chore: use GitHub application token (#3616)

* chore: remove GitHub PAT token usage * chore: updated release to application token * chore: update changeset * chore: revert app usage * chore: renamed secret to `APP_PRIVATE_KEY` * chore: rollback changeset migration * chore: update private key secret * chore: favour action * chore: external GitHub token * chore: use internal app token * chore: updated docs token * Revert "chore: updated docs token" This reverts commit ef84180. * chore: removed un-need token usage * chore: update docs token * chore: remove any un-necessary app usage * chore: updated flow * chore: remove `INTERNAL_` prefix from app token * Update .github/workflows/changesets-pr.yaml * Update .github/workflows/release.yaml --------- Co-authored-by: Anderson Arboleya <[email protected]>
FuelLabs · Feb 18, 2025 · 4a26957 · 4a26957
1 parent dcec508
commit 4a26957
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 32 deletions.
diff --git a/.github/workflows/changesets-pr.yaml b/.github/workflows/changesets-pr.yaml
@@ -21,6 +21,20 @@ jobs:
       github.event.before != '0000000000000000000000000000000000000000'
 
     steps:
+      - name: Create the Internal GitHub App Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_KEY }}
+
+      - name: Create Fuel Docs GitHub Token
+        uses: actions/create-github-app-token@v1
+        id: docs-token
+        with:
+          app-id: ${{ vars.FUEL_DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.FUEL_DOCS_BOT_APP_KEY }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -38,8 +52,6 @@ jobs:
           echo "FUEL_CORE_VERSION=$(cat ./internal/fuel-core/VERSION)" >> $GITHUB_ENV
           echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
           git reset --hard
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set branch name and changeset PR title
         run: |
@@ -55,24 +67,23 @@ jobs:
           commit: "ci(release): versioning packages and changesets"
           title: ${{ env.CHANGESET_PR_TITLE }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Prettify changelog
         run: pnpm changeset:update-changelog
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           REF_NAME: ${{ github.ref_name }}
           PUBLISHED: "false"
 
-      # # Commenting out as we require permissions to trigger across repos
-      # - name: Update docs
-      #   if: github.ref_name == 'master'
-      #   uses: benc-uk/workflow-dispatch@v1
-      #   with:
-      #     workflow: update-nightly.yml
-      #     ref: master
-      #     repo: FuelLabs/docs-hub
-      #     token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update docs
+        if: github.ref_name == 'master'
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: update-nightly.yml
+          ref: master
+          repo: FuelLabs/docs-hub
+          token: ${{ steps.docs-token.outputs.token }}
 
       # Upload assets to S3
       - uses: unfor19/[email protected]

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,6 +22,13 @@ jobs:
       github.event.before != '0000000000000000000000000000000000000000'
 
     steps:
+      - name: Create Fuel Docs GitHub Token
+        uses: actions/create-github-app-token@v1
+        id: docs-token
+        with:
+          app-id: ${{ vars.FUEL_DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.FUEL_DOCS_BOT_APP_KEY }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -39,8 +46,6 @@ jobs:
           echo "FUEL_CORE_VERSION=$(cat ./internal/fuel-core/VERSION)" >> $GITHUB_ENV
           echo "FORC_VERSION=$(cat ./internal/forc/VERSION)" >> $GITHUB_ENV
           git reset --hard
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Ensure NPM access
         run: npm whoami
@@ -95,15 +100,14 @@ jobs:
           pnpm install --global vercel@latest
           vercel --prod --token=${{ secrets.VERCEL_TOKEN }}
 
-      # # Commenting out as we require permissions to trigger across repos
-      # - name: Update docs
-      #   if: github.ref_name == 'master'
-      #   uses: benc-uk/workflow-dispatch@v1
-      #   with:
-      #     workflow: update-nightly.yml
-      #     ref: master
-      #     repo: FuelLabs/docs-hub
-      #     token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update docs
+        if: github.ref_name == 'master'
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: update-nightly.yml
+          ref: master
+          repo: FuelLabs/docs-hub
+          token: ${{ steps.docs-token.outputs.token }}
 
       - name: Create PR to apply latest release to master
         if: |
@@ -135,11 +139,10 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-    # # Commenting out as we require permissions to trigger across repos
-    # - name: Notify migrations and disclosures of the new release (breaking changes)
-    #   run: |
-    #     curl -X POST \
-    #       -H "Accept: application/vnd.github.v3+json" \
-    #       -H "Authorization: token ${{ secrets.MIGRATIONS_RELEASE_TRIGGER_TOKEN }}" \
-    #       https://api.github.com/repos/FuelLabs/migrations-and-disclosures/dispatches \
-    #       -d '{"event_type":"update_versions"}'
+      - name: Notify migrations and disclosures of the new release (breaking changes)
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: migrations.yml
+          ref: master
+          repo: FuelLabs/migrations-and-disclosures
+          token: ${{ steps.docs-token.outputs.token }}