SDPLAT-26630: use GH_APP in main.yml (#3731)

Skyscanner · Jan 31, 2025 · 2fdf327 · 2fdf327
1 parent f0802a7
commit 2fdf327
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 3 deletions.
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -2,6 +2,9 @@ name: Build
 
 on:
   workflow_call:
+    secrets:
+      GH_APP_PRIVATE_KEY:
+        required: true
 
 defaults:
   run:
@@ -96,11 +99,17 @@ jobs:
           brotli -d ${{env.BUILD_LOGS}}.tar.br
           tar -xf ${{env.BUILD_LOGS}}.tar
 
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Danger
         run: npm run danger
         if: github.ref != 'refs/heads/main' && github.repository == github.event.pull_request.head.repo.full_name
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   PercyTests:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
@@ -9,7 +9,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - uses: docker://agilepathway/pull-request-label-checker:latest
         with:
           one_of: major,minor,patch,skip-changelog
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -159,7 +159,13 @@ jobs:
       contents: write
       pull-requests: read
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Draft release notes
         uses: release-drafter/release-drafter@v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -129,10 +129,17 @@ jobs:
         external_repository: backpack/storybook-prs
         publish_branch: main
 
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.GH_APP_ID }}
+        private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
     - name: Link to the pull request build
       uses: actions/github-script@v7
       if: github.ref != 'refs/heads/main' && github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]'
       with:
+        github-token: ${{ steps.app-token.outputs.token }}
         script: |
           github.rest.issues.createComment({
             issue_number: context.issue.number,

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -76,6 +76,7 @@ jobs:
       pull-requests: write
     needs: [Create-NPM-Cache, Create-Build-Cache]
     uses: ./.github/workflows/_build.yml
+    secrets: inherit
 
   ReleaseWeb:
     name: Release @skyscanner/backpack-web to NPM