feat: GH app (#159)

* fix: app token

* feat: app token

* ci: fix get repos

* ci: update token

* ci: change username to oauth2

* ci: remove reporting

* ci: really remove reporting

* try: change GH username

* ci: try another email

* ci: switch to action checkout

* ci: remove work dir

* ci: add repo target for token

* add repo to token

* fix: remove unnecessary set-output

* fix: env to secret

* fix: remove unneeded GH user

* fix: oops

Author: matt-FFFFFF

.github/policies/eventResponder.yml

@@ -7,21 +7,21 @@ disabled: false
 configuration:
   resourceManagementConfiguration:
     eventResponderTasks:
-      - description: PR - close requests from thos without write access
+      - description: PR - close requests from this without write access
         if:
           - payloadType: Pull_Request
           - and:
-            - isOpen
-            - or:
-              - isAction:
-                  action: Opened
-              - isAction:
-                  action: Reopened
-            - or:
-              - activitySenderHasPermission:
-                  permission: read
-              - activitySenderHasPermission:
-                  permission: none
+              - isOpen
+              - or:
+                  - isAction:
+                      action: Opened
+                  - isAction:
+                      action: Reopened
+              - or:
+                  - activitySenderHasPermission:
+                      permission: read
+                  - activitySenderHasPermission:
+                      permission: none
         then:
           - addReply:
               reply: We do not accept pull requests from contributors without write access. Please contact a maintainer to make changes.

.github/workflows/grept-cronjob.yml

@@ -23,6 +23,12 @@ jobs:
     outputs:
       repoarray: ${{ steps.graphql.outputs.repoarray }}
     steps:
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: query GitHub graphql API
         id: graphql # TODO replace with CSV output when ready
         run: |
@@ -44,7 +50,7 @@ jobs:
           echo repoarray="$REPOARRAY"
           echo repoarray="$REPOARRAY" >> "$GITHUB_OUTPUT"
         env:
-          GH_TOKEN: ${{ secrets.USER_PAT }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
   governance:
     name: governance
@@ -53,8 +59,6 @@ jobs:
     env:
       GITHUB_USER: matt-FFFFFF
       GREPT_CONFIG: "git::https://github.com/Azure/Azure-Verified-Modules-Grept.git//terraform"
-    outputs:
-      result: ${{ steps.set-output.outputs.result }}
     strategy:
       max-parallel: 2
       matrix:
@@ -63,36 +67,38 @@ jobs:
           - repo: "terraform-azurerm-avm-template"
       fail-fast: false
     steps:
-      - name: set env result=success
-        run: |
-          echo 'result=success' >> "$GITHUB_ENV"
-
-      - name: checkout remote
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: Azure
+          repositories: ${{ matrix.repo }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         id: checkout
-        run: |
-          git clone "https://${{ env.GITHUB_USER }}:${{ secrets.USER_PAT }}@github.com/Azure/${{ matrix.repo }}.git"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          repository: Azure/${{ matrix.repo }}
+          persist-credentials: true
 
       - name: grept apply and auto remediate
         run: |
           echo "==> Checking code repository with grept against ${{ env.GREPT_CONFIG }}..."
           docker run --pull always --rm -v "$(pwd)":/src -w /src -e OVERRIDE_GITHUB_REPOSITORY="$OVERRIDE_GITHUB_REPOSITORY" -e OVERRIDE_GITHUB_REPOSITORY_OWNER="$OVERRIDE_GITHUB_REPOSITORY_OWNER" mcr.microsoft.com/azterraform:latest /usr/local/go/bin/grept apply --auto "${{ env.GREPT_CONFIG }}"
-        working-directory: ${{ matrix.repo }}
         env:
           OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }}
           OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: avm pre-commit
         run: |
           ./avm pre-commit
-        working-directory: ${{ matrix.repo }}
         continue-on-error: true
         env:
           OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }}
           OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: detect changes
         id: changes
@@ -104,20 +110,18 @@ jobs:
           fi
           echo "Changes detected"
           echo 'detected=true' >> "$GITHUB_OUTPUT"
-        working-directory: ${{ matrix.repo }}
 
       - name: commit changes to branch and push to origin
         if: steps.changes.outputs.detected == 'true'
         run: |
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
+          git config --global user.email "187664033+azure-verified-modules[bot]@users.noreply.github.com"
+          git config --global user.name "azure-verified-modules[bot]"
           BRANCH="grept-apply-$(date +%s)"
           echo "branch=$BRANCH" >> "$GITHUB_ENV"
           git checkout -b "$BRANCH"
           git add .
           git commit -m "fix: grept apply"
           git push --set-upstream origin "$BRANCH"
-        working-directory: ${{ matrix.repo }}
 
       - name: create PR body
         if: steps.changes.outputs.detected == 'true'
@@ -135,14 +139,12 @@ jobs:
 
           Thanks! The AVM team :heart:
           EOF
-        working-directory: ${{ matrix.repo }}
 
       - name: show body
         if: steps.changes.outputs.detected == 'true'
         run: |
           echo "Displaying PR body:"
           cat prbody.md
-        working-directory: ${{ matrix.repo }}
 
       - name: create pull request
         if: steps.changes.outputs.detected == 'true'
@@ -151,49 +153,17 @@ jobs:
           PR_URL=$(gh pr create --title "chore: repository governance" --body-file prbody.md)
           echo pull-request-number=$(gh pr view $PR_URL --json number | jq -r '.number') >> "$GITHUB_OUTPUT"
         env:
-          GH_TOKEN: ${{ secrets.USER_PAT }}
-        working-directory: ${{ matrix.repo }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: close and comment out of date prs
         if: steps.changes.outputs.detected == 'true'
         run: |
           PULL_REQUESTS=$(gh pr list --search "chore: repository governance" --json number,headRefName)
           echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.pull-request-number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}"
         env:
-          GH_TOKEN: ${{ secrets.USER_PAT }}
-        working-directory: ${{ matrix.repo }}
-
-      - name: set env result=failure
-        if: ${{ failure() }}
-        run: |
-          echo 'result=failed' >> "$GITHUB_ENV"
-          if [ ! -z "${{ env.branch }}" ]; then
-            git push origin --delete "${{ env.branch }}"
-          fi
-        working-directory: ${{ matrix.repo }}
-
-
-      - name: set output
-        if: ${{ always() }}
-        id: set-output
-        run: |
-          echo "result=${{ env.result }}" >> "$GITHUB_OUTPUT"
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: sleep for rate limit
         if: ${{ always() }}
         id: sleep
         run: sleep 30
-
-  report:
-    name: report
-    runs-on: ubuntu-latest
-    needs: governance
-    if: ${{ failure() }}
-    steps:
-      - name: raise issue
-        run: |
-          ## BLOCKED on matrix outputs: https://github.com/actions/runner/pull/2477
-          ## gh issue create --repo ${{ github.repository }} --title "Repository governance failure" --body "The following repositories failed governance checks:\n\n```json\n${{ toJSON(join(needs.governance.outputs)) }}\n```\n"
-          gh issue create --repo ${{ github.repository }} --assignee matt-FFFFFF --title "Repository governance failure" --body "The following repositories failed governance checks: <${{ github.server_url}}/${{ github.repository }}/actions/runs/${{ github.run_id}}>"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/repo-labels.yml

@@ -23,6 +23,12 @@ jobs:
     outputs:
       repoarray: ${{ steps.graphql.outputs.repoarray }}
     steps:
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: query GitHub graphql API
         id: graphql # TODO replace with CSV output when ready
         run: |
@@ -44,16 +50,12 @@ jobs:
           echo repoarray="$REPOARRAY"
           echo repoarray="$REPOARRAY" >> "$GITHUB_OUTPUT"
         env:
-          GITHUB_TOKEN: ${{ secrets.USER_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   sync-labels:
     name: sync
     runs-on: ubuntu-latest
     needs: getrepos
-    env:
-      GITHUB_USER: matt-FFFFFF
-    outputs:
-      result: ${{ steps.set-output.outputs.result }}
     strategy:
       max-parallel: 5
       matrix:
@@ -62,12 +64,19 @@ jobs:
           - repo: "terraform-azurerm-avm-template"
       fail-fast: false
     steps:
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: Azure
+          repositories: ${{ matrix.repo }}
+
       - name: run avm github labels script
         shell: pwsh
         run: |
           Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/main/docs/static/scripts/Set-AvmGitHubLabels.ps1" -OutFile "./Set-AvmGitHubLabels.ps1"
           ./Set-AvmGitHubLabels.ps1 -RepositoryName "Azure/${{ matrix.repo }}" -CreateCsvLabelExports $false -RemoveExistingLabels $false -NoUserPrompts $true
           echo ${{ matrix.repo }}
         env:
-          GITHUB_TOKEN: ${{ secrets.USER_PAT }}
-
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}