Use Github App for pushing commits

rtyley · rtyley · commit eb9dee8e7184 · 2024-02-10T03:24:34.000Z
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
@@ -3,6 +3,13 @@ name: Scala Library Release Workflow
 on:
   workflow_call:
     inputs:
+      GITHUB_APP_ID:
+        description:
+          "App ID for a GitHub App that is allowed to push directly to the default branch. Eg, App ID on:
+          https://github.com/organizations/guardian/settings/apps/gu-scala-library-release"
+        default: '807361' # Only for use by the Guardian!
+        required: true
+        type: string
       SONATYPE_PROFILE_NAME:
         description: 'Sonatype account profile name, eg "com.gu", "org.xerial", etc (not your Sonatype username)'
         default: 'com.gu' # Only for use by the Guardian!
@@ -28,6 +35,11 @@ on:
           Should be in normal plaintext 'BEGIN PGP PUBLIC KEY BLOCK' (ASCII-armored) format, with no additional BASE64-encoding.
           The passphrase can be removed from an existing key using 'gpg --edit-key <key-id> passwd' : https://unix.stackexchange.com/a/550538/46453"
         required: true
+      GITHUB_APP_PRIVATE_KEY:
+        description:
+          "See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys
+          Should be in normal plaintext '-----BEGIN RSA PRIVATE KEY-----' format"
+        required: true
     outputs:
       RELEASE_VERSION:
         description: "The un-prefixed version number of the release, eg '3.0.1'"
@@ -143,9 +155,14 @@ jobs:
       release_version: ${{ steps.create-commit.outputs.release_version }}
       release_commit_id: ${{ steps.create-commit.outputs.release_commit_id }}
     steps:
+      - id: generate-github-app-token
+        uses: actions/create-github-app-token@v1
+        with: { app-id: ${{ inputs.GITHUB_APP_ID }} , private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} }
       - uses: actions/checkout@v4
         with:
           path: repo
+          token: ${{ steps.generate-github-app-token.outputs.token }}
+          persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
       - uses: actions/cache/restore@v4
         with:
           path: repo-with-unsigned-version-update-commits.git
@@ -350,10 +367,12 @@ jobs:
     env:
       RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
       RELEASE_VERSION: ${{ needs.push-release-commit.outputs.release_version }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
       GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}
     steps:
+      - id: generate-github-app-token
+        uses: actions/create-github-app-token@v1
+        with: { app-id: ${ { inputs.GITHUB_APP_ID } }, private-key: ${ { secrets.GITHUB_APP_PRIVATE_KEY } } }
       - name: Common values
         run: |
           GITHUB_ACTIONS_PATH="$GITHUB_REPO_URL/actions"
@@ -367,11 +386,13 @@ jobs:
           EndOfFile
       - name: Create Github Release
         if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
+        env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
         run: |
           gh release create $RELEASE_TAG --verify-tag --generate-notes --notes "Release run: $GITHUB_WORKFLOW_RUN_LINK"
           echo "GitHub Release notes: [$RELEASE_TAG]($GITHUB_REPO_URL/releases/tag/$RELEASE_TAG)" >> $GITHUB_STEP_SUMMARY
       - name: Update PR with comment
         if: needs.init.outputs.release_type == 'PREVIEW_FEATURE_BRANCH'
+        env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
         run: |
           cat << EndOfFile > comment_body.txt
           @${{github.actor}} has published a preview version of this PR with release workflow run $GITHUB_WORKFLOW_RUN_LINK, based on commit ${{ github.sha }}:
