feat: update with generated token

.github/workflows/check_current_version.yaml

@@ -22,6 +22,18 @@ on:
         required: false
         type: string
         default: '"warning"'
+      generate_token:
+        description: Generate token from GitHub app
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      TOKEN_APP_ID:
+        description: ID of the GitHub app used to generate a new token
+        required: false
+      TOKEN_APP_PRIVATE_KEY:
+        description: Private Key for the GitHub app used to generate a new token
+        required: false
 permissions:
   contents: read
 jobs:
@@ -48,6 +60,14 @@ jobs:
       ERROR_ON_DEFAULT: '"warning"'
     steps:
       - uses: actions/checkout@v4
+      - name: Generate custom token
+        id: generate-token
+        if:  ${{ inputs.generate_token }}
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Package specific setup
         if:  ${{ inputs.use_local_setup_action }}
         uses: ./.github/actions/setup
@@ -58,6 +78,8 @@ jobs:
           http-user-agent: '${{matrix.config.http-user-agent}}'
           use-public-rspm: true
       - uses: r-lib/actions/setup-r-dependencies@v2
+        env:
+          GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
         with:
           extra-packages: 'any::rcmdcheck'
           needs: check

.github/workflows/check_nn_versions.yaml

@@ -22,6 +22,18 @@ on:
         required: false
         type: string
         default: '"warning"'
+      generate_token:
+        description: Generate token from GitHub app
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      TOKEN_APP_ID:
+        description: ID of the GitHub app used to generate a new token
+        required: false
+      TOKEN_APP_PRIVATE_KEY:
+        description: Private Key for the GitHub app used to generate a new token
+        required: false
 permissions:
   contents: read
 jobs:
@@ -45,6 +57,14 @@ jobs:
       ERROR_ON_DEFAULT: '"warning"'
     steps:
       - uses: actions/checkout@v4
+      - name: Generate custom token
+        id: generate-token
+        if:  ${{ inputs.generate_token }}
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Package specific setup
         if: ${{ inputs.use_local_setup_action }}
         uses: ./.github/actions/setup
@@ -55,6 +75,8 @@ jobs:
           use-public-rspm: false
           cran: 'https://packagemanager.posit.co/cran/${{matrix.config.date}}'
       - uses: r-lib/actions/setup-r-dependencies@v2
+        env:
+          GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
         with:
           extra-packages: 'any::rcmdcheck'
           needs: check

.github/workflows/coverage.yaml

@@ -22,6 +22,18 @@ on:
         required: false
         type: boolean
         default: false
+      generate_token:
+        description: Generate token from GitHub app
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      TOKEN_APP_ID:
+        description: ID of the GitHub app used to generate a new token
+        required: false
+      TOKEN_APP_PRIVATE_KEY:
+        description: Private Key for the GitHub app used to generate a new token
+        required: false
 permissions:
   contents: read
   pull-requests: write
@@ -30,13 +42,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Generate custom token
+        id: generate-token
+        if:  ${{ inputs.generate_token }}
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Package specific setup
         if:  ${{ inputs.use_local_setup_action }}
         uses: ./.github/actions/setup
       - uses: r-lib/actions/setup-r@v2
         with:
           use-public-rspm: true
       - uses: r-lib/actions/setup-r-dependencies@v2
+        env:
+          GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
         with:
           extra-packages: |
             any::covr

.github/workflows/pkgdown.yaml

@@ -20,6 +20,18 @@ on:
         required: false
         type: boolean
         default: false
+      generate_token:
+        description: Generate token from GitHub app
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      TOKEN_APP_ID:
+        description: ID of the GitHub app used to generate a new token
+        required: false
+      TOKEN_APP_PRIVATE_KEY:
+        description: Private Key for the GitHub app used to generate a new token
+        required: false
 permissions:
   contents: write
   pull-requests: write
@@ -30,6 +42,14 @@ jobs:
       group: 'pkgdown-${{ github.event_name != ''pull_request'' || github.run_id }}'
     steps:
       - uses: actions/checkout@v4
+      - name: Generate custom token
+        id: generate-token
+        if:  ${{ inputs.generate_token }}
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
       - name: Package specific setup
         if:  ${{ inputs.use_local_setup_action }}
         uses: ./.github/actions/setup
@@ -38,6 +58,8 @@ jobs:
         with:
           use-public-rspm: true
       - uses: r-lib/actions/setup-r-dependencies@v2
+        env:
+          GITHUB_PAT: ${{ steps.generate-token.outputs.token || secrets.GITHUB_TOKEN }}
         with:
           extra-packages: 'any::pkgdown, local::.'
           needs: website

README.md

@@ -88,3 +88,33 @@ jobs:
 ...
 ```
 You can of course add much more complicated setup steps this way, but now Quarto is available for all following steps in the `R-CMD-check standard` workflow.
+
+## Install from private repositories in your organisation
+
+If you have dependencies on private repositories insider your GitHub organisation
+you need to run the workflows (excluding MegaLinter) with `generate_token: true` input,
+and supply an App Id and App Private key as secrets.
+
+Using e.g. the `R-CMD-check standard` workflow it can be done like this:
+
+```yaml
+...
+jobs:
+  check-current-version:
+    name: Check current version
+    uses: >-
+      NovoNordisk-OpenSource/r.workflows/.github/workflows/check_current_version.yaml@main
+    secrets:
+      TOKEN_APP_ID: ${{ secrets.TOKEN_APP_ID }}
+      TOKEN_APP_PRIVATE_KEY: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+    with:
+      generate_token: true
+...
+```
+
+Where the secrets point to a GitHub App in your organisation that have read access to the relevant
+repositories. Using the `actions/create-github-app-token@v2` action this generates a new token, that
+have the neccasary acess, to be used in the step setting up the R dependencies.
+
+See also [Authenticating with a GitHub App](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow#authenticating-with-a-github-app)
+for more information on this way of authenticating.