ci: use new token app for workflows

tboerger · tboerger · commit fdc7a0ffe01e · 2025-12-03T19:59:48.000+01:00
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -11,7 +11,6 @@ name: automerge
 permissions:
   contents: write
   pull-requests: write
-  issues: write
 
 jobs:
   dependabot:
@@ -21,14 +20,13 @@ jobs:
     steps:
       - name: Generate token
         id: token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
         with:
-          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
-          installation_retrieval_mode: id
-          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
-          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
-          permissions: >-
-            {"contents": "write", "pull_requests": "write", "issues": "write"}
+          app-id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          private-key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+          permission-issues: write
 
       - name: Fetch metadata
         uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2
diff --git a/.github/workflows/flake.yml b/.github/workflows/flake.yml
@@ -17,14 +17,11 @@ jobs:
     steps:
       - name: Generate token
         id: token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
         with:
-          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
-          installation_retrieval_mode: id
-          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
-          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
-          permissions: >-
-            {"contents": "write"}
+          app-id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          private-key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permission-contents: write
 
       - name: Checkout source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,14 +18,13 @@ jobs:
     steps:
       - name: Generate token
         id: token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
         with:
-          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
-          installation_retrieval_mode: id
-          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
-          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
-          permissions: >-
-            {"contents": "write", "pull_requests": "write", "issues": "write"}
+          app-id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          private-key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+          permission-issues: write
 
       - name: Checkout source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
@@ -18,14 +18,13 @@ jobs:
     steps:
       - name: Generate token
         id: token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
         with:
-          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
-          installation_retrieval_mode: id
-          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
-          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
-          permissions: >-
-            {"contents": "write", "pull_requests": "write", "issues": "write"}
+          app-id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          private-key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+          permission-issues: write
 
       - name: Checkout source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
@@ -80,6 +79,6 @@ jobs:
         if: steps.request.outputs.pull-request-operation == 'created'
         run: gh pr merge --rebase --auto "${{ steps.request.outputs.pull-request-number }}"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.token.outputs.token }}
 
 ...
