chore(gh-actions): use gihtub app instead of a token

fabianrbz · fabianrbz · commit 4a8ddfceb3a9 · 2025-12-17T09:15:56.000-03:00
diff --git a/.github/workflows/sync-deck.yml b/.github/workflows/sync-deck.yml
@@ -19,6 +19,14 @@ jobs:
         uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_KONG_DOCS_ID }}
+          private-key: ${{ secrets.GH_APP_KONG_DOCS_SECRET }}
+          owner: Kong
+
       - uses: Kong/setup-deck@v1
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Fetch OAS Data
@@ -27,10 +35,11 @@ jobs:
           npm ci
           node extract-help.js
           node fetch-versions.js
+
       - name: Create pull request
         uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
         with:
           title: Sync Deck Releases
           commit-message: Sync Deck Releases
           labels: skip-changelog,review:general
-          token: ${{ secrets.PAT }}
+          token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/sync-konnect-oas-data.yml b/.github/workflows/sync-konnect-oas-data.yml
@@ -14,6 +14,15 @@ jobs:
         uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
+
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_KONG_DOCS_ID }}
+          private-key: ${{ secrets.GH_APP_KONG_DOCS_SECRET }}
+          owner: Kong
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Fetch OAS Data
         run: |
@@ -26,4 +35,4 @@ jobs:
           title: Sync Konnect OAS Data
           commit-message: Sync Konnect OAS Data
           labels: skip-changelog,review:general
-          token: ${{ secrets.PAT }}
+          token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/sync-kuma-submodule.yml b/.github/workflows/sync-kuma-submodule.yml
@@ -47,6 +47,15 @@ jobs:
         uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
         with:
           egress-policy: audit
+
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_KONG_DOCS_ID }}
+          private-key: ${{ secrets.GH_APP_KONG_DOCS_SECRET }}
+          owner: Kong
+
       - name: 'Check-out current repo'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
@@ -79,7 +88,7 @@ jobs:
           author: kong-docs[bot] <team-docs@konghq.com>
           signoff: true
           branch: chore/upgrade-kuma-website
-          token: ${{ secrets.PAT }}
+          token: ${{ steps.app-token.outputs.token }}
           delete-branch: true
           labels: |
             skip-changelog
