Switch to github app for PR creation (#488)

grst · flying-sheep · web-flow · commit 2d14d19a6951 · 2026-04-02T14:51:12.000+02:00
* Switch to github app for PR creation

* Fix token scope

* Fix git identity

* authenticate github cli

* Use app tokens in other github actions

* fix issue comment token

* update git author

* use bot for git because why not

---------

Co-authored-by: Philipp A. &lt;flying-sheep@web.de&gt;
diff --git a/.github/workflows/deploy-instance-pr-actions.yml b/.github/workflows/deploy-instance-pr-actions.yml
@@ -9,9 +9,19 @@ jobs:
 
     env:
       INSTANCE_REPO_GITHUB: scverse/cookiecutter-scverse-instance
-      GH_TOKEN: ${{ secrets.BOT_GH_TOKEN }} # for gh cli
 
     steps:
+      - name: Generate tokens
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.PR_CREATOR_APP_ID }}
+          private-key: ${{ secrets.PR_CREATOR_PRIVATE_KEY }}
+          repositories: cookiecutter-scverse-instance
+
+      - name: Authenticate gh CLI with app token
+        run: echo "${{ steps.app-token.outputs.token }}" | gh auth login --with-token
+
       - name: Define sister PR branch name
         run: |
           echo "SISTER_PR_BRANCH=pr-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
diff --git a/.github/workflows/deploy-instance-repo.yml b/.github/workflows/deploy-instance-repo.yml
@@ -16,30 +16,42 @@ jobs:
       # directory in which cookiecuter generates the new repository
       INSTANCE_GENERATED: "TEMPLATE_INSTANCE_GENERATED"
       PROJECT_NAME: "cookiecutter-scverse-instance"
-      GH_TOKEN: ${{ secrets.BOT_GH_TOKEN }} # for gh cli
+      APP_USERNAME: "scverse-pr-creator[bot]"
+      APP_EMAIL: "272303624+scverse-pr-creator[bot]@users.noreply.github.com"
 
     steps:
-      - name: Checkout template repository
-        uses: actions/checkout@v6
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          cache-dependency-glob: .github/workflows/deploy-instance-repo.yml
 
       - name: Set git identity
         run: |
-          git config --global user.name "scverse-bot"
-          git config --global user.email "108668866+scverse-bot@users.noreply.github.com"
+          git config --global user.name "${{ env.APP_USERNAME }}"
+          git config --global user.email "${{ env.APP_EMAIL }}"
+
+      - name: Checkout template repository
+        uses: actions/checkout@v6
+
+      - name: Generate tokens
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.PR_CREATOR_APP_ID }}
+          private-key: ${{ secrets.PR_CREATOR_PRIVATE_KEY }}
+          repositories: cookiecutter-scverse-instance
+
+      - name: Authenticate gh CLI with app token
+        run: echo "${{ steps.app-token.outputs.token }}" | gh auth login --with-token
 
       - name: Checkout instance repository
         uses: actions/checkout@v6
         with:
           repository: ${{ env.INSTANCE_REPO_GITHUB }}
-          token: ${{ secrets.BOT_GH_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: ${{ env.INSTANCE_REPO }}
           persist-credentials: true
 
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
-        with:
-          cache-dependency-glob: .github/workflows/deploy-instance-repo.yml
-
       - name: define sister PR branch name for pull request
         if: github.event_name == 'pull_request'
         run: |
@@ -79,7 +91,9 @@ jobs:
         if: ${{ env.GIT_HAS_CHANGES == 'TRUE' }}
         uses: EndBug/add-and-commit@v9
         with:
-          default_author: github_actions
+          author_name: ${{ env.APP_USERNAME }}
+          author_email: ${{ env.APP_EMAIL }}
+          default_author: user_info
           commit: "--no-verify" # no need to run pre-commit at this point - saves runtime!
           cwd: ${{ env.INSTANCE_REPO }}
           message: Update instance repo from cookiecutter template
@@ -90,7 +104,7 @@ jobs:
         if: ${{ env.GIT_HAS_CHANGES == 'TRUE' }}
         uses: ad-m/github-push-action@v0.8.0
         with:
-          github_token: ${{ secrets.BOT_GH_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           branch: ${{ env.SISTER_PR_BRANCH }}
           repository: scverse/cookiecutter-scverse-instance
           force: false
@@ -144,6 +158,8 @@ jobs:
             [checks]: https://github.com/scverse/cookiecutter-scverse-instance/pull/${{ env.SISTER_PR_ID }}/checks
             [docs-badge]: https://app.readthedocs.org/projects/cookiecutter-scverse-instance/badge/?version=${{ env.SISTER_PR_ID }}
             [docs]: https://cookiecutter-scverse-instance--${{ env.SISTER_PR_ID }}.org.readthedocs.build/
+          # use default token, which allows to comment in the cookiecutter-scverse repo.
+          # The token generated by the app is scoped to the cookiecutter-scverse-instance repo instead.
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           allow-repeats: false
 
diff --git a/.github/workflows/propagate-pre-commit.yml b/.github/workflows/propagate-pre-commit.yml
@@ -10,9 +10,16 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'pre-commit-ci[bot]' }}
     steps:
+      - name: Generate tokens
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.PR_CREATOR_APP_ID }}
+          private-key: ${{ secrets.PR_CREATOR_PRIVATE_KEY }}
+
       - uses: actions/checkout@v6
         with:
-          token: ${{ secrets.BOT_GH_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
       - run: pipx install pre-commit
       - run: cd '{{cookiecutter.project_name}}' && pre-commit autoupdate
       - uses: stefanzweifel/git-auto-commit-action@v7
