github: use github app to have a token for creating pull requests

This then allows for triggering workflows
ahayzen · Apr 5, 2024 · 12d8fcd · 12d8fcd
1 parent f3763fe
commit 12d8fcd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 32 deletions.
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -4,7 +4,9 @@
 
 name: auto merge
 
-on: pull_request_target
+on:
+  pull_request_target:
+  workflow_dispatch:
 
 permissions:
   pull-requests: write
@@ -16,7 +18,7 @@ jobs:
     # Auto merge if this is
     # - dependabot
     # - update of flake.lock
-    if: "${{ github.event.pull_request.user.login == 'dependabot[bot]' || (github.event.pull_request.user.login == 'github-actions[bot]' && github.event.pull_request.title == 'chore: update flake.lock') }}"
+    if: "${{ github.event.pull_request.user.login == 'dependabot[bot]' || (github.event.pull_request.user.login == 'ahayzen-nix-config-bot' && github.event.pull_request.title == 'chore: update flake.lock') }}"
     steps:
       - name: approve the pr
         run: gh pr review $PR_URL --approve

diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -12,44 +12,27 @@ on:
     - cron: '1 22 * * *'
   workflow_dispatch:
 
-permissions:
-  # So that we can trigger the workflow
-  actions: write
-  # So that a pull request and commit can be created
-  pull-requests: write
-  contents: write
-
 jobs:
   lock-updater:
     name: nix flake update
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@v10
-      - uses: DeterminateSystems/update-flake-lock@v21
-        with:
-          pr-title: "chore: update flake.lock"
 
-      # We need to manually trigger CI status checks
-      # as github prevents workflows automatically running to prevent loops
-      - name: trigger ci status checks
-        uses: actions/github-script@v6
+      # Github action workflows can't trigger another workflow
+      # so we need to have a different token to do this
+      # https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs
+      #
+      # Using a Github app allows us a token limited to this repo
+      # https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
+      - uses: actions/create-github-app-token@v1
+        id: generate-token
         with:
-          script: |
-            github.rest.actions.createWorkflowDispatch({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'check.yml',
-              ref: 'update_flake_lock_action',
-            })
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
-      - name: trigger auto merge
-        uses: actions/github-script@v6
+      - uses: DeterminateSystems/update-flake-lock@v21
         with:
-          script: |
-            github.rest.actions.createWorkflowDispatch({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'auto-merge.yml',
-              ref: 'update_flake_lock_action',
-            })
+          pr-title: "chore: update flake.lock"
+          token: ${{ steps.generate-token.outputs.token }}