feat: update workflows to use GitHub App token and improve permissions

BarkinKctp · BarkinKctp · commit f17e33f558cc · 2026-03-14T18:53:44.000+03:00
diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml
@@ -18,6 +18,10 @@ jobs:
   build_package:
     name: Build package
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     strategy:
       fail-fast: false
       matrix:
@@ -39,16 +43,14 @@ jobs:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
-          repositories: |
-            tools
-            packaging
 
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
           token: ${{ steps.app.outputs.token }}
           fetch-depth: 1
           path: tools
+          submodules: true
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -60,8 +62,7 @@ jobs:
       - name: Clone build branch
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://gh-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging
+        run: git clone -b "${MAIN_BRANCH}" --depth=1 https://${GH_TOKEN}@github.com/citusdata/packaging.git packaging
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -72,7 +73,6 @@ jobs:
       - name: Build packages
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m  tools.packaging_automation.citus_package \
           --gh_token "${GH_TOKEN}" \
diff --git a/.github/workflows/citus-package-all-platforms-test.yml b/.github/workflows/citus-package-all-platforms-test.yml
@@ -17,6 +17,10 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     strategy:
       fail-fast: false
       matrix:
@@ -40,10 +44,6 @@ jobs:
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_KEY }}
-          owner: citusdata
-          repositories: |
-            tools
-            packaging
 
       - name: Checkout repository
         uses: actions/checkout@v3
@@ -62,5 +62,4 @@ jobs:
       - name: Citus package tests
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_citus_package.py -s
diff --git a/.github/workflows/package-tests.yml b/.github/workflows/package-tests.yml
@@ -14,6 +14,10 @@ on:
 jobs:
   metadata:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     outputs:
       pg_versions: ${{ steps.generate-postgres.outputs.pg_versions }}
       citus_version: ${{ steps.get-citus-version.outputs.citus_version }}
@@ -31,6 +35,8 @@ jobs:
         with:
           token: ${{ steps.app.outputs.token }}
           fetch-depth: 2
+          submodules: true
+          
       - name: Package version
         id: get-citus-version
         run: |
@@ -91,7 +97,6 @@ jobs:
       - name: Citus package tests
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           export PROJECT_VERSION="${{ github.event.inputs.project_version }}"
           echo "Citus Version: ${PROJECT_VERSION} "
diff --git a/.github/workflows/packaging-methods-tests.yml b/.github/workflows/packaging-methods-tests.yml
@@ -10,7 +10,10 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     steps:
       - name: Create GitHub App token
         id: app
@@ -19,14 +22,12 @@ jobs:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: citusdata
-          repositories: |
-            tools
-            packaging
 
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
           token: ${{ steps.app.outputs.token }}
+          submodules: true
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -37,5 +38,4 @@ jobs:
       - name: Citus package tests
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_citus_package_utils.py
diff --git a/.github/workflows/publish-docker-image-tests.yml b/.github/workflows/publish-docker-image-tests.yml
@@ -10,7 +10,10 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     steps:
 
       - name: Create GitHub App token
@@ -25,6 +28,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           token: ${{steps.app.outputs.token}}
+          submodules: true
 
 
       - name: Install package dependencies
@@ -36,5 +40,4 @@ jobs:
       - name: Build and publish docker images tests
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_publish_docker.py
diff --git a/.github/workflows/pypi-statistics-schedule.yml b/.github/workflows/pypi-statistics-schedule.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-
+        
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
 
diff --git a/.github/workflows/statistic-schedule.yml b/.github/workflows/statistic-schedule.yml
@@ -18,6 +18,10 @@ on:
 jobs:
   execute_job:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     strategy:
       fail-fast: false
       matrix:
@@ -36,6 +40,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           token: ${{ steps.app.outputs.token }}
+          submodules: true
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -46,6 +51,5 @@ jobs:
       - name: Execute 'Fetch Daily Statistics'
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
           JOB_NAME: "${{ matrix.JOB_NAME }}"
         run: packaging_automation/bash/daily-statistics-job.sh
diff --git a/.github/workflows/statistic-tests.yml b/.github/workflows/statistic-tests.yml
@@ -18,7 +18,10 @@ on:
 jobs:
   unit_test_execution:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     steps:
       - name: Create GitHub App token
         id: app
@@ -32,6 +35,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           token: ${{ steps.app.outputs.token }}
+          submodules: true
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -42,23 +46,19 @@ jobs:
       - name: Unit tests for "Docker statistics"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_docker_statistics_collector.py
 
       - name: Unit tests for "Github clone statistics"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_github_statistics_collector.py
 
       - name: Unit tests for "Packagecloud download statistics"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_package_cloud_statistics_collector.py
 
       - name: Unit tests for "Homebrew download statistics"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_homebrew_statistics_collector.py
diff --git a/.github/workflows/tool-tests.yml b/.github/workflows/tool-tests.yml
@@ -24,7 +24,10 @@ jobs:
 
   unit_test_execution:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: read
     steps:
       - name: Create GitHub App token
         id: app
@@ -33,15 +36,13 @@ jobs:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: citusdata
-          repositories: |
-            tools
-            packaging
 
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
           token: ${{ steps.app.outputs.token }}
           fetch-depth: 0
+          submodules: true
 
       - name: Set up Python 3.10
         uses: actions/setup-python@v5
@@ -66,13 +67,11 @@ jobs:
       - name: Unit tests for "Common tools"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_common_tool_methods.py
 
       - name: Unit tests for "Update Package Properties"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_update_package_properties.py
 
       # no longer viable, outdated test, skipping to not block the pipeline
@@ -82,17 +81,14 @@ jobs:
       - name: Unit tests for "Update Docker"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_update_docker.py
 
       - name: Unit tests for "Update Pgxn"
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_update_pgxn.py
 
       - name: Packaging Warning Handler
         env:
           GH_TOKEN: ${{ steps.app.outputs.token }}
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
         run: python -m pytest -q packaging_automation/tests/test_packaging_warning_handler.py
diff --git a/packaging_automation/common_tool_methods.py b/packaging_automation/common_tool_methods.py
@@ -680,7 +680,8 @@ def remove_suffix(initial_str: str, suffix: str) -> str:
 def initialize_env(exec_path: str, project_name: str, checkout_dir: str):
     remove_cloned_code(f"{exec_path}/{checkout_dir}")
     if not os.path.exists(checkout_dir):
-        run(f"git clone https://github.com/citusdata/{project_name}.git {checkout_dir}")
+        GH_TOKEN = os.environ.get("GH_TOKEN", "")
+        run(f"git clone https://{GH_TOKEN}@github.com/citusdata/{project_name}.git {checkout_dir}")
 
 
 def create_pr(
diff --git a/packaging_automation/tests/test_citus_package.py b/packaging_automation/tests/test_citus_package.py
@@ -86,9 +86,11 @@ def setup_module():
         "pgxn-citus" if PLATFORM == "pgxn" else PACKAGING_BRANCH_NAME
     )
     if not os.path.exists(PACKAGING_EXEC_FOLDER):
+        GH_TOKEN = os.environ.get("GH_TOKEN", "")
+        if not GH_TOKEN:
+            raise ValueError("GH_TOKEN environment variable is not set.")
         run(
-            f"git clone --branch {packaging_branch_name} https://github.com/citusdata/packaging.git"
-            f" {PACKAGING_EXEC_FOLDER}"
+            f"git clone --branch {packaging_branch_name} https://{GH_TOKEN}@github.com/citusdata/packaging.git {PACKAGING_EXEC_FOLDER}"
         )
 
 
diff --git a/packaging_automation/tests/test_citus_package_utils.py b/packaging_automation/tests/test_citus_package_utils.py
@@ -45,8 +45,11 @@
 
 def setup_module():
     if not os.path.exists("packaging_test"):
+        GH_TOKEN = os.environ.get("GH_TOKEN", "")
+        if not GH_TOKEN:
+            raise ValueError("GH_TOKEN environment variable is not set.")
         run(
-            f"git clone --branch all-citus-unit-tests https://github.com/citusdata/packaging.git {PACKAGING_SOURCE_FOLDER}"
+            f"git clone --branch all-citus-unit-tests https://{GH_TOKEN}@github.com/citusdata/packaging.git {PACKAGING_SOURCE_FOLDER}"
         )
 
 
diff --git a/packaging_automation/tests/test_prepare_release.py b/packaging_automation/tests/test_prepare_release.py
@@ -40,7 +40,8 @@ def initialize_env() -> str:
     test_base_path_major = f"{BASE_PATH}/{uuid.uuid4()}"
     remove_cloned_code(test_base_path_major)
     if not os.path.exists(test_base_path_major):
-        run(f"git clone https://github.com/citusdata/citus.git {test_base_path_major}")
+        GH_TOKEN = os.getenv("GH_TOKEN", "")
+        run(f"git clone https://{GH_TOKEN}@github.com/citusdata/citus.git {test_base_path_major}")
     return test_base_path_major
 
 
diff --git a/packaging_automation/tests/test_publish_docker.py b/packaging_automation/tests/test_publish_docker.py
@@ -29,7 +29,8 @@
 
 def initialize_env():
     if not os.path.exists("docker"):
-        run("git clone https://github.com/citusdata/docker.git")
+        GH_TOKEN = os.getenv("GH_TOKEN", "")
+        run(f"git clone https://{GH_TOKEN}@github.com/citusdata/docker.git")
 
 
 def test_decode_triggering_event_info():
diff --git a/packaging_automation/tests/test_update_docker.py b/packaging_automation/tests/test_update_docker.py
@@ -34,7 +34,10 @@
 
 def setup_module():
     if not os.path.exists("docker"):
-        run("git clone https://github.com/citusdata/docker.git")
+        GH_TOKEN = os.getenv("GH_TOKEN", "")
+        if not GH_TOKEN:
+            raise ValueError("GH_TOKEN environment variable is not set.")
+        run(f"git clone https://{GH_TOKEN}@github.com/citusdata/docker.git")
 
 
 def teardown_module():
diff --git a/packaging_automation/tests/test_update_pgxn.py b/packaging_automation/tests/test_update_pgxn.py
@@ -18,8 +18,11 @@
 
 def setup_module():
     if not os.path.exists("packaging_test"):
+        GH_TOKEN = os.environ.get("GH_TOKEN", "")
+        if not GH_TOKEN:
+            raise ValueError("GH_TOKEN environment variable is not set.")
         run(
-            "git clone --branch pgxn-citus https://github.com/citusdata/packaging.git packaging_test"
+            f"git clone --branch pgxn-citus https://{GH_TOKEN}@github.com/citusdata/packaging.git packaging_test"
         )
 
 
