From 0b29042fc9581a482a5c8e802dc7830df62c370b Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Thu, 23 Jan 2025 09:45:17 +0000
Subject: [PATCH 01/10] chore: remove GitHub PAT token usage
---
 .github/workflows/linear-pr-integration.yaml | 2 +-
 .github/workflows/pr-validate-changesets.yaml | 7 ++-----
 .github/workflows/release.yaml | 13 +++++-------
 3 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/linear-pr-integration.yaml b/.github/workflows/linear-pr-integration.yaml
index fc1e8a8c259..9e6f34f5f47 100644
--- a/.github/workflows/linear-pr-integration.yaml
+++ b/.github/workflows/linear-pr-integration.yaml
@@ -14,4 +14,4 @@ jobs:
 with:
 pull_number: ${{ github.event.pull_request.number }}
 linear_api_key: ${{ secrets.LINEAR_TOKEN }}
- github_token: ${{ secrets.REPO_TOKEN }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-validate-changesets.yaml b/.github/workflows/pr-validate-changesets.yaml
index 286815b44e9..d15c13cd503 100644
--- a/.github/workflows/pr-validate-changesets.yaml
+++ b/.github/workflows/pr-validate-changesets.yaml
@@ -21,9 +21,6 @@ jobs:
 with:
 fetch-depth: 0
 ref: ${{ github.event.client_payload.ref }}
- # workaround to ensure changeset file is pushed with REPO_TOKEN owner's account
- # see https://github.com/changesets/action/issues/70
- persist-credentials: false
 - name: Get PR's changeset file
 run: |
@@ -51,7 +48,7 @@ jobs:
 run: |
 echo "machine github.com" > $HOME/.netrc
 echo "login github-actions[bot]" >> $HOME/.netrc
- echo "password ${{ secrets.REPO_TOKEN }}" >> $HOME/.netrc
+ echo "password ${{ secrets.GITHUB_TOKEN }}" >> $HOME/.netrc
 chmod 600 $HOME/.netrc
 - name: Commit Changeset
@@ -63,7 +60,7 @@ jobs:
 git commit -m "build: update dependency changeset"
 git push origin HEAD:${{ github.event.pull_request.head.ref }}
 env:
- GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 validate-changeset:
 name: Validate PR Changeset
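Review bot: In the `.netrc` hunk (`@@ -51,7 +48,7 @@`) and the commit hunk (`@@ -63,7 +60,7 @@`) the push of the `build: update dependency changeset` commit now authenticates as `GITHUB_TOKEN`, and pushes made with that token do not start new workflow runs, so the PR's checks will not re-run on that commit; this is presumably what the removed `REPO_TOKEN` workaround comment was avoiding, and patch 06/10 (`@@ -63,20 +47,20 @@`) reinstates the same lines. With `persist-credentials: false` dropped in `@@ -21,9 +21,6 @@`, actions/checkout also persists `GITHUB_TOKEN` in the repository's git config, so the `.netrc` written two hunks later appears to duplicate a credential that is already configured. If the `.netrc` step is kept, pass the secret through the step's `env:` instead of interpolating it into the script body: `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `echo "password $GH_TOKEN" >> $HOME/.netrc`.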
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 98c20fa8953..18fde5f5bb9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,9 +24,6 @@ jobs:
 with:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
- # workaround to ensure force pushes to changeset branch use REPO_TOKEN owner's account
- # see https://github.com/changesets/action/issues/70
- persist-credentials: false
 - name: CI Setup
 uses: ./.github/actions/ci-setup
@@ -76,13 +73,13 @@ jobs:
 githubReleaseName: ${{ env.RELEASE_VERSION }}
 githubTagName: ${{ env.RELEASE_VERSION }}
 env:
- GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Prettify changelog
 run: pnpm changeset:update-changelog
 env:
- GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RELEASE_TAG: ${{ env.RELEASE_VERSION }}
 PUBLISHED: ${{ steps.changesets.outputs.published }}
 REF_NAME: ${{ github.ref_name }}
@@ -129,7 +126,7 @@ jobs:
 workflow: update-nightly.yml
 ref: master
 repo: FuelLabs/docs-hub
- token: ${{ secrets.REPO_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
 - name: Create PR to apply latest release to master
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'true'
@@ -145,7 +142,7 @@ jobs:
 gh pr create -B master -H $GITHUB_REF_NAME --title "$PR_TITLE" --body "$PR_BODY"
 env:
- GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
 LATEST_VERSION: ${{ env.LATEST_VERSION }}
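Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` in `@@ -129,7 +126,7 @@` is handed to benc-uk/workflow-dispatch for `repo: FuelLabs/docs-hub`, but `GITHUB_TOKEN` is scoped to the repository that runs the workflow, so a dispatch into another repository cannot authenticate with it. A credential that is valid in docs-hub is needed here; patches 02 and 09 of this series move this step to a GitHub App installation token, which is the right shape, provided the app is installed on docs-hub. The other `GITHUB_TOKEN` swaps in this file are fine as long as the job's `permissions:` block (outside these hunks) grants `contents: write` and `pull-requests: write` for the release and `gh pr create` steps.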
@@ -155,7 +152,7 @@ jobs:
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'false'
 run: git push origin --delete ${{ github.ref_name }}
 env:
- GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # Upload assets to S3
 - uses: unfor19/install-aws-cli-action@v1.0.7
From bbb28f75e2438a35d60eb83d5e2d4ce1a7081f49 Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Thu, 23 Jan 2025 12:27:08 +0000
Subject: [PATCH 02/10] chore: updated release to application token
---
 .github/workflows/release.yaml | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 18fde5f5bb9..035dcdd48b5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,11 +19,20 @@ jobs:
 if: github.event.before != '0000000000000000000000000000000000000000'
 steps:
+ - name: Create GitHub App Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+
 - name: Checkout
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
+ # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
+ persist-credentials: false
 - name: CI Setup
 uses: ./.github/actions/ci-setup
@@ -37,7 +46,7 @@ jobs:
 echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
 git reset --hard
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Ensure NPM access
 run: npm whoami
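Review bot: `persist-credentials: false` added in `@@ -19,11 +19,20 @@` removes the only credential git itself would use, while the app token is only exported as the `GITHUB_TOKEN` environment variable, which git does not read; unless `./.github/actions/ci-setup` or the changesets action configures one, raw pushes later in this file (the `git push origin --delete` step in `@@ -152,7 +161,7 @@`) will run without authentication. If git operations are meant to act as the app, give the token to checkout instead, `token: ${{ steps.app-token.outputs.token }}`, and leave credential persistence on, keeping the `GITHUB_TOKEN` env for the API-based steps. Patch 04/10 drops `persist-credentials: false` again, which would be consistent with that failure. Note also that installation tokens are short-lived (the action documents a one-hour lifetime), so a long publish and S3 upload could outlive the token minted as the first step; whether this job approaches that cannot be judged from the hunks.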
@@ -59,7 +68,7 @@ jobs:
 pnpm add --global semver
 echo "RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false)" >> $GITHUB_ENV
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Create Release Pull Request or Publish to npm
 id: changesets
@@ -73,13 +82,13 @@ jobs:
 githubReleaseName: ${{ env.RELEASE_VERSION }}
 githubTagName: ${{ env.RELEASE_VERSION }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Prettify changelog
 run: pnpm changeset:update-changelog
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 RELEASE_TAG: ${{ env.RELEASE_VERSION }}
 PUBLISHED: ${{ steps.changesets.outputs.published }}
 REF_NAME: ${{ github.ref_name }}
@@ -109,7 +118,7 @@ jobs:
 pnpm changeset publish --tag next
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 # ensure docs are always deployed after merge of changeset PR
 - name: Get the last commit message and set env vars
@@ -126,7 +135,7 @@ jobs:
 workflow: update-nightly.yml
 ref: master
 repo: FuelLabs/docs-hub
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 - name: Create PR to apply latest release to master
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'true'
@@ -142,7 +151,7 @@ jobs:
 gh pr create -B master -H $GITHUB_REF_NAME --title "$PR_TITLE" --body "$PR_BODY"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
 LATEST_VERSION: ${{ env.LATEST_VERSION }}
@@ -152,7 +161,7 @@ jobs:
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'false'
 run: git push origin --delete ${{ github.ref_name }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 # Upload assets to S3
 - uses: unfor19/install-aws-cli-action@v1.0.7
@@ -182,6 +191,6 @@ jobs:
 run: |
 curl -X POST \
 -H "Accept: application/vnd.github.v3+json" \
- -H "Authorization: token ${{ secrets.MIGRATIONS_RELEASE_TRIGGER_TOKEN }}" \
+ -H "Authorization: token ${{ steps.app-token.outputs.token }}" \
 https://api.github.com/repos/FuelLabs/migrations-and-disclosures/dispatches \
 -d '{"event_type":"update_versions"}'
From b212d3884ca6e4eceb1098e9d8ba4d5c4f291d6a Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Thu, 23 Jan 2025 13:35:25 +0000
Subject: [PATCH 03/10] chore: update changeset
---
 .github/workflows/pr-validate-changesets.yaml | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/pr-validate-changesets.yaml b/.github/workflows/pr-validate-changesets.yaml
index d15c13cd503..5c1cddc536c 100644
--- a/.github/workflows/pr-validate-changesets.yaml
+++ b/.github/workflows/pr-validate-changesets.yaml
@@ -17,10 +17,26 @@ jobs: if: github.actor == 'dependabot[bot]' steps: + - name: Create GitHub App Token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + + - name: Configure GitHub user + id: github-user + run: | + echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + echo "user-name=${{ steps.app-token.outputs.app-slug }}[bot]" >> "$GITHUB_OUTPUT" + echo "user-email=${{ steps.github-user.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT" + - uses: actions/checkout@v4 with: fetch-depth: 0 ref: ${{ github.event.client_payload.ref }} + # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config + persist-credentials: false - name: Get PR's changeset file run: | @@ -47,20 +63,20 @@ jobs: if: env.CHANGESET_FILE == '' run: | echo "machine github.com" > $HOME/.netrc - echo "login github-actions[bot]" >> $HOME/.netrc - echo "password ${{ secrets.GITHUB_TOKEN }}" >> $HOME/.netrc + echo "login ${{ steps.github-user.outputs.user-name }}" >> $HOME/.netrc + echo "password ${{ steps.app-token.outputs.token }}" >> $HOME/.netrc chmod 600 $HOME/.netrc - name: Commit Changeset if: env.CHANGESET_FILE == '' run: | - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config user.name "github-actions[bot]" + git config user.email '${{ steps.github-user.outputs.user-email }}' + git config user.name '${{ steps.github-user.outputs.user-name }}' git add . git commit -m "build: update dependency changeset" git push origin HEAD:${{ github.event.pull_request.head.ref }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} validate-changeset: name: Validate PR Changeset From 1edb74c33c8c28f31681f48c2df272863a1f7a93 Mon Sep 17 00:00:00 2001 
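Review bot: The `Configure GitHub user` step in `@@ -17,10 +17,26 @@` reads `steps.github-user.outputs.user-id` from inside the very step whose `id` is `github-user`; `${{ }}` expressions are resolved before the script runs, so that output is still empty and `user-email` is written as `+<app-slug>[bot]@users.noreply.github.com` with no numeric id. The `gh api` call in the same step also has no `GH_TOKEN` (or `GITHUB_TOKEN`) in its `env:`, so `gh` will refuse to authenticate on a hosted runner. Keeping the id in a shell variable and exporting the token and slug through `env:` fixes both and keeps `${{ }}` interpolation out of the script body; patch 06/10 later removes this step, but if it is reinstated the shape below avoids the problems.

```yaml
- name: Configure GitHub user
  id: github-user
  env:
    GH_TOKEN: ${{ steps.app-token.outputs.token }}
    APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
  run: |
    user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"
    echo "user-id=${user_id}" >> "$GITHUB_OUTPUT"
    echo "user-name=${APP_SLUG}[bot]" >> "$GITHUB_OUTPUT"
    echo "user-email=${user_id}+${APP_SLUG}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT"
```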
From: Peter Smith
Date: Mon, 3 Feb 2025 08:15:29 +0000
Subject: [PATCH 04/10] chore: revert app usage
---
 .github/workflows/release.yaml | 16 +++++++--------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 035dcdd48b5..a3510566bf9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,8 +31,6 @@ jobs:
 with:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
- # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
- persist-credentials: false
 - name: CI Setup
 uses: ./.github/actions/ci-setup
@@ -46,7 +44,7 @@ jobs:
 echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
 git reset --hard
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Ensure NPM access
 run: npm whoami
@@ -68,7 +66,7 @@ jobs:
 pnpm add --global semver
 echo "RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false)" >> $GITHUB_ENV
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Create Release Pull Request or Publish to npm
 id: changesets
@@ -82,13 +80,13 @@ jobs:
 githubReleaseName: ${{ env.RELEASE_VERSION }}
 githubTagName: ${{ env.RELEASE_VERSION }}
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Prettify changelog
 run: pnpm changeset:update-changelog
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RELEASE_TAG: ${{ env.RELEASE_VERSION }}
 PUBLISHED: ${{ steps.changesets.outputs.published }}
 REF_NAME: ${{ github.ref_name }}
@@ -118,7 +116,7 @@ jobs:
 pnpm changeset publish --tag next
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # ensure docs are always deployed after merge of changeset PR
 - name: Get the last commit message and set env vars
@@ -151,7 +149,7 @@ jobs:
 gh pr create -B master -H $GITHUB_REF_NAME --title "$PR_TITLE" --body "$PR_BODY"
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
 LATEST_VERSION: ${{ env.LATEST_VERSION }}
@@ -161,7 +159,7 @@ jobs:
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'false'
 run: git push origin --delete ${{ github.ref_name }}
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # Upload assets to S3
 - uses: unfor19/install-aws-cli-action@v1.0.7
From 899b4840851d7807b4f727a49dffe0514a3bd701 Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Mon, 3 Feb 2025 08:15:50 +0000
Subject: [PATCH 05/10] chore: renamed secret to `APP_PRIVATE_KEY`
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a3510566bf9..f76ab337842 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
 id: app-token
 with:
 app-id: ${{ vars.APP_ID }}
- private-key: ${{ secrets.PRIVATE_KEY }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout
 uses: actions/checkout@v4
From bac5014b5b8c1655b75ea5a4cead03c5292464c4 Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Mon, 3 Feb 2025 08:18:17 +0000
Subject: [PATCH 06/10] chore: rollback changeset migration
---
 .github/workflows/pr-validate-changesets.yaml | 26 ++++---------------
 1 file changed, 5 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/pr-validate-changesets.yaml b/.github/workflows/pr-validate-changesets.yaml index 5c1cddc536c..d15c13cd503 100644 --- a/.github/workflows/pr-validate-changesets.yaml +++ b/.github/workflows/pr-validate-changesets.yaml @@ -17,26 +17,10 @@ jobs: if: github.actor == 'dependabot[bot]' steps: - - name: Create GitHub App Token - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ vars.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - - - name: Configure GitHub user - id: github-user - run: | - echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - echo "user-name=${{ steps.app-token.outputs.app-slug }}[bot]" >> "$GITHUB_OUTPUT" - echo "user-email=${{ steps.github-user.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT" - - uses: actions/checkout@v4 with: fetch-depth: 0 ref: ${{ github.event.client_payload.ref }} - # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config - persist-credentials: false - name: Get PR's changeset file run: | 
@@ -63,20 +47,20 @@ jobs:
 if: env.CHANGESET_FILE == ''
 run: |
 echo "machine github.com" > $HOME/.netrc
- echo "login ${{ steps.github-user.outputs.user-name }}" >> $HOME/.netrc
- echo "password ${{ steps.app-token.outputs.token }}" >> $HOME/.netrc
+ echo "login github-actions[bot]" >> $HOME/.netrc
+ echo "password ${{ secrets.GITHUB_TOKEN }}" >> $HOME/.netrc
 chmod 600 $HOME/.netrc
 - name: Commit Changeset
 if: env.CHANGESET_FILE == ''
 run: |
- git config user.email '${{ steps.github-user.outputs.user-email }}'
- git config user.name '${{ steps.github-user.outputs.user-name }}'
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config user.name "github-actions[bot]"
 git add .
 git commit -m "build: update dependency changeset"
 git push origin HEAD:${{ github.event.pull_request.head.ref }}
 env:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 validate-changeset:
 name: Validate PR Changeset
From 96e3da23ca0b2b6143c39432687f2583ff13efc6 Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Wed, 5 Feb 2025 15:54:04 +0000
Subject: [PATCH 07/10] chore: update private key secret
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e1846c10e9e..1b5b0d46744 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -25,7 +25,7 @@ jobs:
 id: app-token
 with:
 app-id: ${{ vars.APP_ID }}
- private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ private-key: ${{ secrets.APP_KEY }}
 - name: Checkout
 uses: actions/checkout@v4
From 5d128dcc2818e65b73b3caf0c441743c50ff93e7 Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Wed, 5 Feb 2025 15:57:12 +0000
Subject: [PATCH 08/10] chore: favour action
---
 .github/workflows/release.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1b5b0d46744..02553261cfa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -185,9 +185,9 @@ jobs:
 aws s3 cp ./packages/account/src/assets/images/ s3://${{ vars.AWS_S3_BUCKET }}/providers/ --recursive
 - name: Notify migrations and disclosures of the new release (breaking changes)
- run: |
- curl -X POST \
- -H "Accept: application/vnd.github.v3+json" \
- -H "Authorization: token ${{ steps.app-token.outputs.token }}" \
- https://api.github.com/repos/FuelLabs/migrations-and-disclosures/dispatches \
- -d '{"event_type":"update_versions"}'
+ uses: benc-uk/workflow-dispatch@v1
+ with:
+ workflow: migrations.yml
+ ref: master
+ repo: FuelLabs/migrations-and-disclosures
+ token: ${{ steps.app-token.outputs.token }}
From ed9c36425ea660133ff660fb95a7630017f147ae Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Fri, 7 Feb 2025 12:38:10 +0000
Subject: [PATCH 09/10] chore: external GitHub token
---
 .github/workflows/release.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 02553261cfa..db76b7c818f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,12 +20,12 @@ jobs:
 if: github.event.before != '0000000000000000000000000000000000000000'
 steps:
- - name: Create GitHub App Token
+ - name: Create the External GitHub App Token
 uses: actions/create-github-app-token@v1
- id: app-token
+ id: external-app-token
 with:
- app-id: ${{ vars.APP_ID }}
- private-key: ${{ secrets.APP_KEY }}
+ app-id: ${{ vars.EXTERNAL_APP_ID }}
+ private-key: ${{ secrets.EXTERNAL_APP_KEY }}
 - name: Checkout
 uses: actions/checkout@v4
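Review bot: `uses: benc-uk/workflow-dispatch@v1` in `@@ -185,9 +185,9 @@` now receives the app installation token while being pinned to a mutable major tag; a third-party action that is handed a write-capable credential should be pinned to a full commit SHA, `uses: benc-uk/workflow-dispatch@<commit-sha> # v1`, so that a moved tag cannot swap in different code, and the same consideration applies to `unfor19/install-aws-cli-action@v1.0.7` seen as context in earlier hunks. The replaced `curl` sent a `repository_dispatch` with `event_type` `update_versions`, whereas the action fires `workflow_dispatch` on `migrations.yml`; the target repository therefore needs that workflow with a `workflow_dispatch` trigger, which cannot be verified from this file. The move off inline `${{ }}` interpolation in a `run:` script is itself an improvement.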
@@ -134,7 +134,7 @@ jobs:
 workflow: update-nightly.yml
 ref: master
 repo: FuelLabs/docs-hub
- token: ${{ steps.app-token.outputs.token }}
+ token: ${{ steps.external-app-token.outputs.token }}
 - name: Create PR to apply latest release to master
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'true'
@@ -190,4 +190,4 @@ jobs:
 workflow: migrations.yml
 ref: master
 repo: FuelLabs/migrations-and-disclosures
- token: ${{ steps.app-token.outputs.token }}
+ token: ${{ steps.external-app-token.outputs.token }}
From 9c6af16026ba63fa2e2e38eb05feced13f059f5f Mon Sep 17 00:00:00 2001
From: Peter Smith
Date: Fri, 7 Feb 2025 12:44:34 +0000
Subject: [PATCH 10/10] chore: use internal app token
---
 .github/workflows/release.yaml | 21 ++++++++++++++------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index db76b7c818f..92d5f92b215 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,6 +20,13 @@ jobs:
 if: github.event.before != '0000000000000000000000000000000000000000'
 steps:
+ - name: Create the Internal GitHub App Token
+ uses: actions/create-github-app-token@v1
+ id: internal-app-token
+ with:
+ app-id: ${{ vars.INTERNAL_APP_ID }}
+ private-key: ${{ secrets.INTERNAL_APP_KEY }}
+
 - name: Create the External GitHub App Token
 uses: actions/create-github-app-token@v1
 id: external-app-token
@@ -45,7 +52,7 @@ jobs:
 echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
 git reset --hard
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 - name: Ensure NPM access
 run: npm whoami
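Review bot: Neither `actions/create-github-app-token` step in `@@ -20,6 +20,13 @@` sets the action's `owner:` or `repositories:` inputs; per the action's README, with both omitted the token is scoped to the current repository only, so the external token as minted here may not be able to dispatch into `FuelLabs/docs-hub` or `FuelLabs/migrations-and-disclosures` (the two consumers visible in `@@ -134,7 +134,7 @@` and `@@ -190,4 +190,4 @@`). Setting `owner: FuelLabs` and `repositories: docs-hub,migrations-and-disclosures` on the external step makes the grant explicit and keeps it to the two repositories the job actually touches; the internal step can stay at the default, which already limits it to this repository. Whether the apps' own permission sets are minimal cannot be seen from the workflow.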
@@ -67,7 +74,7 @@ jobs:
 pnpm add --global semver
 echo "RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false)" >> $GITHUB_ENV
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 - name: Create Release Pull Request or Publish to npm
 id: changesets
@@ -81,13 +88,13 @@ jobs:
 githubReleaseName: ${{ env.RELEASE_VERSION }}
 githubTagName: ${{ env.RELEASE_VERSION }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_TOKEN }}
 - name: Prettify changelog
 run: pnpm changeset:update-changelog
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 RELEASE_TAG: ${{ env.RELEASE_VERSION }}
 PUBLISHED: ${{ steps.changesets.outputs.published }}
 REF_NAME: ${{ github.ref_name }}
@@ -117,7 +124,7 @@ jobs:
 pnpm changeset publish --tag next
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 # ensure docs are always deployed after merge of changeset PR
 - name: Get the last commit message and set env vars
@@ -150,7 +157,7 @@ jobs:
 gh pr create -B master -H $GITHUB_REF_NAME --title "$PR_TITLE" --body "$PR_BODY"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
 LATEST_VERSION: ${{ env.LATEST_VERSION }}
@@ -160,7 +167,7 @@ jobs:
 if: steps.changesets.outputs.published == 'true' && startsWith(github.ref_name, 'release/') && env.RELEASE_VERSION_HIGHER_THAN_LATEST == 'false'
 run: git push origin --delete ${{ github.ref_name }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}
 # Upload assets to S3
 - uses: unfor19/install-aws-cli-action@v1.0.7
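Review bot: `GITHUB_TOKEN: ${{ steps.internal-app-token.outputs.token }}` in `@@ -160,7 +167,7 @@` does not change which credential `git push origin --delete` uses: git does not read the `GITHUB_TOKEN` variable, and since patch 04/10 removed `persist-credentials: false`, actions/checkout persists the default `GITHUB_TOKEN` in the repository's git config, so this raw push still runs as `github-actions[bot]` while the API-driven steps in the same series run as the internal app. If git operations are meant to act as the app, the token has to be given to checkout, `token: ${{ steps.internal-app-token.outputs.token }}` (outside this hunk), and the env assignment here becomes redundant for this step. Whether `./.github/actions/ci-setup` or the changesets action rewrites the git credential in between cannot be seen from the hunks.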