ci: use gh app

2026-01-24 13:32:50 -05:00 · 2025-11-30 01:42:15 -05:00
parent c53836040f
commit d62ef635a7
3 changed files with 91 additions and 98 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -132,19 +132,26 @@ jobs:
    runs-on: ubuntu-latest
    needs: build-core
    steps:
+      - name: Create GitHub App token
+        id: app_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
      - name: Checkout
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GH_PAT }}
+          token: ${{ steps.app_token.outputs.token }}
          fetch-depth: 0

      - name: Update VERSION
        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          set -euo pipefail
-          git config user.name "dms-ci"
-          git config user.email "dms-ci@users.noreply.github.com"
+          git config user.name "dms-ci[bot]"
+          git config user.email "dms-ci[bot]@users.noreply.github.com"

          version="${GITHUB_REF#refs/tags/}"
          echo "Updating to version: $version"
@@ -153,11 +160,12 @@ jobs:

          if ! git diff --cached --quiet; then
            git commit -m "chore: bump version to $version"
-            git push https://x-access-token:${GH_PAT}@github.com/${{ github.repository }}.git HEAD:master
+            git pull --rebase origin master
+            git push https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git HEAD:master
          fi

          git tag -f "${version}"
-          git push -f https://x-access-token:${GH_PAT}@github.com/${{ github.repository }}.git "${version}"
+          git push -f https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git "${version}"

  release:
    runs-on: ubuntu-24.04
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -9,14 +9,25 @@ on:
    branches:
      - master

+permissions:
+  contents: write
+
 jobs:
  update-vendor-hash:
    runs-on: ubuntu-latest
    steps:
+      - name: Create GitHub App token
+        id: app_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
+          token: ${{ steps.app_token.outputs.token }}

      - name: Install Nix
        uses: cachix/install-nix-action@v31
@@ -24,56 +35,32 @@ jobs:
      - name: Update vendorHash in flake.nix
        run: |
          set -euo pipefail
-
-          # Try to build and capture the expected hash from error message
          echo "Attempting nix build to get new vendorHash..."
-
          if output=$(nix build .#dmsCli 2>&1); then
            echo "Build succeeded, no hash update needed"
            exit 0
          fi
-
-          # Extract the expected hash from the error message
          new_hash=$(echo "$output" | grep -oP "got:\s+\K\S+" | head -n1)
-
-          if [ -z "$new_hash" ]; then
-            echo "Could not extract new vendorHash from build output"
-            echo "Build output:"
-            echo "$output"
-            exit 1
-          fi
-
-          echo "New vendorHash: $new_hash"
-
-          # Get current hash from flake.nix
+          [ -n "$new_hash" ] || { echo "Could not extract new vendorHash"; echo "$output"; exit 1; }
          current_hash=$(grep -oP 'vendorHash = "\K[^"]+' flake.nix)
-          echo "Current vendorHash: $current_hash"
-
-          if [ "$current_hash" = "$new_hash" ]; then
-            echo "vendorHash is already up to date"
-            exit 0
-          fi
-
-          # Update the hash in flake.nix
+          [ "$current_hash" = "$new_hash" ] && { echo "vendorHash already up to date"; exit 0; }
          sed -i "s|vendorHash = \"$current_hash\"|vendorHash = \"$new_hash\"|" flake.nix
-
-          # Verify the build works with the new hash
          echo "Verifying build with new vendorHash..."
          nix build .#dmsCli
-
          echo "vendorHash updated successfully!"

      - name: Commit and push vendorHash update
        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          set -euo pipefail
          if ! git diff --quiet flake.nix; then
-            git config user.name "dms-ci"
-            git config user.email "dms-ci@users.noreply.github.com"
+            git config user.name "dms-ci[bot]"
+            git config user.email "dms-ci[bot]@users.noreply.github.com"
            git add flake.nix
            git commit -m "nix: update vendorHash for go.mod changes" || exit 0
-            git push https://x-access-token:${GH_PAT}@github.com/${{ github.repository }}.git HEAD:master
+            git pull --rebase origin master
+            git push https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git HEAD:master
          else
            echo "No changes to flake.nix"
          fi