How to make a cross-repository pull requests (for Winget) using a private key?

[kaplas]

Hi!

I'm trying to get our tool Jalapeno into some package managers. We are releasing it on behalf of our company, and thus it belongs to the company's GitHub orgasation. One consequence of this is that we are trying to get the package manager -related publishing to work using GitHub deploy keys, instead of Personal Access Tokens (to make it sure that the pipeline won't break when the token owners decides to switch jobs).

The first one I configured was a homebrew tap (link to related commit):

brews:
  - name: jalapeno
    repository:
      owner: futurice
      name: homebrew-jalapeno
      git:
        url: "[email protected]:futurice/homebrew-jalapeno.git"
        private_key: "{{ .Env.HOMEBREW_TAP_PRIVATE_KEY }}"

...which worked really nicely. I had to use the git attribute to be able to define the private key to be used, but I got it working.

Next up I decided that it's time to support our Windows users, and thus started configuring Winget support. Here's where I'm strugling. With Homebrew tap, I can just commit directly to the main branch of the listed repo. With microsoft/winget-pkgs repo I should be committing to a named branch in our own futurice/winget-pkgs fork, and then making a cross-repository pull requests to the Microsoft repo. However I can not get this to work with a private/deploy key.

I tried defining the branch attribute:

  repository:
    owner: futurice
    name: winget-pkgs
    branch: "{{.ProjectName}}-{{.Version}}"
    git:
      url: "[email protected]:futurice/winget-pkgs.git"
      private_key: "{{ .Env.WINGET_PKGS_PRIVATE_KEY }}"

...but the commit went to the main branch instead of the named branch. Then I tried defining the branch in the Git URL as well:

    git:
      url: "[email protected]:futurice/winget-pkgs.git#{{.ProjectName}}-{{.Version}}"

...but then cloning the repo didn't work. I even checked goreleaser own YAML file for some inspiration, and saw that they are not using anything extra in their token configs. I thought this sounded weird, as I had read that token's permissions are limited to the repository that contains the workflow, but I even tried that:

  repository:
    owner: futurice
    name: winget-pkgs
    branch: "{{.ProjectName}}-{{.Version}}"

...and it failed as well.

How should I do this? Is this even possible to accomplish using write-enabled deploy keys? For now I would really like to get this working without using user-owned PATs. I found an issue where someone had circumvented this by using tibdex/github-app-token as a helper. But shouldn't this be possible also with deploy keys?

Thank you for your help in advance!

[caarlos0]

hmm, that is a bug I think

should be fixed by #4324

[kaplas]

Thank you for a quick fix! Do you have any estimate when you are going to make a new release? I presume the github action uses the latest release from you?

[caarlos0]

just released

[kaplas]

Thank you!

@caarlos0 I noticed however that the update broke git-blocks where branch name was not explicitly defined. This the case eg. with Homebrew taps, where pushes are made to the default branch.

• This used to work: existing .goreleser.yaml config for Homebrew
• But with v1.21.1 build complains about missing branch information

  ⨯ release failed after 3m20s               error=1 error occurred:
	* homebrew tap formula: git: could not checkout branch : "checkout -b " failed: fatal: '' is not a valid branch name

Adding branch: main fixed the issue, but there are most probably other users of the git-block as well that got broken.

[caarlos0]

ouch, fixing it

[caarlos0]

pushed 26fed97

[kaplas]

@caarlos0 And another question on this very same topic: How do you actually handle the GITHUB_TOKEN in your own repo? I see on mention of it whatsoever in your own .goreleaser.yaml.

[caarlos0]

Depends, on some repos I use a PAT for my account, on orgs I usually create an account with the right permissions and use a PAT from that account.

[kaplas]

Still continuing on the discussion on the question in the topic. It might be that I've even understood something wrongly here, but is it even possible to open a pull request with a deploy key? I started this configuration with the assumption that is possible, but after fixing the branch problem I got the Winget manifest committed to a branch in futurice/winget-pkgs, but no pull request was made to microsoft/winget-pkgs. And I'm just confused if this let's-not-use-a-PAT is even a valid path forward.

[caarlos0]

afaik it isn't possible to use the github api with deploy keys