ci: remove repository dispatch token usage

.github/workflows/hive-consensus-tests.yml

@@ -1,9 +1,9 @@
-name: 'Hive consensus tests'
+name: "Hive consensus tests"
 
 on:
   push:
     branches: [release/*]
-    
+
   workflow_dispatch:
     inputs:
       parallelism:
@@ -13,7 +13,7 @@ on:
         type: choice
         options: ['1', '2', '3', '4', '8', '16']
 
-concurrency: 
+concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
@@ -24,83 +24,90 @@ jobs:
       cleanRef: ${{ steps.prepare_ref.outputs.cleanRef }}
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        ref: ${{ github.ref }}
-
-    - name: Prepare docker tag
-      id: prepare_ref
-      run: |
-        REF_NAME=${{ github.ref }}
-        CLEAN_REF=$(echo "${REF_NAME/refs\/heads\//}" | sed 's/[^a-zA-Z0-9._-]/-/g')
-        echo "CLEAN_REF=$CLEAN_REF" >> $GITHUB_ENV
-        echo "cleanRef=$CLEAN_REF" >> $GITHUB_OUTPUT
-
-    - name: Set Repo and Org Variables
-      id: cleanup
-      run: |
-        echo "ORG_NAME=${{ github.repository_owner }}" >> $GITHUB_ENV
-        echo "REPO_NAME=${{ github.event.repository.name }}" >> $GITHUB_ENV
-
-    - name: Check if master or release branch
-      id: check_conditions
-      run: |
-        ref="${{ github.ref }}"
-        event_name="${{ github.event_name }}"
-
-        # Append "refs/heads/" prefix if it's not already there
-        if [[ $ref != refs/heads/* ]]; then
-          ref="refs/heads/$ref"
-        fi
-
-        # Initialize variables
-        skip_docker_build="false"
-        skip_wait_for_docker="false"
-
-        # Set conditions based on branch and event type
-        if [[ "$ref" == "refs/heads/master" || $ref == refs/heads/release* ]]; then
-          skip_docker_build="true"
-
-          if [[ "$event_name" == "workflow_dispatch" ]]; then
-            skip_wait_for_docker="true"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Authenticate App
+        id: gh-app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Prepare docker tag
+        id: prepare_ref
+        run: |
+          REF_NAME=${{ github.ref }}
+          CLEAN_REF=$(echo "${REF_NAME/refs\/heads\//}" | sed 's/[^a-zA-Z0-9._-]/-/g')
+          echo "CLEAN_REF=$CLEAN_REF" >> $GITHUB_ENV
+          echo "cleanRef=$CLEAN_REF" >> $GITHUB_OUTPUT
+
+      - name: Set Repo and Org Variables
+        id: cleanup
+        run: |
+          echo "ORG_NAME=${{ github.repository_owner }}" >> $GITHUB_ENV
+          echo "REPO_NAME=${{ github.event.repository.name }}" >> $GITHUB_ENV
+
+      - name: Check if master or release branch
+        id: check_conditions
+        run: |
+          ref="${{ github.ref }}"
+          event_name="${{ github.event_name }}"
+
+          # Append "refs/heads/" prefix if it's not already there
+          if [[ $ref != refs/heads/* ]]; then
+            ref="refs/heads/$ref"
+          fi
+
+          # Initialize variables
+          skip_docker_build="false"
+          skip_wait_for_docker="false"
+
+          # Set conditions based on branch and event type
+          if [[ "$ref" == "refs/heads/master" || $ref == refs/heads/release* ]]; then
+            skip_docker_build="true"
+
+            if [[ "$event_name" == "workflow_dispatch" ]]; then
+              skip_wait_for_docker="true"
+            fi
           fi
-        fi
-
-        # Output the variables
-        echo "skip_docker_build=$skip_docker_build" >> $GITHUB_OUTPUT
-        echo "skip_wait_for_docker=$skip_wait_for_docker" >> $GITHUB_OUTPUT
-
-    - name: Trigger Docker Build Action with Cleaned Ref
-      if: steps.check_conditions.outputs.skip_docker_build != 'true'
-      uses: benc-uk/workflow-dispatch@v1
-      env:
-        ADDITIONAL_OPTIONS: ${{ inputs.additional_options }}
-      with:
+
+          # Output the variables
+          echo "skip_docker_build=$skip_docker_build" >> $GITHUB_OUTPUT
+          echo "skip_wait_for_docker=$skip_wait_for_docker" >> $GITHUB_OUTPUT
+
+      - name: Trigger Docker Build Action with Cleaned Ref
+        if: steps.check_conditions.outputs.skip_docker_build != 'true'
+        uses: benc-uk/workflow-dispatch@v1
+        env:
+          ADDITIONAL_OPTIONS: ${{ inputs.additional_options }}
+        with:
           workflow: publish-docker.yml
           ref: "${{ github.ref }}"
-          token: "${{ secrets.REPOSITORY_DISPATCH_TOKEN }}"
+          token: "${{ steps.gh-app.outputs.token }}"
           inputs: '{
-              "tag": "${{ env.CLEAN_REF }}",
-              "dockerfile": "Dockerfile",
-              "build-config": "release"
-           }'
-
-    - name: Wait for Docker Build Action to complete
-      if: steps.check_conditions.outputs.skip_wait_for_docker != 'true'
-      env:
-        GITHUB_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_TOKEN }}
-        WORKFLOW_ID: 'publish-docker.yml'
-        MAX_WAIT_MINUTES: '5'
-        INTERVAL: '5'
-        TIMEOUT: '10'
-        ORG_NAME: ${{ env.ORG_NAME }}
-        REPO_NAME: ${{ env.REPO_NAME }}
-        REF: ${{ github.ref }}
-      run: |
-        chmod +x scripts/wait-for-workflow-completed.sh
-        ./scripts/wait-for-workflow-completed.sh
-      working-directory: ${{ github.workspace }}
+            "tag": "${{ env.CLEAN_REF }}",
+            "dockerfile": "Dockerfile",
+            "build-config": "release"
+            }'
+
+      - name: Wait for Docker Build Action to complete
+        if: steps.check_conditions.outputs.skip_wait_for_docker != 'true'
+        env:
+          GITHUB_TOKEN: ${{ steps.gh-app.outputs.token }}
+          WORKFLOW_ID: 'publish-docker.yml'
+          MAX_WAIT_MINUTES: '5'
+          INTERVAL: '5'
+          TIMEOUT: '10'
+          ORG_NAME: ${{ env.ORG_NAME }}
+          REPO_NAME: ${{ env.REPO_NAME }}
+          REF: ${{ github.ref }}
+        run: |
+          chmod +x scripts/wait-for-workflow-completed.sh
+          ./scripts/wait-for-workflow-completed.sh
+        working-directory: ${{ github.workspace }}
 
   generate_hive_consensus_tests:
     name: "Prepare all hive tests to be started"
@@ -113,7 +120,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: nethermind
-          submodules: 'recursive'
+          submodules: "recursive"
       - name: Generate Hive Json For Matrix
         id: set-matrix
         run: |

.github/workflows/publish-packages.yml

@@ -98,11 +98,20 @@ jobs:
     env:
       FORMULA: nethermind.rb
     steps:
+      - name: Authenticate App
+        id: gh-app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          repositories: "homebrew-nethermind"
+
       - name: Check out homebrew-nethermind repository
         uses: actions/checkout@v4
         with:
           repository: NethermindEth/homebrew-nethermind
-          token: ${{ secrets.REPOSITORY_DISPATCH_TOKEN }}
+          token: ${{ steps.gh-app.outputs.token }}
+
       - name: Update formula file
         run: |
           json=$(curl -sL ${{ github.event.release.assets_url }})
@@ -117,7 +126,7 @@ jobs:
           awk -i inplace -v n=2 '/sha256/ { if (++count == n) sub(/sha256.*/, "sha256 \"'$arm64_hash'\""); } 1' $FORMULA
       - name: Submit package
         env:
-          GH_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_TOKEN }}
+          GH_TOKEN: ${{ steps.gh-app.outputs.token }}
         run: |
           head_branch=feature/v${{ github.event.release.tag_name }}-${{ github.run_number }}-${{ github.run_attempt }}
           message="Update for v${{ github.event.release.tag_name }}"

.github/workflows/release.yml

@@ -116,14 +116,20 @@ jobs:
     steps:
       - name: Check out Nethermind repository
         uses: actions/checkout@v4
+      - name: Authenticate App
+        id: gh-app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
           path: ${{ github.workspace }}/${{ env.PACKAGE_DIR }}
       - name: Publish
         env:
           GIT_TAG: ${{ github.event.inputs.tag }}
-          GITHUB_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.gh-app.outputs.token }}
           PACKAGE_PREFIX: ${{ needs.build.outputs.package-prefix }}
           PRERELEASE: ${{ needs.build.outputs.prerelease }}
         run: |
@@ -165,6 +171,12 @@ jobs:
     steps:
       - name: Check out Nethermind repository
         uses: actions/checkout@v4
+      - name: Authenticate App
+        id: gh-app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -195,4 +207,4 @@ jobs:
           curl -s -X POST https://api.github.com/repos/$GITHUB_REPOSITORY/dispatches \
             -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" \
             -d '{"event_type":"dappnode","client_payload":{"tag":"${{ github.event.inputs.tag }}"}}' \
-            -u "${{ secrets.REPOSITORY_DISPATCH_TOKEN }}"
+            -u "${{ steps.gh-app.outputs.token }}"