replaced long running access token

kikofernandez · kikofernandez · commit 363959d14313 · 2025-09-16T10:18:33.000+02:00
replace long running access token by ephemeral (1h) tokens via
integration with an Erlang Bot App.
diff --git a/.github/scripts/create-openvex-pr.sh b/.github/scripts/create-openvex-pr.sh
@@ -32,9 +32,6 @@ if [ "$FOUND_PR" -ne 0 ]; then
   echo "A new PR will be created"
 fi
 
-git config user.name "github-actions[bot]"
-git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
 # Check if PR is closed
 if [ "$PR_STATUS" = "CLOSED" ] || [ "$PR_STATUS" = "MERGED" ] || [ "$FOUND_PR" -ne 0 ]; then
   echo "Pull request #$BRANCH_NAME is CLOSED or MERGED."
diff --git a/.github/workflows/openvex-sync.yml b/.github/workflows/openvex-sync.yml
@@ -21,6 +21,7 @@
 ## Periodically syncs OpenVEX files against Erlang OTP Securities,
 ## creating an automatic PR with the missing published securities.
 name: OpenVEX Securities Syncing
+description: 'Sync OpenVEX Securities with Erlang/OTP published Securities'
 
 on:
   workflow_dispatch:
@@ -43,21 +44,35 @@ jobs:
         with:
           ref: 'master' # '' = default branch
 
-      - uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # racket:actions/checkout@v1
+      - uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # ratchet:actions/checkout@v1
         with:
           otp-version: '28'
 
       - uses: openvex/setup-vexctl@e85ca48f3c8a376289f6476129d59cda82147e71 # ratchet:openvex/setup-vexctl@v0.1.1
         with:
           vexctl-release: '0.3.0'
 
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # ratchet:actions/create-github-app-token@v2.1.4
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.ERLANG_BOT_APP_ID }}
+          private-key: ${{ secrets.ERLANG_BOT_PRIVATE_KEY }}
+
       - name: Authenticate gh
         run: |
-          echo "${{ secrets.OPENVEX_TOKEN }}" | gh auth login --with-token
+          echo "${{ steps.app-token.outputs.token }}" | gh auth login --with-token
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
 
       - name: 'Open OpenVEX Pull Requests for newly released vulnerabilities'
         run: |
           .github/scripts/otp-compliance.es vex verify -p
-        # env:
-          # GH_TOKEN: ${{ secrets.OPENVEX_TOKEN }}
-          # REPO: ${{ github.repository }}
