Skip to content

Commit

Permalink
Use Github App for pushing commits
Browse files Browse the repository at this point in the history
  • Loading branch information
rtyley committed Feb 10, 2024
1 parent 26b2cde commit eb9dee8
Showing 1 changed file with 22 additions and 1 deletion.
23 changes: 22 additions & 1 deletion .github/workflows/reusable-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,13 @@ name: Scala Library Release Workflow
on:
workflow_call:
inputs:
GITHUB_APP_ID:
description:
"App ID for a GitHub App that is allowed to push directly to the default branch. Eg, App ID on:
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release"
default: '807361' # Only for use by the Guardian!
required: true
type: string
SONATYPE_PROFILE_NAME:
description: 'Sonatype account profile name, eg "com.gu", "org.xerial", etc (not your Sonatype username)'
default: 'com.gu' # Only for use by the Guardian!
Expand All @@ -28,6 +35,11 @@ on:
Should be in normal plaintext 'BEGIN PGP PUBLIC KEY BLOCK' (ASCII-armored) format, with no additional BASE64-encoding.
The passphrase can be removed from an existing key using 'gpg --edit-key <key-id> passwd' : https://unix.stackexchange.com/a/550538/46453"
required: true
GITHUB_APP_PRIVATE_KEY:
description:
"See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys
Should be in normal plaintext '-----BEGIN RSA PRIVATE KEY-----' format"
required: true
outputs:
RELEASE_VERSION:
description: "The un-prefixed version number of the release, eg '3.0.1'"
Expand Down Expand Up @@ -143,9 +155,14 @@ jobs:
release_version: ${{ steps.create-commit.outputs.release_version }}
release_commit_id: ${{ steps.create-commit.outputs.release_commit_id }}
steps:
- id: generate-github-app-token
uses: actions/create-github-app-token@v1
with: { app-id: ${{ inputs.GITHUB_APP_ID }} , private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} }
- uses: actions/checkout@v4
with:
path: repo
token: ${{ steps.generate-github-app-token.outputs.token }}
persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
- uses: actions/cache/restore@v4
with:
path: repo-with-unsigned-version-update-commits.git
Expand Down Expand Up @@ -350,10 +367,12 @@ jobs:
env:
RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
RELEASE_VERSION: ${{ needs.push-release-commit.outputs.release_version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}
steps:
- id: generate-github-app-token
uses: actions/create-github-app-token@v1
with: { app-id: ${ { inputs.GITHUB_APP_ID } }, private-key: ${ { secrets.GITHUB_APP_PRIVATE_KEY } } }
- name: Common values
run: |
GITHUB_ACTIONS_PATH="$GITHUB_REPO_URL/actions"
Expand All @@ -367,11 +386,13 @@ jobs:
EndOfFile
- name: Create Github Release
if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
run: |
gh release create $RELEASE_TAG --verify-tag --generate-notes --notes "Release run: $GITHUB_WORKFLOW_RUN_LINK"
echo "GitHub Release notes: [$RELEASE_TAG]($GITHUB_REPO_URL/releases/tag/$RELEASE_TAG)" >> $GITHUB_STEP_SUMMARY
- name: Update PR with comment
if: needs.init.outputs.release_type == 'PREVIEW_FEATURE_BRANCH'
env: { GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }} }
run: |
cat << EndOfFile > comment_body.txt
@${{github.actor}} has published a preview version of this PR with release workflow run $GITHUB_WORKFLOW_RUN_LINK, based on commit ${{ github.sha }}:
Expand Down

0 comments on commit eb9dee8

Please sign in to comment.