From d1defa476969826684d277f851861155deb3dbe1 Mon Sep 17 00:00:00 2001
From: Jeff Widman
Date: Tue, 23 May 2023 18:01:02 -0700
Subject: [PATCH] Switch to using an app token instead of a PAT (#362)

The app token will persist even as users come/go from the :dependabot: team. It also allows us more finegrained access controls from the app settings page if we need to suddenly lockdown something, we don't have to rely on the person who created the PAT.
---
 .github/workflows/dependabot-auto-merge.yml | 9 ++++++++-
 .github/workflows/dependabot-build.yml | 11 +++++++++--
 .github/workflows/release-bump-version.yml | 11 +++++++++--
 .github/workflows/release-move-tracking-tag.yml | 9 ++++++++-
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index bc4edd05..ad204e28 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -7,10 +7,17 @@ jobs:
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - name: Check out code
         uses: actions/checkout@v3
       - name: Auto-merge
         run: gh pr merge --auto --merge '${{ github.event.pull_request.html_url }}'
         env:
-          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
index ed0a702a..fff19a5c 100644
--- a/.github/workflows/dependabot-build.yml
+++ b/.github/workflows/dependabot-build.yml
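Review bot: The `Generate token` step mints an installation token carrying every permission the app has been granted, and nothing in the step narrows it to what `gh pr merge --auto` needs; the identical step is added in dependabot-build.yml, release-bump-version.yml and release-move-tracking-tag.yml, so all four jobs receive the same broad token. If the pinned v1.8.0 of tibdex/github-app-token accepts a `permissions` input, pass a JSON-stringified set limited to this job (here pull-requests and contents write); otherwise keep the app's own permission set minimal, since one app now backs all four workflows. The step also carries no comment explaining why an app token replaces the PAT — the rationale lives only in the commit message — so add one above `- name: Generate token`, e.g. `# Mint a short-lived app installation token so automation is not tied to any one person's PAT`. Pinning the action to a full commit SHA with a version comment is the right call.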
@@ -31,11 +31,18 @@ jobs:
     # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
     if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
     steps:
-      # Check out using a PAT so any pushed changes will trigger checkruns
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          # Check out using an app token so any pushed changes will trigger checkruns
+          token: ${{ steps.generate_token.outputs.token }}
       - name: Setup Node.js
         uses: actions/setup-node@v3
diff --git a/.github/workflows/release-bump-version.yml b/.github/workflows/release-bump-version.yml
index 1fc9a2e3..2815ee07 100644
--- a/.github/workflows/release-bump-version.yml
+++ b/.github/workflows/release-bump-version.yml
@@ -18,11 +18,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
           # Ensure we start from main in case the workflow is run from a branch
           ref: "main"
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v3 # bin/bump-version needs npm
         with:
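Review bot: After this checkout the app token remains in the working copy's git credential config for the rest of the job (actions/checkout persists the token it is given unless `persist-credentials: false` is set), so the `Setup Node.js` step and the dist/ build that the job comment describes run with a push-capable credential on disk while building code taken from the Dependabot branch in `ref:`. That was already true of the PAT, but the token is what this commit introduces, and the comment moved next to `token:` says only why a non-default token is needed, not that it stays on disk; extend it to `# Check out using an app token so any pushed changes will trigger checkruns; checkout keeps this token in .git/config for the later push`. If the push step could instead receive the token explicitly, `persist-credentials: false` here would keep it out of the build steps. The job's steps continue past the hunk.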
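Review bot: The token minted in `Generate token` is consumed both by this checkout of `main` and, in the `@@ -66,7 +73,7 @@` hunk of the same file, by `GH_TOKEN` for creating the PR, so the whole job now rides on one installation token that GitHub expires after roughly an hour, whereas the replaced PAT did not expire. That is fine for a short bump job, but a comment on the step would save a debugging session if a long-running step is ever added: `# Installation tokens expire after ~1 hour; every step below reuses this one`. If the job relies on the resulting PR being authored by the app's bot user (so that other workflows run on it), that is worth stating next to `GH_TOKEN` too; I am inferring that intent, it is not visible here.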
@@ -66,7 +73,7 @@ jobs:
           echo "PR created at URL: $PR_URL"
           echo "PR_URL=$PR_URL" >> $GITHUB_ENV
         env:
-          GH_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
       - name: Set summary
         run: |
diff --git a/.github/workflows/release-move-tracking-tag.yml b/.github/workflows/release-move-tracking-tag.yml
index 610615ae..28176f41 100644
--- a/.github/workflows/release-move-tracking-tag.yml
+++ b/.github/workflows/release-move-tracking-tag.yml
@@ -28,9 +28,16 @@ jobs:
     # the road we increase the robustness of this.
     steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+
       - uses: actions/checkout@v3
         with:
-          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+          token: ${{ steps.generate_token.outputs.token }}
       - name: Move the tracking tag
         run: git tag -f v1
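Review bot: This checkout now authenticates as the app, and the very next step runs `git tag -f v1`, so whatever pushes the force-moved tag (outside this hunk, presumably a later step using the credential checkout persisted) does so under the app's identity rather than the PAT owner's. If the repository has tag protection rules, or the app's installation lacks contents write, that push will fail for a reason the old setup never hit, so a comment above `- uses: actions/checkout@v3` such as `# checkout keeps the app token so the later tag push is authenticated as the app` tells the next person where to look. The comment the hunk opens on (`# the road we increase ...`) begins above the hunk.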