Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: use GitHub application token #3616

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

chore: use GitHub application token #3616

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0b29042
chore: remove GitHub PAT token usage
petertonysmith94 Jan 23, 2025
bbb28f7
chore: updated release to application token
petertonysmith94 Jan 23, 2025
e772e20
Merge branch 'master' of github.com:FuelLabs/fuels-ts into ps/chore/u…
petertonysmith94 Jan 23, 2025
b212d38
chore: update changeset
petertonysmith94 Jan 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 21 additions & 5 deletions .github/workflows/pr-validate-changesets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,26 @@ jobs:
if: github.actor == 'dependabot[bot]'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is happening in this workflow that requires an app token? It looks like it's only manipulating the contents of the current repo, which should be a matter of adjusting the existing token permissions, not using an app.


steps:
- name: Create GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}

- name: Configure GitHub user
id: github-user
run: |
echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
echo "user-name=${{ steps.app-token.outputs.app-slug }}[bot]" >> "$GITHUB_OUTPUT"
echo "user-email=${{ steps.github-user.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT"

- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.client_payload.ref }}
# Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
persist-credentials: false

- name: Get PR's changeset file
run: |
Expand All @@ -47,20 +63,20 @@ jobs:
if: env.CHANGESET_FILE == ''
run: |
echo "machine github.com" > $HOME/.netrc
echo "login github-actions[bot]" >> $HOME/.netrc
echo "password ${{ secrets.GITHUB_TOKEN }}" >> $HOME/.netrc
echo "login ${{ steps.github-user.outputs.user-name }}" >> $HOME/.netrc
echo "password ${{ steps.app-token.outputs.token }}" >> $HOME/.netrc
chmod 600 $HOME/.netrc

- name: Commit Changeset
if: env.CHANGESET_FILE == ''
run: |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
git config user.email '${{ steps.github-user.outputs.user-email }}'
git config user.name '${{ steps.github-user.outputs.user-name }}'
git add .
git commit -m "build: update dependency changeset"
git push origin HEAD:${{ github.event.pull_request.head.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

validate-changeset:
name: Validate PR Changeset
Expand Down
27 changes: 18 additions & 9 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,20 @@ jobs:
if: github.event.before != '0000000000000000000000000000000000000000'

steps:
- name: Create GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}

- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
# Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
persist-credentials: false

- name: CI Setup
uses: ./.github/actions/ci-setup
Expand All @@ -37,7 +46,7 @@ jobs:
echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
git reset --hard
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

- name: Ensure NPM access
run: npm whoami
Expand All @@ -59,7 +68,7 @@ jobs:
pnpm add --global semver
echo "RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false)" >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

- name: Create Release Pull Request or Publish to npm
id: changesets
Expand All @@ -73,13 +82,13 @@ jobs:
githubReleaseName: ${{ env.RELEASE_VERSION }}
githubTagName: ${{ env.RELEASE_VERSION }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Prettify changelog
run: pnpm changeset:update-changelog
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved
RELEASE_TAG: ${{ env.RELEASE_VERSION }}
PUBLISHED: ${{ steps.changesets.outputs.published }}
REF_NAME: ${{ github.ref_name }}
Expand Down Expand Up @@ -109,7 +118,7 @@ jobs:
pnpm changeset publish --tag next
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of these changes don't look like they need an app - only the stuff doing anything to other repos should need special access. The default token should work fine for changes to this repo.

GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

# ensure docs are always deployed after merge of changeset PR
- name: Get the last commit message and set env vars
Expand All @@ -126,7 +135,7 @@ jobs:
workflow: update-nightly.yml
ref: master
repo: FuelLabs/docs-hub
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

- name: Create PR to apply latest release to master
if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'true'
Expand All @@ -142,7 +151,7 @@ jobs:

gh pr create -B master -H $GITHUB_REF_NAME --title "$PR_TITLE" --body "$PR_BODY"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
LATEST_VERSION: ${{ env.LATEST_VERSION }}

Expand All @@ -152,7 +161,7 @@ jobs:
if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'false'
run: git push origin --delete ${{ github.ref_name }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved

# Upload assets to S3
- uses: unfor19/[email protected]
Expand Down Expand Up @@ -182,6 +191,6 @@ jobs:
run: |
curl -X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token ${{ secrets.MIGRATIONS_RELEASE_TRIGGER_TOKEN }}" \
-H "Authorization: token ${{ steps.app-token.outputs.token }}" \
https://api.github.com/repos/FuelLabs/migrations-and-disclosures/dispatches \
petertonysmith94 marked this conversation as resolved.
Show resolved Hide resolved
-d '{"event_type":"update_versions"}'
Loading