see token permissions

timreimherr · timreimherr · commit 765260fb48e7 · 2023-09-26T16:04:16.000Z
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -24,110 +24,113 @@ jobs:
     steps:
       # resulting token still gets denied by the backup-utils repo
       # see: https://github.com/actions/create-github-app-token/pull/46
-      # - uses: timreimherr/create-github-app-token@main
-      #   id: app-token
-      #   with:
-      #     # required
-      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
-      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
-      #     owner: ${{ github.repository_owner }}
-      #     repositories: backup-utils,backup-utils-private
-      - name: Checkout backup-utils-private
-        uses: actions/checkout@v4
+      - uses: timreimherr/create-github-app-token@main
+        id: app-token
         with:
-          token: ${{ github.event.inputs.gh-token }}
-          repository: github/backup-utils-private
-      - name: Install dependencies
+          # required
+          app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+          private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: backup-utils,backup-utils-private
+      - name: Print app permissions
         run: |
-          sudo apt-get update -y
-          sudo apt-get install -y moreutils debhelper help2man devscripts gzip
-      - name: Create tag # this is required for the build scripts
-        run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "ghes-releases-team@github.com"
-          git tag -a "v${{ github.event.inputs.version }}" -m "v${{ github.event.inputs.version }}"
-          git push origin "v${{ github.event.inputs.version }}"
-      - name: Package deb
-        run: |
-          ./script/package-deb
-      # many need to remove this once release-notes compilation is automated
-      - name: Rename deb artifact
-        run: |
-            for file in dist/github-backup-utils_*_all.deb; do
-              if [[ -f "$file" ]]; then
-                mv "$file" "dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb"
-              fi
-            done
-      - name: Upload deb artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
-          path: |
-            dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb
-      - name: Package tarball
-        run: |
-          ./script/package-tarball
-      - name: Upload tarball artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
-          path: |
-            dist/github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
-  release:
-    needs: build
-    runs-on: ubuntu-latest
-    outputs:
-      commit_hash: ${{ steps.empty-commit.outputs.commit_hash }}
-    steps:
-      # resulting token still gets denied by the backup-utils repo
-      # see: https://github.com/actions/create-github-app-token/pull/46
-      # - uses: timreimherr/create-github-app-token@main
-      #   id: app-token
-      #   with:
-      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
-      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
-      #     owner: ${{ github.repository_owner }}
-      #     repositories: backup-utils,backup-utils-private
-      - name: Checkout backup-utils
-        uses: actions/checkout@v4
-        with:
-          token: ${{ github.event.inputs.gh-token }}
-          repository: github/backup-utils
-          ref: master
-      - name: Create empty commit
-        uses: stefanzweifel/git-auto-commit-action@v4
-        id: empty-commit
-        with:
-          branch: master
-          commit_message: "${{ github.event.inputs.version }} release"
-          commit_user_name: "${{ github.actor }}"
-          commit_user_email: "ghes-releases-team@github.com"
-          commit_options: "--allow-empty"
-          skip_dirty_check: true
-      - name: Download deb artifact
-        uses: actions/download-artifact@v3
-        with:
-          name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
-      - name: Download tarball artifact
-        uses: actions/download-artifact@v3
-        with:
-          name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
-      - name: Create Release
-        uses: ncipollo/release-action@v1
-        with:
-          token: ${{ github.event.inputs.gh-token }}
-          repo: backup-utils
-          name: |
-            GitHub Enterprise Server Backup Utilities v${{ github.event.inputs.version }}
-          artifacts: |
-            github-backup-utils-v${{ github.event.inputs.version }}.tar.gz, \
-            github-backup-utils_${{ github.event.inputs.version }}_all.deb
-          tag: v${{ github.event.inputs.version }}
-          commit: ${{ steps.empty-commit.outputs.commit_hash }}
-          bodyFile: release-notes/${{ github.event.inputs.version }}.md
-          draft: ${{ github.event.inputs.draft }}
-          allowUpdates: true
-          artifactContentType: "raw"
+              curl -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" -H "Accept: application/vnd.github.v3+json" https://api.github.com/app/installations | jq '.[] | {permissions: .permissions, target_type: .target_type, repository_selection: .repository_selection}'
+  #     - name: Checkout backup-utils-private
+  #       uses: actions/checkout@v4
+  #       with:
+  #         token: ${{ github.event.inputs.gh-token }}
+  #         repository: github/backup-utils-private
+  #     - name: Install dependencies
+  #       run: |
+  #         sudo apt-get update -y
+  #         sudo apt-get install -y moreutils debhelper help2man devscripts gzip
+  #     - name: Create tag # this is required for the build scripts
+  #       run: |
+  #         git config user.name "${{ github.actor }}"
+  #         git config user.email "ghes-releases-team@github.com"
+  #         git tag -a "v${{ github.event.inputs.version }}" -m "v${{ github.event.inputs.version }}"
+  #         git push origin "v${{ github.event.inputs.version }}"
+  #     - name: Package deb
+  #       run: |
+  #         ./script/package-deb
+  #     # many need to remove this once release-notes compilation is automated
+  #     - name: Rename deb artifact
+  #       run: |
+  #           for file in dist/github-backup-utils_*_all.deb; do
+  #             if [[ -f "$file" ]]; then
+  #               mv "$file" "dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb"
+  #             fi
+  #           done
+  #     - name: Upload deb artifact
+  #       uses: actions/upload-artifact@v3
+  #       with:
+  #         name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
+  #         path: |
+  #           dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb
+  #     - name: Package tarball
+  #       run: |
+  #         ./script/package-tarball
+  #     - name: Upload tarball artifact
+  #       uses: actions/upload-artifact@v3
+  #       with:
+  #         name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+  #         path: |
+  #           dist/github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+  # release:
+  #   needs: build
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     commit_hash: ${{ steps.empty-commit.outputs.commit_hash }}
+  #   steps:
+  #     # resulting token still gets denied by the backup-utils repo
+  #     # see: https://github.com/actions/create-github-app-token/pull/46
+  #     # - uses: timreimherr/create-github-app-token@main
+  #     #   id: app-token
+  #     #   with:
+  #     #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+  #     #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+  #     #     owner: ${{ github.repository_owner }}
+  #     #     repositories: backup-utils,backup-utils-private
+  #     - name: Checkout backup-utils
+  #       uses: actions/checkout@v4
+  #       with:
+  #         token: ${{ github.event.inputs.gh-token }}
+  #         repository: github/backup-utils
+  #         ref: master
+  #     - name: Create empty commit
+  #       uses: stefanzweifel/git-auto-commit-action@v4
+  #       id: empty-commit
+  #       with:
+  #         branch: master
+  #         commit_message: "${{ github.event.inputs.version }} release"
+  #         commit_user_name: "${{ github.actor }}"
+  #         commit_user_email: "ghes-releases-team@github.com"
+  #         commit_options: "--allow-empty"
+  #         skip_dirty_check: true
+  #     - name: Download deb artifact
+  #       uses: actions/download-artifact@v3
+  #       with:
+  #         name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
+  #     - name: Download tarball artifact
+  #       uses: actions/download-artifact@v3
+  #       with:
+  #         name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+  #     - name: Create Release
+  #       uses: ncipollo/release-action@v1
+  #       with:
+  #         token: ${{ github.event.inputs.gh-token }}
+  #         repo: backup-utils
+  #         name: |
+  #           GitHub Enterprise Server Backup Utilities v${{ github.event.inputs.version }}
+  #         artifacts: |
+  #           github-backup-utils-v${{ github.event.inputs.version }}.tar.gz, \
+  #           github-backup-utils_${{ github.event.inputs.version }}_all.deb
+  #         tag: v${{ github.event.inputs.version }}
+  #         commit: ${{ steps.empty-commit.outputs.commit_hash }}
+  #         bodyFile: release-notes/${{ github.event.inputs.version }}.md
+  #         draft: ${{ github.event.inputs.draft }}
+  #         allowUpdates: true
+  #         artifactContentType: "raw"
 
 
 
