/settings/apps/flowzone-app
- # https://github.com/organizations/product-os/settings/variables/actions/APP_ID
- default: "${{ vars.APP_ID || '291899' }}"
- # not needed if installed on this current org/repo
+ default: "${{ vars.FLOWZONE_APP_ID || vars.APP_ID }}"
 installation_id:
- description: "GitHub App installation id"
- type: string
- required: false
- # https://github.com/organizations/product-os/settings/installations
- # https://github.com/organizations/product-os/settings/variables/actions/INSTALLATION_ID
- default: "${{ vars.INSTALLATION_ID || '34040165' }}"
- token_scope:
- description: "Ephemeral token scope(s)"
+ description: "GitHub App installation id (deprecated, installation is derived from repo owner)"
 type: string
 required: false
- # https://github.com/organizations/product-os/settings/installations/34040165
- # https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-scoped-access-token
- default: >-
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "packages": "write",
- "pages": "write",
- "pull_requests": "read"
- }
 jobs_timeout_minutes:
 description: "Timeout for the job(s)."
 type: number
@@ -1161,17 +1134,8 @@ jobs:
 <<: *gitHubCliEnvironment
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is currently required to bypass branch protection rules
- permissions: >-
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "pull_requests": "read"
- }
+ # currently requires repo:admin:write to bypass branch protection
+ - *getGitHubAppToken
 # Checkout the merge ref for open PRs
 - <<: *checkoutMergeRef
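Review bot: With the hard-coded `'291899'` fallback removed from `default: "${{ vars.FLOWZONE_APP_ID || vars.APP_ID }}"`, a caller that defines neither variable now gets an empty `app_id`, and since the `&getGitHubAppToken` step is guarded by `if: inputs.app_id != ''` (L23) every App-token step is skipped rather than failing; the `description:` line above does not say so. Suggest `description: "GitHub App id to impersonate (leave empty to skip GitHub App token creation)"`, and a matching sentence in the README hunk on L22. What the later steps use in place of the skipped token is outside this hunk, so word it to match that behaviour.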
@@ -2194,18 +2158,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # need permissions to publish to github pages
- permissions: >-
- {
- "pages": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ - *getGitHubAppToken
 - *sortNodeVersions
 # https://github.com/dawidd6/action-download-artifact
@@ -2850,19 +2803,11 @@ jobs:
 if: |
 github.event.action == 'closed' &&
 github.event.pull_request.merged == false
+ <<: *rootWorkingDirectory
- steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ steps:
+ - *getGitHubAppToken
 - *deleteDraftGitHubRelease
 github_publish:
@@ -2882,17 +2827,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ - *getGitHubAppToken
 - *deleteDraftGitHubRelease
 - name: Download all artifacts
@@ -2935,16 +2870,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *getReleaseNotes
@@ -3154,12 +3080,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
 - *createLocalRefs
@@ -3201,13 +3122,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
 - *createLocalRefs
@@ -3242,13 +3157,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3281,13 +3190,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3318,13 +3221,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3752,18 +3649,8 @@ jobs:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is required to set branch protection
- permissions: >-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ # repo:admin:write permission is required to set branch protection
+ - *getGitHubAppToken
 - *getBranchProtectionRules
 - *isDraftPullRequest
@@ -3901,17 +3788,8 @@ jobs:
 github.event.pull_request.merged == true &&
 inputs.repo_config == true
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is required modify repo config
- permissions: >-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ # repo:admin:write permission is required to set repository settings
+ - *getGitHubAppToken
 - name: Configure repository
 env:
@@ -4031,10 +3909,20 @@ jobs:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.pull_request.base.ref }}/protection
 steps:
- - <<: *getGitHubAppToken
+ # https://github.com/marketplace/actions/github-app-token
+ # FIXME: switch to actions/create-github-app-token as soon as custom permissions are supported
+ # https://github.com/actions/create-github-app-token/issues/3
+ - name: Generate GitHub App installation token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ continue-on-error: true
+ id: gh_app_token
 with:
- <<: *getGitHubAppTokenWith
- # avoid providing any permissions here that are able to bypass branch protections!
+ app_id: ${{ inputs.app_id }}
+ installation_retrieval_mode: organization
+ installation_retrieval_payload: ${{ github.repository_owner }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ # DO NOT include any permissions here that would bypass branch protections!
+ # e.g. admin:write would merge PRs before required checks have passed
 permissions: >-
 {
 "administration": "read",