diff --git a/.github/workflows/check_current_version.yaml b/.github/workflows/check_current_version.yaml
index 2b15256..fab5ddb 100644
--- a/.github/workflows/check_current_version.yaml
+++ b/.github/workflows/check_current_version.yaml
@@ -22,6 +22,18 @@ on:
 required: false
 type: string
 default: '"warning"'
+ generate_token:
+ description: Generate token from GitHub app
+ required: false
+ type: boolean
+ default: false
+ secrets:
+ TOKEN_APP_ID:
+ description: ID of the GitHub app used to generate a new token
+ required: false
+ TOKEN_APP_PRIVATE_KEY:
+ description: Private Key for the GitHub app used to generate a new token
+ required: false
 permissions:
 contents: read
 jobs:
@@ -48,6 +60,14 @@ jobs:
 ERROR_ON_DEFAULT: '"warning"'
 steps:
 - uses: actions/checkout@v4
+ - name: Generate custom token
+ id: generate-token
+ if: ${{ inputs.generate_token }}
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.TOKEN_APP_ID }}
+ private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Package specific setup
 if: ${{ inputs.use_local_setup_action }}
 uses: ./.github/actions/setup
@@ -58,6 +78,8 @@ jobs:
 http-user-agent: '${{matrix.config.http-user-agent}}'
 use-public-rspm: true
 - uses: r-lib/actions/setup-r-dependencies@v2
+ env:
+ GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
 with:
 extra-packages: 'any::rcmdcheck'
 needs: check
diff --git a/.github/workflows/check_nn_versions.yaml b/.github/workflows/check_nn_versions.yaml
index 7c12b19..3384430 100644
--- a/.github/workflows/check_nn_versions.yaml
+++ b/.github/workflows/check_nn_versions.yaml
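Review bot: The two descriptions in the new `secrets:` block do not say that the secrets become necessary once `generate_token` is true, so with `required: false` a caller can set the input, omit the secrets, and only find out when the token step runs. Suggest `description: ID of the GitHub App used to generate a token (needed when generate_token is true)` and the same qualifier on `TOKEN_APP_PRIVATE_KEY`, plus a word that the App only needs read access to the dependency repositories. The same block is added with identical wording in check_nn_versions.yaml, coverage.yaml and pkgdown.yaml.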
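Review bot: The `Generate custom token` step passes only `owner`, so the token it mints is presumably valid for every repository the App installation can reach under that owner and carries every permission the installation was granted, while the README describes the need as read access to the dependency repositories. The action accepts `permission-<name>` inputs, so adding `permission-contents: read` under `with:` would cap the token at what package installation needs, and a caller-supplied `repositories` list would narrow it further. This step also receives the App private key, so `uses: actions/create-github-app-token@v2` is better pinned to a full commit SHA (`actions/create-github-app-token@<commit-sha> # v2`) than to a movable tag. The same step is added unchanged in check_nn_versions.yaml, coverage.yaml and pkgdown.yaml. The `steps:` list starts before and continues after the hunk.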
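Review bot: The new `GITHUB_PAT` entry on the `setup-r-dependencies` step has no comment saying which credential it ends up holding, and the `||` fallback is easy to misread. Suggest `# App token when generate_token is true, otherwise the job's GITHUB_TOKEN` above the `GITHUB_PAT:` line. Anything that runs inside this step, which presumably includes install-time code of the packages being resolved, can read the variable, so it is worth stating here that the App token is expected to be read-only. The same two lines are added in check_nn_versions.yaml, coverage.yaml and pkgdown.yaml.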
@@ -22,6 +22,18 @@ on:
 required: false
 type: string
 default: '"warning"'
+ generate_token:
+ description: Generate token from GitHub app
+ required: false
+ type: boolean
+ default: false
+ secrets:
+ TOKEN_APP_ID:
+ description: ID of the GitHub app used to generate a new token
+ required: false
+ TOKEN_APP_PRIVATE_KEY:
+ description: Private Key for the GitHub app used to generate a new token
+ required: false
 permissions:
 contents: read
 jobs:
@@ -45,6 +57,14 @@ jobs:
 ERROR_ON_DEFAULT: '"warning"'
 steps:
 - uses: actions/checkout@v4
+ - name: Generate custom token
+ id: generate-token
+ if: ${{ inputs.generate_token }}
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.TOKEN_APP_ID }}
+ private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Package specific setup
 if: ${{ inputs.use_local_setup_action }}
 uses: ./.github/actions/setup
@@ -55,6 +75,8 @@ jobs:
 use-public-rspm: false
 cran: 'https://packagemanager.posit.co/cran/${{matrix.config.date}}'
 - uses: r-lib/actions/setup-r-dependencies@v2
+ env:
+ GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
 with:
 extra-packages: 'any::rcmdcheck'
 needs: check
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 8ce35da..c05c667 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -22,6 +22,18 @@ on:
 required: false
 type: boolean
 default: false
+ generate_token:
+ description: Generate token from GitHub app
+ required: false
+ type: boolean
+ default: false
+ secrets:
+ TOKEN_APP_ID:
+ description: ID of the GitHub app used to generate a new token
+ required: false
+ TOKEN_APP_PRIVATE_KEY:
+ description: Private Key for the GitHub app used to generate a new token
+ required: false
 permissions:
 contents: read
 pull-requests: write
@@ -30,6 +42,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ - name: Generate custom token
+ id: generate-token
+ if: ${{ inputs.generate_token }}
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.TOKEN_APP_ID }}
+ private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Package specific setup
 if: ${{ inputs.use_local_setup_action }}
 uses: ./.github/actions/setup
@@ -37,6 +57,8 @@ jobs:
 with:
 use-public-rspm: true
 - uses: r-lib/actions/setup-r-dependencies@v2
+ env:
+ GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
 with:
 extra-packages: |
 any::covr
diff --git a/.github/workflows/pkgdown.yaml b/.github/workflows/pkgdown.yaml
index 6589cde..1e004d1 100644
--- a/.github/workflows/pkgdown.yaml
+++ b/.github/workflows/pkgdown.yaml
@@ -20,6 +20,18 @@ on:
 required: false
 type: boolean
 default: false
+ generate_token:
+ description: Generate token from GitHub app
+ required: false
+ type: boolean
+ default: false
+ secrets:
+ TOKEN_APP_ID:
+ description: ID of the GitHub app used to generate a new token
+ required: false
+ TOKEN_APP_PRIVATE_KEY:
+ description: Private Key for the GitHub app used to generate a new token
+ required: false
 permissions:
 contents: write
 pull-requests: write
@@ -30,6 +42,14 @@ jobs:
 group: 'pkgdown-${{ github.event_name != ''pull_request'' || github.run_id }}'
 steps:
 - uses: actions/checkout@v4
+ - name: Generate custom token
+ id: generate-token
+ if: ${{ inputs.generate_token }}
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.TOKEN_APP_ID }}
+ private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Package specific setup
 if: ${{ inputs.use_local_setup_action }}
 uses: ./.github/actions/setup
@@ -38,6 +58,8 @@ jobs:
 with:
 use-public-rspm: true
 - uses: r-lib/actions/setup-r-dependencies@v2
+ env:
+ GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
 with:
 extra-packages: 'any::pkgdown, local::.'
 needs: website
diff --git a/README.md b/README.md
index 4ac8a7e..ddc67b1 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,33 @@ jobs:
 ...
 ```
 You can of course add much more complicated setup steps this way, but now Quarto is available for all following steps in the `R-CMD-check standard` workflow.
+
+## Install from private repositories in your organisation
+
+If you have dependencies on private repositories insider your GitHub organisation
+you need to run the workflows (excluding MegaLinter) with `generate_token: true` input,
+and supply an App Id and App Private key as secrets.
+
+Using e.g. the `R-CMD-check standard` workflow it can be done like this:
+
+```yaml
+...
+jobs:
+ check-current-version:
+ name: Check current version
+ uses: >-
+ NovoNordisk-OpenSource/r.workflows/.github/workflows/check_current_version.yaml@main
+ secrets:
+ TOKEN_APP_ID: ${{ secrets.TOKEN_APP_ID }}
+ TOKEN_APP_PRIVATE_KEY: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+ with:
+ generate_token: true
+...
+```
+
+Where the secrets point to a GitHub App in your organisation that have read access to the relevant
+repositories. Using the `actions/create-github-app-token@v2` action this generates a new token, that
+have the neccasary acess, to be used in the step setting up the R dependencies.
+
+See also [Authenticating with a GitHub App](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow#authenticating-with-a-github-app)
+for more information on this way of authenticating.