From c233d4c84cbfed6b4beaf93b43e5fda7c084afc4 Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Tue, 19 Dec 2023 14:48:53 -0500
Subject: [PATCH] BREAKING: switch to official actions/create-github-app-token
This deprecates support for the token_scope input for custom actions which wasn't used anywhere anyway. It also deprecates support for the installation_id input as the installation will be derived from the repo owner. The old token action is still in use to enable auto-merge where custom token scopes were still required. This will be removed in the future when custom permissions are supported by the new action.
See: https://github.com/tibdex/github-app-token/issues/99
See: https://github.com/actions/create-github-app-token/issues/3
Resolves: https://github.com/product-os/flowzone/issues/790
Change-type: major
Signed-off-by: Kyle Harding
---
 .github/workflows/flowzone.yml | 585 +++++++++++----------
 README.md | 15 +-
 flowzone.yml | 184 +++--------
 3 files changed, 223 insertions(+), 561 deletions(-)
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index a23cd7097..5adf8d7fb 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -122,23 +122,10 @@ on:
 required: false
 default: ${{ vars.APP_ID || '291899' }}
 installation_id:
- description: GitHub App installation id
+ description: GitHub App installation id (deprecated)
 type: string
 required: false
 default: ${{ vars.INSTALLATION_ID || '34040165' }}
- token_scope:
- description: Ephemeral token scope(s)
- type: string
- required: false
- default: |- { "administration": "write", "contents": "write", "metadata": "read", "packages": "write", "pages": "write", "pull_requests": "read" }
 jobs_timeout_minutes:
 description: Timeout for the job(s).
 type: number
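Review bot: The `installation_id` input keeps its concrete default (`${{ vars.INSTALLATION_ID || '34040165' }}`) while its description only gains "(deprecated)", so a caller cannot tell whether the value still has any effect. In the hunks on this page no new token step passes `inputs.installation_id` any more and the one remaining tibdex step switches to an organization lookup, so the input appears to be ignored; say so in the description, e.g. `description: GitHub App installation id (deprecated, no longer used; the installation is derived from the repository owner)`. If it is still read somewhere outside this patch, name that use instead.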
@@ -506,22 +493,14 @@ jobs:
 GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "administration": "write", "contents": "write", "metadata": "read", "pull_requests": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout refs/pull/${{ github.event.number }}/merge
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -727,20 +706,14 @@ jobs:
 node_versions: ${{ steps.node_versions.outputs.json }}
 npm_access: ${{ steps.access.outputs.access }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
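Review bot: `uses: actions/create-github-app-token@v1.6.2` pins the new token action to a mutable tag, while every other action in this file is pinned to a full commit SHA (`actions/checkout@b4ffde65…` two lines below, and the `tibdex/github-app-token@3beb63f…` it replaces); a moved tag would silently change the code that receives `GH_APP_PRIVATE_KEY`, so pin the commit and keep the version as a trailing comment, `uses: actions/create-github-app-token@<commit sha of the v1.6.2 tag> # v1.6.2`. The same applies to every token step on this page (the hunks in L3–L19). Scope is the second point: the replaced step asked for the minimum each job needs (`contents: read` and `metadata: read` in most jobs), whereas the new step passes only `app-id`, `private-key` and `owner`, so every job now receives a token carrying the installation's full permission set, including the custom-action jobs in L15–L17 that hand the token to caller-provided steps. The commit message acknowledges that the new action cannot narrow permissions yet; a comment on the step recording that the token is over-scoped until that lands, and which permissions the job actually needs, would keep the intended least-privilege set from being lost in the migration.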
@@ -862,20 +835,14 @@ jobs:
 docker_bake_json: ${{ steps.docker_bake.outputs.json }}
 docker_test_matrix: ${{ steps.docker_test.outputs.build }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -990,20 +957,14 @@ jobs:
 python_versions: ${{ steps.python_versions.outputs.json }}
 pypi_publish: ${{ steps.python_poetry.outputs.pypi_publish }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1087,20 +1048,14 @@ jobs:
 cargo_targets: ${{ steps.cargo_targets.outputs.build }}
 cargo: ${{ steps.cargo_yml.outputs.enabled }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1141,20 +1096,14 @@ jobs:
 balena_slugs: ${{ steps.balena_slugs.outputs.build }}
 balena_yml: ${{ steps.balena_yml.outputs.enabled }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1200,20 +1149,14 @@ jobs:
 custom_publish_matrix: ${{ steps.custom_publish_matrix.outputs.build }}
 custom_finalize_matrix: ${{ steps.custom_finalize_matrix.outputs.build }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1286,20 +1229,14 @@ jobs:
 outputs:
 has_readme: ${{ steps.has_readme.outputs.enabled }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1333,20 +1270,14 @@ jobs:
 stacks: ${{ steps.cloudformation_stacks.outputs.matrix }}
 includes: ${{ steps.cloudformation_stacks.outputs.includes }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1449,20 +1380,14 @@ jobs:
 sha_tag: ${{ steps.meta.outputs.sha_tag }}
 version_tag: ${{ steps.meta.outputs.version_tag }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -1633,20 +1558,14 @@ jobs:
 working-directory: .
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Sort node versions
 id: node_versions
 env:
@@ -1688,22 +1607,14 @@ jobs:
 working-directory: .
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "pages": "write", "contents": "read", "metadata": "read" }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Sort node versions
 id: node_versions
 env:
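Review bot: The second hunk here drops the `repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'` line together with the permission list, so the token is no longer confined to the base repository; with only `owner` set, the new action issues a token for every repository the installation can reach. `actions/create-github-app-token` documents a `repositories` input taking a comma-separated list of repository names (check the pinned release's action.yml), so the bound can be carried over now as `repositories: ${{ github.event.pull_request.base.repo.name }}` without waiting for permission support. The same `repositories` line is dropped in both hunks of L12 and both hunks of L19, whose old tokens carried `contents: write` and `administration: write` respectively, which is where losing the repository bound matters most.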
@@ -1749,20 +1660,14 @@ jobs:
 env:
 DOCKER_BUILDKIT: "1"
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2271,20 +2176,14 @@ jobs:
 image: ${{ fromJSON(needs.is_docker.outputs.docker_images) }}
 target: ${{ fromJSON(needs.is_docker.outputs.bake_targets) }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2499,20 +2398,14 @@ jobs:
 working-directory: ${{ inputs.working_directory }}
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2587,20 +2480,14 @@ jobs:
 working-directory: ${{ inputs.working_directory }}
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2672,20 +2559,14 @@ jobs:
 matrix:
 python-version: ${{ fromJSON(needs.is_python.outputs.python_versions) }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2758,20 +2639,14 @@ jobs:
 working-directory: ${{ inputs.working_directory }}
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2832,20 +2707,14 @@ jobs:
 working-directory: ${{ inputs.working_directory }}
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2887,20 +2756,14 @@ jobs:
 (github.event.action != 'closed' || github.event.pull_request.merged == true) && needs.is_website.result == 'success'
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -2956,21 +2819,14 @@ jobs:
 working-directory: .
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "write", "metadata": "read" }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Delete draft GitHub release
 run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true
 env:
@@ -2996,21 +2852,14 @@ jobs:
 working-directory: .
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "write", "metadata": "read" }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Delete draft GitHub release
 run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true
 env:
@@ -3056,20 +2905,14 @@ jobs:
 working-directory: .
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "write", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3140,20 +2983,14 @@ jobs:
 sha_tag: ${{ steps.meta.outputs.sha_tag }}
 version_tag: ${{ steps.meta.outputs.version_tag }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3218,20 +3055,14 @@ jobs:
 matrix:
 target: ${{ fromJSON(needs.is_cargo.outputs.cargo_targets) }}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3280,20 +3111,14 @@ jobs:
 working-directory: ${{ inputs.working_directory }}
 shell: bash --noprofile --norc -eo pipefail -x {0}
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3336,16 +3161,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3401,16 +3224,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3460,16 +3281,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3515,16 +3334,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3569,16 +3386,14 @@ jobs:
 echo "::error::Custom actions are disabled for external contributors and will be skipped. \
 Please contact a member of the organization for assistance."
 exit 1
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: ${{ inputs.token_scope }}
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -3622,20 +3437,14 @@ jobs:
 ATTEMPTS: 5
 TIMEOUT: 3
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -4009,20 +3818,14 @@ jobs:
 KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }}
 LOCK_TIMEOUT: 300s
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -4115,20 +3918,14 @@ jobs:
 KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }}
 LOCK_TIMEOUT: 300s
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |- { "contents": "read", "metadata": "read" }
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Checkout ${{ needs.versioned_source.outputs.sha }}
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
@@ -4204,22 +4001,14 @@ jobs:
 env:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Get branch protection rules
 id: branch_protection
 shell: bash --noprofile --norc -eo pipefail -x {0}
@@ -4424,22 +4213,14 @@ jobs:
 github.event.pull_request.merged == true &&
 inputs.repo_config == true
 steps:
- - name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ - name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
 with:
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- permissions: |-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Configure repository
 env:
 GH_DEBUG: "true"
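Review bot: Both hunks drop the `repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'` restriction together with the permissions block, so the token these branch-protection and repository-configuration jobs need `administration: write` for is now valid for every repository in the owner's installation instead of the one repository being configured (the new `owner:` input alone yields an installation-wide token, as the comment added in the flowzone.yml @@ -11 hunk says). Unlike custom permissions, repository scoping is something the new action does support through its `repositories` input, so this narrowing can be kept: `repositories: ${{ github.event.pull_request.base.repo.name }}` under `with:`. The same `repositories:` line is removed without replacement in the flowzone.yml hunks at @@ -2194, @@ -2850, @@ -2882, @@ -3752 and @@ -3901.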
@@ -4585,8 +4366,8 @@ jobs:
 id: gh_app_token
 with:
 app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
+ installation_retrieval_mode: organization
+ installation_retrieval_payload: ${{ github.repository_owner }}
 private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 permissions: |-
 {
diff --git a/README.md b/README.md
index 654c1d8b1..92916e391 100644
--- a/README.md
+++ b/README.md
@@ -206,24 +206,11 @@ jobs:
 # Required: false
 app_id: ${{ vars.APP_ID || '291899' }}
- # GitHub App installation id
+ # GitHub App installation id (deprecated)
 # Type: string
 # Required: false
 installation_id: ${{ vars.INSTALLATION_ID || '34040165' }}
- # Ephemeral token scope(s)
- # Type: string
- # Required: false
- token_scope: >
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "packages": "write",
- "pages": "write",
- "pull_requests": "read"
- }
-
 # Timeout for the job(s).
 # Type: number
 # Required: false
diff --git a/flowzone.yml b/flowzone.yml
index b0e89c652..e3bbe86e5 100644
--- a/flowzone.yml
+++ b/flowzone.yml
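Review bot: The retained `tibdex/github-app-token` step switches installation lookup to `installation_retrieval_mode: organization` with `github.repository_owner` as the payload, which only resolves when the owner is an organization; for a repository under a user account that lookup appears to fail, and since this step carries `continue-on-error: true` (visible on the same step in the flowzone.yml @@ -4031 hunk) the job would carry on with an empty token rather than stopping. The old `id` mode was owner-agnostic; the equivalent owner-agnostic replacement is the action's `repository` mode, which resolves the installation from the repository itself: `installation_retrieval_mode: repository` and `installation_retrieval_payload: ${{ github.repository }}`. The same change is made in the flowzone.yml hunk at @@ -4031, whose end is outside this view.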
@@ -11,22 +11,16 @@
 - &ifPublicRepository
 if: github.event.repository.private != true
- - &getGitHubAppToken # https://github.com/marketplace/actions/github-app-token
- name: Generate GitHub App installation token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ - &getGitHubAppToken # https://github.com/actions/create-github-app-token
+ name: Create GitHub App installation token
+ uses: actions/create-github-app-token@v1.6.2
 continue-on-error: true
 id: gh_app_token
- with: &getGitHubAppTokenWith
- app_id: ${{ inputs.app_id }}
- installation_retrieval_mode: id
- installation_retrieval_payload: ${{ inputs.installation_id }}
- private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- # permissions: ${{ inputs.token_scope }}
- permissions: >-
- {
- "contents": "read",
- "metadata": "read"
- }
+ with:
+ app-id: ${{ inputs.app_id }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ # Create a token for all repositories in the current owner's installation
+ owner: ${{ github.repository_owner }}
 # optionally attempt to get AWS login short-lived session credentials over OIDC
 - &configureAWSCredentials # https://github.com/aws-actions/configure-aws-credentials
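Review bot: Dropping the `&getGitHubAppTokenWith` anchor on the new `with:` mapping means any job that later needs a narrower token (for example via the action's `repositories` input) has to restate `app-id`, `private-key` and `owner` in full, where the old per-job overrides only merged `<<: *getGitHubAppTokenWith` and added the differing key. Keep the anchor, `with: &getGitHubAppTokenWith`, so a per-job override stays a two-line merge. The added comment states the broad scope but not how to reduce it; `# Scoped to every repository in the owner's installation (and every permission the app was installed with); add repositories: to narrow it` would tell the next editor what the knob is.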
@@ -817,27 +811,12 @@ on:
 default: "${{ vars.APP_ID || '291899' }}"
 # not needed if installed on this current org/repo
 installation_id:
- description: "GitHub App installation id"
+ description: "GitHub App installation id (deprecated)"
 type: string
 required: false
 # https://github.com/organizations/product-os/settings/installations
 # https://github.com/organizations/product-os/settings/variables/actions/INSTALLATION_ID
 default: "${{ vars.INSTALLATION_ID || '34040165' }}"
- token_scope:
- description: "Ephemeral token scope(s)"
- type: string
- required: false
- # https://github.com/organizations/product-os/settings/installations/34040165
- # https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-scoped-access-token
- default: >-
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "packages": "write",
- "pages": "write",
- "pull_requests": "read"
- }
 jobs_timeout_minutes:
 description: "Timeout for the job(s)."
 type: number
@@ -1161,17 +1140,8 @@ jobs:
 <<: *gitHubCliEnvironment
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is currently required to bypass branch protection rules
- permissions: >-
- {
- "administration": "write",
- "contents": "write",
- "metadata": "read",
- "pull_requests": "read"
- }
+ # currently requires repo:admin:write to bypass branch protection
+ - *getGitHubAppToken
 # Checkout the merge ref for open PRs
 - <<: *checkoutMergeRef
@@ -2194,18 +2164,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # need permissions to publish to github pages
- permissions: >-
- {
- "pages": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ - *getGitHubAppToken
 - *sortNodeVersions
 # https://github.com/dawidd6/action-download-artifact
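Review bot: In the @@ -817 hunk `installation_id` is only marked "(deprecated)", but after this change none of the steps in the diff read `inputs.installation_id` any more (the shared `&getGitHubAppToken` step and the retained tibdex steps both derive the installation from `github.repository_owner`), so a caller that still sets it gets no effect and no warning. Say so where callers will see it, `description: "GitHub App installation id (deprecated, ignored: the installation is now derived from the repository owner)"`, and consider whether the `vars.INSTALLATION_ID || '34040165'` default still earns its place, since it now only carries a value nothing consumes. The `# not needed if installed on this current org/repo` comment above the input is likewise out of date once the id is unused.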
@@ -2850,19 +2809,11 @@ jobs:
 if: |
 github.event.action == 'closed' &&
 github.event.pull_request.merged == false
+ <<: *rootWorkingDirectory
- steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ steps:
+ - *getGitHubAppToken
 - *deleteDraftGitHubRelease
 github_publish:
@@ -2882,17 +2833,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ - *getGitHubAppToken
 - *deleteDraftGitHubRelease
 - name: Download all artifacts
@@ -2935,16 +2876,7 @@ jobs:
 <<: *rootWorkingDirectory
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # contents:write permissions for managing releases
- permissions: >-
- {
- "contents": "write",
- "metadata": "read"
- }
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *getReleaseNotes
@@ -3154,12 +3086,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
 - *createLocalRefs
@@ -3201,13 +3128,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
 - *createLocalRefs
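Review bot: The `# contents:write permissions for managing releases` comment disappears together with the permissions block in the @@ -2850, @@ -2882 and @@ -2935 hunks, so the release jobs no longer record which installation permission their token has to carry, while the sibling hunks at @@ -1161, @@ -3752 and @@ -3901 in this same file keep a "requires …" note above `- *getGitHubAppToken`. Restore the requirement in the same form for consistency, `# contents:write is required to manage releases`, above each `- *getGitHubAppToken` in those three hunks. With the new action requesting no permissions of its own, such a comment becomes the only place the requirement is written down.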
@@ -3242,13 +3163,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3281,13 +3196,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3318,13 +3227,7 @@ jobs:
 steps:
 - *rejectExternalCustomActions
-
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # use permissions from the token_scope input
- permissions: ${{ inputs.token_scope }}
-
+ - *getGitHubAppToken
 - *checkoutVersionedSha
 - *resetGitHubDirectory
@@ -3752,18 +3655,8 @@ jobs:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is required to set branch protection
- permissions: >-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
-
+ # repo:admin:write permission is required to set branch protection
+ - *getGitHubAppToken
 - *getBranchProtectionRules
 - *isDraftPullRequest
@@ -3901,17 +3794,8 @@ jobs:
 github.event.pull_request.merged == true &&
 inputs.repo_config == true
 steps:
- - <<: *getGitHubAppToken
- with:
- <<: *getGitHubAppTokenWith
- # admin permission is required modify repo config
- permissions: >-
- {
- "administration": "write",
- "contents": "read",
- "metadata": "read"
- }
- repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
+ # repo:admin:write permission is required to set repository settings
+ - *getGitHubAppToken
 - name: Configure repository
 env:
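Review bot: The comments added in the @@ -3752 and @@ -3901 hunks, `# repo:admin:write permission is required to set branch protection` and `# repo:admin:write permission is required to set repository settings`, name the permission in a form that matches neither what the removed lines requested (`"administration": "write"`) nor the name shown in the app's installation settings, which is where someone will go to check that the installation actually grants it. Use the app permission name the old block used, e.g. `# administration:write (GitHub App repository permission) is required to set branch protection`, and the same for the repository-settings comment. The `# currently requires repo:admin:write to bypass branch protection` comment in the @@ -1161 hunk has the same wording.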
@@ -4031,10 +3915,20 @@ jobs:
 BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.pull_request.base.ref }}/protection
 steps:
- - <<: *getGitHubAppToken
+ # https://github.com/marketplace/actions/github-app-token
+ # FIXME: switch to actions/create-github-app-token as soon as custom permissions are supported
+ # https://github.com/actions/create-github-app-token/issues/3
+ - name: Generate GitHub App installation token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ continue-on-error: true
+ id: gh_app_token
 with:
- <<: *getGitHubAppTokenWith
- # avoid providing any permissions here that are able to bypass branch protections!
+ app_id: ${{ inputs.app_id }}
+ installation_retrieval_mode: organization
+ installation_retrieval_payload: ${{ github.repository_owner }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ # DO NOT include any permissions here that would bypass branch protections!
+ # e.g. admin:write would merge PRs before required checks have passed
 permissions: >-
 {
 "administration": "read",