Switch to using an app token instead of a PAT

The app token will persist even as users come/go from the team. It also allows us more finegrained access controls from the app settings page if we need to suddenly lockdown something, we don't have to rely on the person who created the PAT.
dependabot · May 17, 2023 · 8fda4b7 · 8fda4b7
1 parent f2b323a
commit 8fda4b7
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 6 deletions.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -8,6 +8,13 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - name: Check out code
         uses: actions/checkout@v3
 
@@ -19,4 +26,5 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          # TODO the app token doesn't currently have perms to merge PR's, so need to add that before merging this...
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
@@ -34,11 +34,18 @@ jobs:
     # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
     if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
     steps:
-      # Check out using a PAT so any pushed changes will trigger checkruns
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          # Check out using an app token so any pushed changes will trigger checkruns
+          token: ${{ steps.generate_token.outputs.token }}
 
       - name: Read .nvmrc
         id: nvm

diff --git a/.github/workflows/release-bump-version.yml b/.github/workflows/release-bump-version.yml
@@ -18,11 +18,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
           # Ensure we start from main in case the workflow is run from a branch
           ref: "main"
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          token: ${{ steps.generate_token.outputs.token }}
 
       - name: Read .nvmrc
         id: nvm
@@ -70,7 +77,7 @@ jobs:
           echo "PR created at URL: $PR_URL"
           echo "PR_URL=$PR_URL" >> $GITHUB_ENV
         env:
-          GH_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Set summary
         run: |

diff --git a/.github/workflows/release-move-tracking-tag.yml b/.github/workflows/release-move-tracking-tag.yml
@@ -17,9 +17,16 @@ jobs:
     # Safer, but more of a hassle and also an unnecessary precaution 99% of the time.
 
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          token: ${{ steps.generate_token.outputs.token }}
 
       - name: Move the tracking tag
         run: git tag -f v1