citusdata
diff --git a/‎.github/workflows/build-citus-community-nightlies.yml‎
Lines changed: 8 additions & 21 deletions b/‎.github/workflows/build-citus-community-nightlies.yml‎
Lines changed: 8 additions & 21 deletions
diff --git a/‎.github/workflows/citus-package-all-platforms-test.yml‎
Lines changed: 19 additions & 3 deletions b/‎.github/workflows/citus-package-all-platforms-test.yml‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎.github/workflows/package-tests.yml‎
Lines changed: 16 additions & 0 deletions b/‎.github/workflows/package-tests.yml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/workflows/packaging-methods-tests.yml‎
Lines changed: 17 additions & 3 deletions b/‎.github/workflows/packaging-methods-tests.yml‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎.github/workflows/statistic-schedule.yml‎
Lines changed: 16 additions & 2 deletions b/‎.github/workflows/statistic-schedule.yml‎
Lines changed: 16 additions & 2 deletions
diff --git a/‎.github/workflows/statistic-tests.yml‎
Lines changed: 26 additions & 1 deletion b/‎.github/workflows/statistic-tests.yml‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎.github/workflows/tool-tests.yml‎
Lines changed: 27 additions & 1 deletion b/‎.github/workflows/tool-tests.yml‎
Lines changed: 27 additions & 1 deletion
@@ -19,7 +19,6 @@ jobs:
     name: Build package
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
       contents: read
     strategy:
       fail-fast: false
@@ -43,27 +42,10 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
-      - name: Debug - Test token access to repos
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          echo "Testing token access to repositories..."
-          for repo in citus packaging tools; do
-            echo "Testing access to citusdata/$repo..."
-            if gh api repos/citusdata/$repo --jq '.full_name' 2>/dev/null; then
-              echo "✓ Access to citusdata/$repo OK"
-            else
-              echo "✗ No access to citusdata/$repo"
-            fi
-          done
-          echo "Token scopes:"
-          curl -sS -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/rate_limit | head -20
-
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
-          fetch-depth: 1
-          path: tools
+          token: ${{steps.app.outputs.token}}
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -73,7 +55,11 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone build branch
-        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+        run: |
+          git clone -b "${MAIN_BRANCH}" --depth=1 \
+          https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -83,7 +69,8 @@ jobs:
 
       - name: Build packages
         env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: |
           python -m  tools.packaging_automation.citus_package \
           --gh_token "${GH_TOKEN}" \
 
@@ -1,8 +1,6 @@
 name: Citus package all platforms tests
 
 env:
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
-  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
   PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }}
   MICROSOFT_EMAIL: gindibay@microsoft.com
   USER_NAME: Gurkan Indibay
@@ -19,6 +17,8 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -36,17 +36,33 @@ jobs:
       PLATFORM: ${{ matrix.platform }}
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          token: ${{steps.app.outputs.token}}
+
+          
 
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
 
-      - name: Define git credentails
+      - name: Define git credentials
         run: git config --global user.email "${MICROSOFT_EMAIL}"&& git config --global user.name "${USER_NAME}"
 
       - name: Install python requirements
         run: python -m pip install -r packaging_automation/requirements.txt
 
       - name: Citus package tests
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_citus_package.py -s
@@ -44,6 +44,8 @@ jobs:
           echo "::set-output name=pg_versions::${POSTGRES_VERSIONS}"
   test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: metadata
     strategy:
       fail-fast: false
@@ -60,8 +62,19 @@ jobs:
       PLATFORM: ${{ matrix.platform }}
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          token: ${{steps.app.outputs.token}}
 
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -70,6 +83,9 @@ jobs:
         run: python -m pip install -r packaging_automation/requirements.txt
 
       - name: Citus package tests
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: |
           export PROJECT_VERSION="${{ github.event.inputs.project_version }}"
           echo "Citus Version: ${PROJECT_VERSION} "
 
@@ -1,8 +1,5 @@
 name: Packaging helper methods tests
 
-env:
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
-
 on:
   push:
     branches:
@@ -13,10 +10,23 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
+        with: 
+          token: ${{steps.app.outputs.token}}
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -25,4 +35,8 @@ jobs:
         run: python -m pip install -r packaging_automation/requirements.txt
 
       - name: Citus package tests
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_citus_package_utils.py
@@ -5,7 +5,6 @@ env:
   DB_PASSWORD: ${{ secrets.STATS_DB_PASSWORD }}
   DB_HOST_AND_PORT: ${{ secrets.STATS_DB_HOST_AND_PORT }}
   DB_NAME: ${{ secrets.STATS_DB_NAME }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
 on:
   schedule:
     - cron: "0 16 * * *"
@@ -19,14 +18,26 @@ on:
 jobs:
   execute_job:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         job_name: [docker_pull_citus, github_clone_citus, homebrew_citus]
 
     steps:
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          token: ${{steps.app.outputs.token}}
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -35,6 +46,9 @@ jobs:
         run: python -m pip install -r packaging_automation/requirements.txt
 
       - name: Execute 'Fetch Daily Statistics'
-        run: packaging_automation/bash/daily-statistics-job.sh
         env:
           JOB_NAME: "${{ matrix.JOB_NAME }}"
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
+        run: packaging_automation/bash/daily-statistics-job.sh
+          
@@ -5,7 +5,6 @@ env:
   DB_PASSWORD: ${{ secrets.STATS_DB_PASSWORD }}
   DB_HOST_AND_PORT: ${{ secrets.STATS_DB_HOST_AND_PORT }}
   DB_NAME: ${{ secrets.STATS_DB_NAME }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }}
   PACKAGE_CLOUD_ADMIN_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_ADMIN_API_TOKEN }}
 on:
@@ -19,10 +18,24 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          token: ${{ steps.app.outputs.token }}
+
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -31,13 +44,25 @@ jobs:
         run: python -m pip install -r packaging_automation/requirements.txt
 
       - name: Unit tests for "Docker statistics"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_docker_statistics_collector.py
 
       - name: Unit tests for "Github clone statistics"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_github_statistics_collector.py
 
       - name: Unit tests for "Packagecloud download statistics"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_package_cloud_statistics_collector.py
 
       - name: Unit tests for "Homebrew download statistics"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_homebrew_statistics_collector.py
@@ -1,7 +1,6 @@
 name: Tool Tests
 
 env:
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   MICROSOFT_EMAIL: gindibay@microsoft.com
   USER_NAME: Gurkan Indibay
   MAIN_BRANCH: all-citus
@@ -25,12 +24,24 @@ jobs:
 
   unit_test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          token: ${{ steps.app.outputs.token }}
 
       - name: Set up Python 3.10
         uses: actions/setup-python@v5
@@ -53,20 +64,35 @@ jobs:
         run: black . --check
 
       - name: Unit tests for "Common tools"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_common_tool_methods.py
 
       - name: Unit tests for "Update Package Properties"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_update_package_properties.py
 
       # no longer viable, outdated test, skipping to not block the pipeline
       # - name: Unit tests for "Prepare Release"
       #   run: python -m pytest -q packaging_automation/tests/test_prepare_release.py
 
       - name: Unit tests for "Update Docker"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_update_docker.py
 
       - name: Unit tests for "Update Pgxn"
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_update_pgxn.py
 
       - name: Packaging Warning Handler
+        env:
+          GH_TOKEN: ${{steps.app.outputs.token}}
+          GITHUB_TOKEN: ${{steps.app.outputs.token}}
         run: python -m pytest -q packaging_automation/tests/test_packaging_warning_handler.py