Revert "[BazelBot] Use a Machine User (llvm#794)"

boomanaiden154 · boomanaiden154 · commit c2eca50cf19c · 2026-03-27T10:53:24.000-07:00
This reverts commit 3919ae8. After discussion with the infra area team, it turns out an app would be preferred here despite the issues with the actual commit email.
diff --git a/google-bazel-bot/bazel-bot/bazelbot_server_test.py b/google-bazel-bot/bazel-bot/bazelbot_server_test.py
@@ -25,7 +25,8 @@ def test_parse_targets(self):
             "BUILDKITE_API_TOKEN": "bk_token",
             "GITHUB_APP_ID": "app_id",
             "GITHUB_APP_PRIVATE_KEY": "private_key",
-            "GITHUB_PR_PAT": "pr_pat",
+            "GITHUB_PR_APP_ID": "pr_app_id",
+            "GITHUB_PR_APP_PRIVATE_KEY": "pr_private_key",
         },
     )
     def test_credential_manager(self):
@@ -35,16 +36,14 @@ def test_credential_manager(self):
         self.assertEqual(creds.bk_token, "bk_token")
         self.assertEqual(creds.gh_fork_repo_name, "fork_user/llvm-project")
         self.assertEqual(creds.gh_pr_repo_name, "pr_user/llvm-project")
-        self.assertEqual(creds.gh_pr_pat, "pr_pat")
+        self.assertEqual(creds.gh_pr_app_id, "pr_app_id")
+        self.assertEqual(creds.gh_pr_app_private_key, "pr_private_key")
 
     @mock.patch("utils.git.Repo")
     @mock.patch("utils.github.GithubIntegration")
-    @mock.patch("utils.github.Github")
     @mock.patch("utils.github.Auth")
     @mock.patch("os.path.exists")
-    def test_local_git_repo(
-        self, mock_exists, github_integration_mock, github_mock, auth_mock, mock_repo
-    ):
+    def test_local_git_repo(self, mock_exists, github_mock, auth_mock, mock_repo):
         mock_exists.return_value = False
         creds = mock.MagicMock()
         creds.gh_fork_repo_name = "fork/repo"
diff --git a/google-bazel-bot/bazel-bot/utils.py b/google-bazel-bot/bazel-bot/utils.py
@@ -35,7 +35,8 @@ def __init__(self):
         self.bk_token = os.getenv("BUILDKITE_API_TOKEN")
         self.gh_app_id = os.getenv("GITHUB_APP_ID")
         self.gh_app_private_key = os.getenv("GITHUB_APP_PRIVATE_KEY")
-        self.gh_pr_pat = os.getenv("GITHUB_PR_PAT")
+        self.gh_pr_app_id = os.getenv("GITHUB_PR_APP_ID")
+        self.gh_pr_app_private_key = os.getenv("GITHUB_PR_APP_PRIVATE_KEY")
 
     @property
     def gh_fork_repo_name(self):
@@ -198,9 +199,17 @@ def __init__(self, repo_path: str, creds: CredentialManager, can_create_pr):
                 self.creds.gh_fork_repo_name
             )
         )
-        self.gh_pr_repo = github.Github(
-            auth=github.Auth.Token(self.creds.gh_pr_pat)
-        ).get_repo(self.creds.gh_pr_repo_name)
+        self.pr_github_integration = github.GithubIntegration(
+            auth=github.Auth.AppAuth(creds.gh_pr_app_id, creds.gh_pr_app_private_key)
+        )
+        self.gh_pr_installation = self.pr_github_integration.get_repo_installation(
+            self.creds.gh_pr_user, "llvm-project"
+        )
+        self.gh_pr_repo = (
+            self.gh_pr_installation.get_github_for_installation().get_repo(
+                self.creds.gh_pr_repo_name
+            )
+        )
         self.bazel_utils_path = os.path.join(self.repo_path, "utils", "bazel")
         self.main_branch = "main"
         self.remote_name = "origin"
diff --git a/google-bazel-bot/bazel-fixer-bot.yaml b/google-bazel-bot/bazel-fixer-bot.yaml
@@ -42,11 +42,16 @@ spec:
                 secretKeyRef:
                   name: github-app
                   key: private-key
-            - name: GITHUB_PR_PAT
+            - name: GITHUB_PR_APP_ID
               valueFrom:
                 secretKeyRef:
                   name: github-pr-app
-                  key: pat
+                  key: id
+            - name: GITHUB_PR_APP_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: github-pr-app
+                  key: private-key
             - name: GITHUB_FORK_USER
               value: google-bazel-bot
             - name: GITHUB_PR_USER
diff --git a/google-bazel-bot/main.tf b/google-bazel-bot/main.tf
@@ -148,8 +148,12 @@ data "google_secret_manager_secret_version" "github_app_private_key" {
   secret = "github-app-private-key"
 }
 
-data "google_secret_manager_secret_version" "github_pr_pat" {
-  secret = "github-pr-pat"
+data "google_secret_manager_secret_version" "github_pr_app_id" {
+  secret = "github-pr-app-id"
+}
+
+data "google_secret_manager_secret_version" "github_pr_app_private_key" {
+  secret = "github-pr-app-private-key"
 }
 
 resource "kubernetes_namespace" "bazel_ci" {
@@ -194,7 +198,8 @@ resource "kubernetes_secret" "github_pr_app" {
   }
 
   data = {
-    "pat" = data.google_secret_manager_secret_version.github_pr_pat.secret_data
+    "id"          = data.google_secret_manager_secret_version.github_pr_app_id.secret_data
+    "private-key" = data.google_secret_manager_secret_version.github_pr_app_private_key.secret_data
   }
 
   type       = "Opaque"

Original file line number	Diff line number	Diff line change
`@@ -148,8 +148,12 @@ data "google_secret_manager_secret_version" "github_app_private_key" {`
`148`	`148`	`secret = "github-app-private-key"`
`149`	`149`	`}`
`150`	`150`
`151`		`-data "google_secret_manager_secret_version" "github_pr_pat" {`
`152`		`- secret = "github-pr-pat"`
	`151`	`+data "google_secret_manager_secret_version" "github_pr_app_id" {`
	`152`	`+ secret = "github-pr-app-id"`
	`153`	`+}`
	`154`	`+`
	`155`	`+data "google_secret_manager_secret_version" "github_pr_app_private_key" {`
	`156`	`+ secret = "github-pr-app-private-key"`
`153`	`157`	`}`
`154`	`158`
`155`	`159`	`resource "kubernetes_namespace" "bazel_ci" {`
`@@ -194,7 +198,8 @@ resource "kubernetes_secret" "github_pr_app" {`
`194`	`198`	`}`
`195`	`199`
`196`	`200`	`data = {`
`197`		`- "pat" = data.google_secret_manager_secret_version.github_pr_pat.secret_data`
	`201`	`+ "id" = data.google_secret_manager_secret_version.github_pr_app_id.secret_data`
	`202`	`+ "private-key" = data.google_secret_manager_secret_version.github_pr_app_private_key.secret_data`
`198`	`203`	`}`
`199`	`204`
`200`	`205`	`type = "Opaque"`