ci: use app-token-action for release and dependency updates (#357)

* ci: use app-token-action for release token * ci: set correct workflow permissions * ci: remove permissions again * ci: use app-token-action for dependency updates
philips-software · Mar 12, 2024 · 60949e1 · 60949e1
1 parent 8653908
commit 60949e1
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
@@ -25,6 +25,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: oxsecurity/megalinter/flavors/documentation@a7a0163b6c8ff7474a283d99a706e27483ddd80f # v7.10.0
         env:
           APPLY_FIXES: all

diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -20,26 +20,42 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - run: ./update-apt-dependencies.sh apt-requirements-base.json apt-requirements-clang.json
         working-directory: .devcontainer
+      - uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # v2.0.0
+        id: token
+        with:
+          app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
+          app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
+          auth_type: installation
       - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1
         with:
           commit-message: "chore(deps): update dependencies"
           branch: feature/update-apt-dependencies
           title: "chore(deps): update dependencies"
           labels: dependencies,apt
-          token: ${{ secrets.AMP_RELEASER_TOKEN }}
+          token: ${{ steps.token.outputs.token }}
   update-vscode-extensions:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/update-vscode-extensions
         id: update-extensions
         with:
           input-file: .devcontainer/devcontainer-metadata-vscode.json
+      - uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # v2.0.0
+        id: token
+        with:
+          app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
+          app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
+          auth_type: installation
       - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1
         with:
           commit-message: "chore(deps): update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }}"
@@ -51,4 +67,4 @@ jobs:
             > Before merging this PR, please conduct a manual test checking basic functionality of the updated plug-ins. There are no automated tests for the VS Code Extension updates.
           title: "chore(deps): update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }}"
           labels: dependencies,vscode-extensions
-          token: ${{ secrets.AMP_RELEASER_TOKEN }}
+          token: ${{ steps.token.outputs.token }}