Merge pull request #669 from github/enterprise-3.8.4-backport-665-timreimherr/actions-46-multi-repo-token-scope

timreimherr · web-flow · commit 885f3cfd49f8 · 2023-10-20T11:11:45.000-05:00
Backport 665 for 3.8.4: Implement App Token
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -4,10 +4,6 @@ name: Build and Release
 on:
   workflow_dispatch:
     inputs:
-      gh-token:
-        description: 'GitHub Token - used to create a commit in the backup-utils repo'
-        required: true
-        type: string
       version:
         description: 'Version - patch version of the release (e.g. x.y.z)'
         required: true
@@ -21,22 +17,20 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      rc-app-token: ${{ steps.app-token.outputs.token }}
     steps:
-      # resulting token still gets denied by the backup-utils repo
-      # see: https://github.com/actions/create-github-app-token/pull/46
-      # - uses: timreimherr/create-github-app-token@main
-      #   id: app-token
-      #   with:
-      #     # required
-      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
-      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
-      #     owner: ${{ github.repository_owner }}
-      #     repositories: backup-utils,backup-utils-private
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+          private-key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "backup-utils-private"
       - name: Checkout backup-utils-private
         uses: actions/checkout@v4
         with:
-          token: ${{ github.event.inputs.gh-token }}
-          repository: github/backup-utils-private
+          token: ${{ steps.app-token.outputs.token }}
       - name: Install dependencies
         run: |
           sudo apt-get update -y
@@ -79,35 +73,40 @@ jobs:
     outputs:
       commit_hash: ${{ steps.empty-commit.outputs.commit_hash }}
     steps:
-      # resulting token still gets denied by the backup-utils repo
-      # see: https://github.com/actions/create-github-app-token/pull/46
-      # - uses: timreimherr/create-github-app-token@main
-      #   id: app-token
-      #   with:
-      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
-      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
-      #     owner: ${{ github.repository_owner }}
-      #     repositories: backup-utils,backup-utils-private
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+          private-key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "backup-utils,backup-utils-private"
+      - name: Get major-feature from version
+        id: get-major-feature
+        run: |
+          echo "MAJOR_FEATURE=$(echo ${{ github.event.inputs.version }} | cut -d '.' -f 1,2)" >> "$GITHUB_ENV"
+      - name: Verify major-feature
+        run: |
+          echo "major_feature: $MAJOR_FEATURE"
       - name: Checkout backup-utils
         uses: actions/checkout@v4
         with:
-          token: ${{ github.event.inputs.gh-token }}
+          token: ${{ steps.app-token.outputs.token }}
           repository: github/backup-utils
-          ref: master
       - name: Create empty commit
         uses: stefanzweifel/git-auto-commit-action@v4
         id: empty-commit
         with:
-          branch: master
+          branch: ${{ env.MAJOR_FEATURE }}-stable
           commit_message: "${{ github.event.inputs.version }} release"
-          commit_user_name: "${{ github.actor }}"
-          commit_user_email: "ghes-releases-team@github.com"
+          commit_user_name: "release-controller[bot]"
+          commit_user_email: "223695+release-controller[bot]@users.noreply.github.com"
           commit_options: "--allow-empty"
+          push_options: "--force"
           skip_dirty_check: true
-      - name: Checkout backup-utils
+      - name: Checkout backup-utils-private for release notes
         uses: actions/checkout@v4
         with:
-          token: ${{ github.event.inputs.gh-token }}
+          token: ${{ steps.app-token.outputs.token }}
           repository: github/backup-utils-private
       - name: Download deb artifact
         uses: actions/download-artifact@v3
@@ -120,20 +119,17 @@ jobs:
       - name: Create Release
         uses: ncipollo/release-action@v1
         with:
-          token: ${{ github.event.inputs.gh-token }}
+          token: ${{ steps.app-token.outputs.token }}
+          owner: github
           repo: backup-utils
           name: |
             GitHub Enterprise Server Backup Utilities v${{ github.event.inputs.version }}
           artifacts: |
-            github-backup-utils-v${{ github.event.inputs.version }}.tar.gz, \
+            github-backup-utils-v${{ github.event.inputs.version }}.tar.gz,
             github-backup-utils_${{ github.event.inputs.version }}_all.deb
           tag: v${{ github.event.inputs.version }}
-          commit: ${{ steps.empty-commit.outputs.commit_hash }}
+          commit: ${{ env.MAJOR_FEATURE }}-stable
           bodyFile: release-notes/${{ github.event.inputs.version }}.md
           draft: ${{ github.event.inputs.draft }}
           allowUpdates: true
-          artifactContentType: "raw"
-
-
-
-
+          artifactContentType: "raw"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -18,7 +18,7 @@ jobs:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
       - name: Lint Code Base
-        uses: github/super-linter@v4
+        uses: github/super-linter@v5
         env:
           VALIDATE_ALL_CODEBASE: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
