diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml index a23cd7097..1f438aac6 100644 --- a/.github/workflows/flowzone.yml +++ b/.github/workflows/flowzone.yml @@ -122,23 +122,9 @@ on: required: false default: ${{ vars.APP_ID || '291899' }} installation_id: - description: GitHub App installation id + description: GitHub App installation id (deprecated, installation is derived from repo owner) type: string required: false - default: ${{ vars.INSTALLATION_ID || '34040165' }} - token_scope: - description: Ephemeral token scope(s) - type: string - required: false - default: |- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "packages": "write", - "pages": "write", - "pull_requests": "read" - } jobs_timeout_minutes: description: Timeout for the job(s). type: number @@ -506,22 +492,14 @@ jobs: GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "pull_requests": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout refs/pull/${{ github.event.number }}/merge uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -727,20 +705,14 @@ jobs: node_versions: ${{ steps.node_versions.outputs.json }} npm_access: ${{ steps.access.outputs.access }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -862,20 +834,14 @@ jobs: docker_bake_json: ${{ steps.docker_bake.outputs.json }} docker_test_matrix: ${{ steps.docker_test.outputs.build }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -990,20 +956,14 @@ jobs: python_versions: ${{ steps.python_versions.outputs.json }} pypi_publish: ${{ steps.python_poetry.outputs.pypi_publish }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1087,20 +1047,14 @@ jobs: cargo_targets: ${{ steps.cargo_targets.outputs.build }} cargo: ${{ steps.cargo_yml.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1141,20 +1095,14 @@ jobs: balena_slugs: ${{ steps.balena_slugs.outputs.build }} balena_yml: ${{ steps.balena_yml.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1200,20 +1148,14 @@ jobs: custom_publish_matrix: ${{ steps.custom_publish_matrix.outputs.build }} custom_finalize_matrix: ${{ steps.custom_finalize_matrix.outputs.build }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1286,20 +1228,14 @@ jobs: outputs: has_readme: ${{ steps.has_readme.outputs.enabled }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1333,20 +1269,14 @@ jobs: stacks: ${{ steps.cloudformation_stacks.outputs.matrix }} includes: ${{ steps.cloudformation_stacks.outputs.includes }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1449,20 +1379,14 @@ jobs: sha_tag: ${{ steps.meta.outputs.sha_tag }} version_tag: ${{ steps.meta.outputs.version_tag }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -1633,20 +1557,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Sort node versions id: node_versions env: @@ -1688,22 +1606,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "pages": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Sort node versions id: node_versions env: @@ -1749,20 +1659,14 @@ jobs: env: DOCKER_BUILDKIT: "1" steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2271,20 +2175,14 @@ jobs: image: ${{ fromJSON(needs.is_docker.outputs.docker_images) }} target: ${{ fromJSON(needs.is_docker.outputs.bake_targets) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2499,20 +2397,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2587,20 +2479,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2672,20 +2558,14 @@ jobs: matrix: python-version: ${{ fromJSON(needs.is_python.outputs.python_versions) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2758,20 +2638,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2832,20 +2706,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2887,20 +2755,14 @@ jobs: (github.event.action != 'closed' || github.event.pull_request.merged == true) && needs.is_website.result == 'success' steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -2956,21 +2818,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Delete draft GitHub release run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true env: @@ -2996,21 +2851,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Delete draft GitHub release run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true env: @@ -3056,20 +2904,14 @@ jobs: working-directory: . shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "write", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3140,20 +2982,14 @@ jobs: sha_tag: ${{ steps.meta.outputs.sha_tag }} version_tag: ${{ steps.meta.outputs.version_tag }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3218,20 +3054,14 @@ jobs: matrix: target: ${{ fromJSON(needs.is_cargo.outputs.cargo_targets) }} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3280,20 +3110,14 @@ jobs: working-directory: ${{ inputs.working_directory }} shell: bash --noprofile --norc -eo pipefail -x {0} steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3336,16 +3160,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3401,16 +3223,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3460,16 +3280,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3515,16 +3333,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3569,16 +3385,14 @@ jobs: echo "::error::Custom actions are disabled for external contributors and will be skipped. \ Please contact a member of the organization for assistance." exit 1 - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: ${{ inputs.token_scope }} + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -3622,20 +3436,14 @@ jobs: ATTEMPTS: 5 TIMEOUT: 3 steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -4009,20 +3817,14 @@ jobs: KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }} LOCK_TIMEOUT: 300s steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -4115,20 +3917,14 @@ jobs: KUBE_NAMESPACE: ${{ vars.KUBE_NAMESPACE }} LOCK_TIMEOUT: 300s steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout ${{ needs.versioned_source.outputs.sha }} uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: @@ -4204,22 +4000,14 @@ jobs: env: BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Get branch protection rules id: branch_protection shell: bash --noprofile --norc -eo pipefail -x {0} @@ -4424,22 +4212,14 @@ jobs: github.event.pull_request.merged == true && inputs.repo_config == true steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + - name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Configure repository env: GH_DEBUG: "true" @@ -4585,8 +4365,8 @@ jobs: id: gh_app_token with: app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} + installation_retrieval_mode: organization + installation_retrieval_payload: ${{ github.repository_owner }} private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} permissions: |- { diff --git a/README.md b/README.md index 654c1d8b1..16bf89888 100644 --- a/README.md +++ b/README.md @@ -206,23 +206,10 @@ jobs: # Required: false app_id: ${{ vars.APP_ID || '291899' }} - # GitHub App installation id + # GitHub App installation id (deprecated, installation is derived from repo owner) # Type: string # Required: false - installation_id: ${{ vars.INSTALLATION_ID || '34040165' }} - - # Ephemeral token scope(s) - # Type: string - # Required: false - token_scope: > - { - "administration": "write", - "contents": "write", - "metadata": "read", - "packages": "write", - "pages": "write", - "pull_requests": "read" - } + installation_id: # Timeout for the job(s). # Type: number diff --git a/flowzone.yml b/flowzone.yml index b0e89c652..feed56436 100644 --- a/flowzone.yml +++ b/flowzone.yml @@ -11,22 +11,16 @@ - &ifPublicRepository if: github.event.repository.private != true - - &getGitHubAppToken # https://github.com/marketplace/actions/github-app-token - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + - &getGitHubAppToken # https://github.com/actions/create-github-app-token + name: Create GitHub App installation token + uses: actions/create-github-app-token@v1.6.2 continue-on-error: true id: gh_app_token - with: &getGitHubAppTokenWith - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - # permissions: ${{ inputs.token_scope }} - permissions: >- - { - "contents": "read", - "metadata": "read" - } + with: + app-id: ${{ inputs.app_id }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + # Create a token for all repositories in the current owner's installation + owner: ${{ github.repository_owner }} # optionally attempt to get AWS login short-lived session credentials over OIDC - &configureAWSCredentials # https://github.com/aws-actions/configure-aws-credentials @@ -815,29 +809,10 @@ on: # https://github.com/organizations/product-os/settings/apps/flowzone-app # https://github.com/organizations/product-os/settings/variables/actions/APP_ID default: "${{ vars.APP_ID || '291899' }}" - # not needed if installed on this current org/repo installation_id: - description: "GitHub App installation id" - type: string - required: false - # https://github.com/organizations/product-os/settings/installations - # https://github.com/organizations/product-os/settings/variables/actions/INSTALLATION_ID - default: "${{ vars.INSTALLATION_ID || '34040165' }}" - token_scope: - description: "Ephemeral token scope(s)" + description: "GitHub App installation id (deprecated, installation is derived from repo owner)" type: string required: false - # https://github.com/organizations/product-os/settings/installations/34040165 - # https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-scoped-access-token - default: >- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "packages": "write", - "pages": "write", - "pull_requests": "read" - } jobs_timeout_minutes: description: "Timeout for the job(s)." type: number @@ -1161,17 +1136,8 @@ jobs: <<: *gitHubCliEnvironment steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # admin permission is currently required to bypass branch protection rules - permissions: >- - { - "administration": "write", - "contents": "write", - "metadata": "read", - "pull_requests": "read" - } + # currently requires repo:admin:write to bypass branch protection + - *getGitHubAppToken # Checkout the merge ref for open PRs - <<: *checkoutMergeRef @@ -2194,18 +2160,7 @@ jobs: <<: *rootWorkingDirectory steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # need permissions to publish to github pages - permissions: >- - { - "pages": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' - + - *getGitHubAppToken - *sortNodeVersions # https://github.com/dawidd6/action-download-artifact @@ -2850,19 +2805,11 @@ jobs: if: | github.event.action == 'closed' && github.event.pull_request.merged == false + <<: *rootWorkingDirectory - steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # contents:write permissions for managing releases - permissions: >- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + steps: + - *getGitHubAppToken - *deleteDraftGitHubRelease github_publish: @@ -2882,17 +2829,7 @@ jobs: <<: *rootWorkingDirectory steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # contents:write permissions for managing releases - permissions: >- - { - "contents": "write", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' - + - *getGitHubAppToken - *deleteDraftGitHubRelease - name: Download all artifacts @@ -2935,16 +2872,7 @@ jobs: <<: *rootWorkingDirectory steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # contents:write permissions for managing releases - permissions: >- - { - "contents": "write", - "metadata": "read" - } - + - *getGitHubAppToken - *checkoutVersionedSha - *getReleaseNotes @@ -3154,12 +3082,7 @@ jobs: steps: - *rejectExternalCustomActions - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # use permissions from the token_scope input - permissions: ${{ inputs.token_scope }} - + - *getGitHubAppToken - *checkoutVersionedSha - *resetGitHubDirectory - *createLocalRefs @@ -3201,13 +3124,7 @@ jobs: steps: - *rejectExternalCustomActions - - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # use permissions from the token_scope input - permissions: ${{ inputs.token_scope }} - + - *getGitHubAppToken - *checkoutVersionedSha - *resetGitHubDirectory - *createLocalRefs @@ -3242,13 +3159,7 @@ jobs: steps: - *rejectExternalCustomActions - - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # use permissions from the token_scope input - permissions: ${{ inputs.token_scope }} - + - *getGitHubAppToken - *checkoutVersionedSha - *resetGitHubDirectory @@ -3281,13 +3192,7 @@ jobs: steps: - *rejectExternalCustomActions - - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # use permissions from the token_scope input - permissions: ${{ inputs.token_scope }} - + - *getGitHubAppToken - *checkoutVersionedSha - *resetGitHubDirectory @@ -3318,13 +3223,7 @@ jobs: steps: - *rejectExternalCustomActions - - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # use permissions from the token_scope input - permissions: ${{ inputs.token_scope }} - + - *getGitHubAppToken - *checkoutVersionedSha - *resetGitHubDirectory @@ -3752,18 +3651,8 @@ jobs: BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # admin permission is required to set branch protection - permissions: >- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' - + # repo:admin:write permission is required to set branch protection + - *getGitHubAppToken - *getBranchProtectionRules - *isDraftPullRequest @@ -3901,17 +3790,8 @@ jobs: github.event.pull_request.merged == true && inputs.repo_config == true steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # admin permission is required modify repo config - permissions: >- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' + # repo:admin:write permission is required to set repository settings + - *getGitHubAppToken - name: Configure repository env: @@ -4031,10 +3911,20 @@ jobs: BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.pull_request.base.ref }}/protection steps: - - <<: *getGitHubAppToken + # https://github.com/marketplace/actions/github-app-token + # FIXME: switch to actions/create-github-app-token as soon as custom permissions are supported + # https://github.com/actions/create-github-app-token/issues/3 + - name: Generate GitHub App installation token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + continue-on-error: true + id: gh_app_token with: - <<: *getGitHubAppTokenWith - # avoid providing any permissions here that are able to bypass branch protections! + app_id: ${{ inputs.app_id }} + installation_retrieval_mode: organization + installation_retrieval_payload: ${{ github.repository_owner }} + private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} + # DO NOT include any permissions here that would bypass branch protections! + # e.g. admin:write would merge PRs before required checks have passed permissions: >- { "administration": "read",