From 4dd49f9b62f975a79dd486b458f6541d137fdb97 Mon Sep 17 00:00:00 2001
From: risson <18313093+rissson@users.noreply.github.com>
Date: Wed, 31 May 2023 14:23:04 +0200
Subject: [PATCH] ci: replace github bot account with github app (#5819)
Co-authored-by: Jens Langhammer
---
 .github/workflows/ghcr-retention.yml | 7 ++++++-
 .github/workflows/release-tag.yml | 9 +++++++--
 .github/workflows/translation-compile.yml | 9 +++++++--
 .github/workflows/web-api-publish.yml | 11 ++++++++---
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ghcr-retention.yml b/.github/workflows/ghcr-retention.yml
index 308c1351a..b7dc6c447 100644
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@@ -10,6 +10,11 @@ jobs:
 name: Delete old unused container images
 runs-on: ubuntu-latest
 steps:
+ - id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - name: Delete 'dev' containers older than a week
 uses: snok/container-retention-policy@v2
 with:
@@ -18,5 +23,5 @@ jobs:
 account-type: org
 org-name: goauthentik
 untagged-only: false
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 skip-tags: gh-next,gh-main
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 6673cc4f2..7598c58f1 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
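Review bot: The new `generate_token` step in ghcr-retention.yml hands `secrets.GH_APP_PRIVATE_KEY` to a third-party action referenced by the mutable tag `tibdex/github-app-token@v1`, so a retagged or compromised release of that action would see the App's private key on every run. Pin the reference to a full commit SHA that has been reviewed, e.g. `uses: tibdex/github-app-token@<full-commit-sha>  # v1.x.y` (placeholder, not a real SHA). As written the token also carries every permission the App installation has; if the pinned version offers the action's `permissions` input, request only what this job needs. The identical step is added in release-tag.yml, translation-compile.yml and web-api-publish.yml, and the same applies there.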
@@ -22,18 +22,23 @@ jobs:
 docker-compose up --no-start
 docker-compose start postgresql redis
 docker-compose run -u root server test-all
+ - id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - name: Extract version number
 id: get_version
 uses: actions/github-script@v6
 with:
- github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ github-token: ${{ steps.generate_token.outputs.token }}
 script: |
 return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
 - name: Create Release
 id: create_release
 uses: actions/create-release@v1.1.4
 env:
- GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 with:
 tag_name: ${{ github.ref }}
 release_name: Release ${{ steps.get_version.outputs.result }}
diff --git a/.github/workflows/translation-compile.yml b/.github/workflows/translation-compile.yml
index 6084493d9..8fa655213 100644
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@@ -15,9 +15,14 @@ jobs:
 compile:
 runs-on: ubuntu-latest
 steps:
+ - id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v3
 with:
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 - name: Setup authentik env
 uses: ./.github/actions/setup
 - name: run compile
@@ -26,7 +31,7 @@ jobs:
 uses: peter-evans/create-pull-request@v5
 id: cpr
 with:
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 branch: compile-backend-translation
 commit-message: "core: compile backend translations"
 title: "core: compile backend translations"
diff --git a/.github/workflows/web-api-publish.yml b/.github/workflows/web-api-publish.yml
index 1b8521d87..6bd1fd570 100644
--- a/.github/workflows/web-api-publish.yml
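Review bot: In release-tag.yml the "Extract version number" step now receives the App installation token through `github-token`, yet its script only reads `context.payload.ref` and makes no API call in the visible lines. Removing that input, so the step falls back to the workflow's default token, would keep the App token confined to "Create Release", which appears to be the only step here that needs it. Separately, the pattern `/\/refs\/tags\/version\//` begins with a slash while tag refs normally arrive as `refs/tags/...`, so the replace may never match; that line is unchanged context, but it is worth checking while this step is being edited.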
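Review bot: Passing the App token to `actions/checkout@v3` through `token:` in translation-compile.yml leaves it in the checkout's local git config by default, where the later steps (`./.github/actions/setup`, "run compile") and whatever they execute can read it. Because `peter-evans/create-pull-request` is given the token in its own `with:` block, the checkout step can probably use the default token plus `persist-credentials: false`; confirm the PR step still pushes after that change. Moving `generate_token` to just before the PR step would also shorten the time the short-lived token exists in the job. The first hunk of web-api-publish.yml has the same checkout pattern, and the job body continues beyond this hunk.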
+++ b/.github/workflows/web-api-publish.yml
@@ -9,9 +9,14 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
+ - id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v3
 with:
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 - uses: actions/setup-node@v3.6.0
 with:
 node-version: "20"
@@ -33,7 +38,7 @@ jobs:
 - uses: peter-evans/create-pull-request@v5
 id: cpr
 with:
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 branch: update-web-api-client
 commit-message: "web: bump API Client version"
 title: "web: bump API Client version"
@@ -44,6 +49,6 @@ jobs:
 author: authentik bot
 - uses: peter-evans/enable-pull-request-automerge@v3
 with:
- token: ${{ secrets.BOT_GITHUB_TOKEN }}
+ token: ${{ steps.generate_token.outputs.token }}
 pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
 merge-method: squash