chore(ci): use github app instead of bot user

nirinchev · nirinchev · commit 60561e8ffe47 · 2024-11-27T14:16:07.000+01:00
diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml
@@ -10,25 +10,39 @@ jobs:
     name: Bump packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        shell: bash
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Set up Git
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+        shell: bash
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
           # this is important so git log can pick up on
           # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
+          fetch-depth: "0"
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install npm
         run: npm install -g npm@8
@@ -46,21 +60,4 @@ jobs:
           npm run bump-packages
           git add .
           git commit --no-allow-empty -m "chore(ci): bump packages" || true
-
-      - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
-        with:
-          commit-message: 'chore(ci): bump packages'
-          branch: ci/bump-packages
-          title: 'chore(ci): bump packages'
-          body: |
-            - Bump package versions
-
-      - name: Merge PR
-        if: ${{steps.cpr.outputs.pull-request-operation == 'created'}}
-        env:
-          PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}}
-          GITHUB_TOKEN: ${{secrets.PAT}}
-        run: |
-          gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch
+          git push
diff --git a/.github/workflows/check-test.yaml b/.github/workflows/check-test.yaml
@@ -46,25 +46,25 @@ jobs:
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install npm
         run: npm install -g npm@8
 
       - name: Use python@3.11
         # Default Python (3.12) doesn't have support for distutils
         # https://github.com/nodejs/node-gyp/issues/2869
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Install Dependencies
         run: |
diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml
@@ -18,45 +18,45 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-      with:
-        # don't checkout a detatched HEAD
-        ref: ${{ github.head_ref }}
-
-        # this is important so git log has the whole history
-        fetch-depth: '0'
-
-    - name: Setup git
-      run: |
-        git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git config --local user.name "github-actions[bot]"
-
-    - name: Setup Node.js
-      uses: actions/setup-node@v3
-      with:
-        node-version: 20.x
-        cache: 'npm'
-
-    - name: Install npm
-      run: npm install -g npm@8
-
-    - name: Install Dependencies
-      run: |
-        npm run bootstrap-ci
-      shell: bash
-
-    - name: "Publish what is not already in NPM"
-      env:
-        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      run: |
-        echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
-        git update-index --assume-unchanged .npmrc
-        npm run publish-packages
-
-    - name: "Publish tags"
-      run: |
-        npx lerna list -a --json | \
-          jq -r '.[] | .name + "@" + .version' | \
-          xargs -i sh -c "git tag -a {} -m {} || true"
-        git push --follow-tags
-
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          # don't checkout a detatched HEAD
+          ref: ${{ github.head_ref }}
+
+          # this is important so git log has the whole history
+          fetch-depth: "0"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: "npm"
+
+      - name: Install npm
+        run: npm install -g npm@8
+
+      - name: Install Dependencies
+        run: |
+          npm run bootstrap-ci
+        shell: bash
+
+      - name: "Publish what is not already in NPM"
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
+          git update-index --assume-unchanged .npmrc
+          npm run publish-packages
+
+      - name: "Publish tags"
+        run: |
+          npx lerna list -a --json | \
+            jq -r '.[] | .name + "@" + .version' | \
+            xargs -i sh -c "git tag -a {} -m {} || true"
+          git push --follow-tags
diff --git a/.github/workflows/update-cidrs.yaml b/.github/workflows/update-cidrs.yaml
@@ -11,15 +11,18 @@ jobs:
     name: Update automatically generated files
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/create-github-app-token@v1
+        id: app-token
         with:
-          node-version: ^18.x
-          cache: 'npm'
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
 
-      - name: Install npm@8
-        run: |
-          npm install -g npm@8
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ^20.x
+          cache: "npm"
 
       - name: Install Dependencies
         run: |
@@ -31,22 +34,8 @@ jobs:
       - name: Update cidrs.json
         run: npm run -w packages/mongodb-cloud-info update-cidrs
 
-      - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
-        with:
-          commit-message: Update report
-          branch: ci/update-cidrs
-          title: 'chore: update cidrs.json'
-          add-paths: |
-            resources/cidrs.json
-          body: |
-            - Update `cidrs.json`
-
-      - name: Merge PR
-        env:
-          PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}}
-          # NOTE: we don't use a PAT so to not trigger further automation
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Commit and push
         run: |
-          gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch
+          git add resources/cidrs.json
+          git commit --no-allow-empty -m "chore: update cidrs.json [skip ci]" || true
+          git push
