chore(ci): use github app for tokens

nirinchev · nirinchev · commit 19e3a98199a8 · 2024-11-27T02:00:58.000+01:00
diff --git a/.github/workflows/authors-and-third-party-notices.yaml b/.github/workflows/authors-and-third-party-notices.yaml
@@ -16,18 +16,12 @@ jobs:
       HADRON_DISTRIBUTION: compass
     steps:
       - name: Create Github App Token
-        uses: actions/create-github-app-token@v1
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
         id: app-token
         with:
           app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
           private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
 
-      - name: Get GitHub App User ID
-        id: get-user-id
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-
       - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
@@ -38,11 +32,6 @@ jobs:
           fetch-depth: "0"
           token: ${{ steps.app-token.outputs.token }}
 
-      - name: Set up Git
-        run: |
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
-
       - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml
@@ -10,24 +10,22 @@ jobs:
     name: Bump packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install npm@10.2.4
         run: |
@@ -40,21 +38,20 @@ jobs:
 
       - name: Bump packages
         env:
-          LAST_BUMP_COMMIT_MESSAGE: 'chore(release): bump package versions'
-          SKIP_BUMP_PACKAGES: 'mongodb-compass'
+          LAST_BUMP_COMMIT_MESSAGE: "chore(release): bump package versions"
+          SKIP_BUMP_PACKAGES: "mongodb-compass"
         run: |
           npm run bump-packages
           git add .
           git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true
 
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(release): bump package versions'
+          token: ${{ steps.app-token.outputs.token }}
+          commit-message: "chore(release): bump package versions"
           branch: ci/bump-packages
-          title: 'chore(release): bump package versions'
+          title: "chore(release): bump package versions"
           labels: no-title-validation
           body: |
             - Bump package versions
diff --git a/.github/workflows/merge-bump-packages-pr.yaml b/.github/workflows/merge-bump-packages-pr.yaml
@@ -3,18 +3,23 @@ on:
   workflow_dispatch:
   schedule:
     # Each Tuesday at 5 AM UTC
-    - cron: '0 5 * * 2'
+    - cron: "0 5 * * 2"
 
 jobs:
   merge_bump_packages_pr:
     name: Merge bump packages PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
 
       - name: Merge PR
         env:
-          GITHUB_TOKEN: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -e
           PR_NUMBER=$(gh pr list -s open --head=ci/bump-packages --limit=1 --json number | jq '.[0].number')
diff --git a/.github/workflows/update-electron.yaml b/.github/workflows/update-electron.yaml
@@ -11,44 +11,40 @@ jobs:
     name: Update Electron
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@ni/github-app-action
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install npm@10.2.4
         run: |
           npm install -g npm@10.2.4
+
       - name: Install Dependencies
-        run: |
-          npm -v
-          npm ci
+        run: npm ci
+
       - name: Bump packages
-        run: |
-          node scripts/update-electron.js
-          git add .
-          git commit --no-allow-empty -m "chore(deps): update electron" || true
+        run: node scripts/update-electron.js
+
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(deps): update electron'
+          token: ${{ steps.app-token.outputs.token }}
+          commit-message: "chore(deps): update electron"
           branch: ci/update-electron
-          title: 'chore(deps): update electron'
+          title: "chore(deps): update electron"
           labels: no-title-validation
           body: |
             - Update electron
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -97,7 +97,7 @@ In particular each change to the `main` branch is analyzed to calculate a new ve
 
 Merging that PR will trigger another CI job that will publish to NPM any package which version is not yet present on the registry.
 
-The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/bump-monorepo-packages for details.
+The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/monorepo-tools for details.
 
 ## Add / Update / Remove Dependencies in Packages
 
