diff --git a/.github/workflows/Actionlint.yml b/.github/workflows/Actionlint.yml index 1245fdcb6..0ef3ec561 100644 --- a/.github/workflows/Actionlint.yml +++ b/.github/workflows/Actionlint.yml @@ -2,10 +2,7 @@ name: ActionLint on: workflow_call env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - REVIEWDOG_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - SHELLCHECK_OPTS: "-e SC2129 -e SC2155" + SHELLCHECK_OPTS: "-e SC2086 -e SC2129 -e SC2155" jobs: actionlint: runs-on: ubuntu-24.04 @@ -13,9 +10,21 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v4 + - name: checkout + uses: actions/checkout@v4 + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Actionlint uses: reviewdog/action-actionlint@v1 + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: - fail_level: none + fail_level: any reporter: github-pr-review diff --git a/.github/workflows/Linter-Handoff.yml b/.github/workflows/Linter-Handoff.yml index edcd0b1e3..6b19c543f 100644 --- a/.github/workflows/Linter-Handoff.yml +++ b/.github/workflows/Linter-Handoff.yml 
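Review bot: Adding `-e SC2086` to `SHELLCHECK_OPTS` silences the unquoted-expansion warning for every `run:` script that actionlint hands to shellcheck, and word splitting / globbing of environment- or `${{ }}`-derived values is precisely the class of finding that becomes command injection in a workflow. If the exclusion is there to quiet one script, prefer a line-level `# shellcheck disable=SC2086` with a comment saying why, and leave the global option at `SHELLCHECK_OPTS: "-e SC2129 -e SC2155"`. The move to `fail_level: any` in the next hunk makes this sharper: the lint now blocks merges, so global exclusions will be tempting and should be justified in a comment next to the option.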
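Review bot: `peter-murray/workflow-application-token-action@v4` is the step that receives `APPLICATION_PRIVATE_KEY`, a credential more powerful than the PAT it replaces, yet it is referenced by a mutable tag; pin it to a full commit SHA with a version comment, `uses: peter-murray/workflow-application-token-action@<sha> # v4.x.y`, as `repo-merge-conflict.yaml` already does for its action later in this diff. With reviewdog now authenticating through the App token, the job-level `pull-requests: write` grant to `GITHUB_TOKEN` is no longer exercised by any step and can be dropped to `contents: read` alone. The token itself carries every permission the App was installed with; the action's `permissions:` input (check the exact spelling in its README) lets this job request only what review comments need.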
@@ -43,22 +43,27 @@ jobs: needs: handoff if: contains(needs.handoff.outputs.category, 'Markdown') uses: ./.github/workflows/Markdown-lint.yml + secrets: inherit ruby: needs: handoff if: contains(needs.handoff.outputs.category, 'Ruby') uses: ./.github/workflows/Rubocop.yml + secrets: inherit bash: needs: handoff if: contains(needs.handoff.outputs.category, 'Bash') uses: ./.github/workflows/ShellCheck.yml + secrets: inherit yaml: needs: handoff if: contains(needs.handoff.outputs.category, 'YAML') uses: ./.github/workflows/YAMLlint.yml + secrets: inherit action-yaml: needs: handoff if: contains(needs.handoff.outputs.category, 'YAML') uses: ./.github/workflows/Actionlint.yml + secrets: inherit linter-tests: runs-on: ubuntu-24.04 needs: diff --git a/.github/workflows/Markdown-lint.yml b/.github/workflows/Markdown-lint.yml index 5c0c31796..907d339b3 100644 --- a/.github/workflows/Markdown-lint.yml +++ b/.github/workflows/Markdown-lint.yml @@ -1,9 +1,6 @@ --- name: Markdown-lint on: workflow_call -env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} jobs: markdown-lint: runs-on: ubuntu-24.04 @@ -12,8 +9,18 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v4 + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Markdown-lint uses: reviewdog/action-markdownlint@v0 + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: fail_level: any markdownlint_flags: '-s .mdl_style.rb' diff --git a/.github/workflows/No-Compile-Needed.yml b/.github/workflows/No-Compile-Needed.yml index 8b30d7ee7..66a04d6b0 100644 --- a/.github/workflows/No-Compile-Needed.yml +++ b/.github/workflows/No-Compile-Needed.yml 
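Review bot: `secrets: inherit` forwards every repository and organization secret into each reusable linter workflow, but the only secrets those workflows read are `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY`; pass exactly those so a lint job that runs against pull-request content cannot reach anything else. For each call replace the new line with `secrets:` / `  APPLICATION_ID: ${{ secrets.APPLICATION_ID }}` / `  APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}`, and declare both under `on.workflow_call.secrets` with `required: true` in each called workflow. This matters more if `Linter-Handoff.yml` is triggered by `pull_request_target` (its trigger is outside this hunk), because the called jobs then check out and lint contributor-controlled files while holding the App key.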
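Review bot: The seven-line `Get GH Token` step is now copied verbatim into every linter workflow (and twice into `Updater.yml`), so the action pin, the `organization:` value and any future `permissions:` narrowing must be kept in sync by hand across a dozen places. A local composite action under `.github/actions/` that wraps the token request, invoked as `- uses: ./.github/actions/app-token` with `id: get_workflow_token`, would give one place to audit and pin. Separately, the removed top-level `env:` means `GH_TOKEN` is now set only on the `Markdown-lint` step; any other step in this file that shells out to `gh` (none is visible in the hunk) has lost its token.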
@@ -7,7 +7,6 @@ on: description: "Branch of chromebrew/chromebrew to run on, if different from this branch." required: false env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # setting GH_TOKEN for the entire workflow BRANCH: ${{ inputs.branch || github.ref_name }} permissions: actions: write @@ -332,10 +331,18 @@ jobs: git reset --hard "origin/${{ env.BRANCH }}" git pull --rebase origin master && git push -f git log --oneline -10 + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Create Pull Request env: CHANGED_MANIFEST_FILES: ${{ steps.changed-manifest-files.outputs.all_changed_files }} CHANGED_PACKAGES: ${{ needs.setup.outputs.changed_packages }} + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} TIMESTAMP: ${{ needs.setup.outputs.timestamp }} i686_PACKAGES: ${{ needs.setup.outputs.i686_packages }} x86_64_PACKAGES: ${{ needs.setup.outputs.x86_64_packages }} @@ -365,7 +372,7 @@ jobs: echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV" - name: Trigger Unit Test Workflow & Add Reviewer Team env: - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} run: | echo "Flipping pr ${PR_NUMBER} state." gh pr close "${PR_NUMBER}" && gh pr reopen "${PR_NUMBER}" diff --git a/.github/workflows/Repology.yml b/.github/workflows/Repology.yml index e4b012dfa..117f4e268 100644 --- a/.github/workflows/Repology.yml +++ b/.github/workflows/Repology.yml 
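Review bot: Removing the workflow-level `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` replaces it only on two steps of the job starting near line 332; any `gh` or `GITHUB_TOKEN`-reliant step in the file's other jobs (the workflow declares `permissions: actions: write`, which suggests `gh run`/`gh workflow` calls elsewhere) now runs with no token and fails at its first API call. Either keep the workflow-level default and override `GH_TOKEN` only on the steps that need the App identity, or grep every `run:` block for `gh ` before merging. The other jobs are outside this diff, so this is inferred from the removed line rather than observed.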
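Review bot: The `gh pr close` / `gh pr reopen` flip exists to make a freshly created PR fire `pull_request` workflows, which is necessary only when the PR was created with `GITHUB_TOKEN`, whose events never trigger other workflows; now that `Create Pull Request` in the previous hunk also runs under the App token, PR creation itself should trigger them and the flip is probably redundant and adds noise to the PR timeline. Confirm on one run and, if so, drop the two `gh pr close`/`gh pr reopen` lines and keep only the reviewer-team request. If the flip is kept, add a comment above it explaining why an App-created PR still needs it, since the removed line shows it was written around a PAT.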
@@ -27,11 +27,18 @@ jobs: LIBC_VERSION: 2.37 run: | ruby -Ctools json.rb + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Create Pull Request id: cpr uses: peter-evans/create-pull-request@v7 with: - token: ${{ secrets.CREW_PR_TOKEN }} + token: ${{ steps.get_workflow_token.outputs.token }} add-paths: "tools/repology.json" title: "Update Repology JSON" body: "Automatic PR to update tools/repology.json" @@ -40,7 +47,7 @@ jobs: delete-branch: true - name: Trigger Unit Test Workflow & Add Reviewer Team env: - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} run: | echo "Flipping pr ${PR_NUMBER} state." diff --git a/.github/workflows/Rubocop.yml b/.github/workflows/Rubocop.yml index 35cf867bc..4aedad555 100644 --- a/.github/workflows/Rubocop.yml +++ b/.github/workflows/Rubocop.yml @@ -1,9 +1,6 @@ --- name: Rubocop on: workflow_call -env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} jobs: rubocop: runs-on: ubuntu-24.04 @@ -15,8 +12,18 @@ jobs: - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Rubocop uses: reviewdog/action-rubocop@v2 + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: fail_level: any filter_mode: nofilter diff --git a/.github/workflows/ShellCheck.yml b/.github/workflows/ShellCheck.yml index 44c669215..170613f55 100644 
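Review bot: The installation token handed to `peter-evans/create-pull-request` is minted with the full permission set the App was installed with, while this step only needs to push a branch and open a PR; the token action accepts a `permissions:` input to request a subset, e.g. `permissions: "contents:write, pull_requests:write"` (verify the key spelling against the action's README for v4). The PR author and commit identity also change from the PAT owner to the App's bot account, so any branch-protection rule, CODEOWNERS review requirement or automation keyed on the old author needs re-checking. Setting `author:` and `committer:` explicitly on this step keeps the git identity independent of which token signs in.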
--- a/.github/workflows/ShellCheck.yml +++ b/.github/workflows/ShellCheck.yml @@ -1,9 +1,6 @@ --- name: ShellCheck on: workflow_call -env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} jobs: shellcheck: runs-on: ubuntu-24.04 @@ -12,8 +9,18 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v4 + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: ShellCheck uses: reviewdog/action-shellcheck@v1 + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: exclude: './tools/*' fail_level: any diff --git a/.github/workflows/Updater.yml b/.github/workflows/Updater.yml index d7c270c28..28347ffca 100644 --- a/.github/workflows/Updater.yml +++ b/.github/workflows/Updater.yml @@ -4,8 +4,6 @@ on: schedule: - cron: '0 0 * * *' # Daily workflow_dispatch: -env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # setting GH_TOKEN for the entire workflow permissions: # Global permissions configuration starts here actions: write contents: write 
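Review bot: Dropping the workflow-level `GH_TOKEN` in `Updater.yml` leaves every step before the new `Get GH Token` step (the pip/gem update checks, branch creation and the push, all outside this diff) without a `gh` credential, so any `gh` call in that stretch now fails with an authentication error. Because this workflow runs only on `schedule` and `workflow_dispatch` and never on untrusted input, keeping `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` at workflow level and overriding it per step with the App token is the lower-risk shape. The global `permissions:` block (`contents: write`, `actions: write`) still applies to `GITHUB_TOKEN` and deserves a comment, or a reduction, once the App token takes over those actions.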
@@ -98,9 +96,18 @@ jobs: uses: ad-m/github-push-action@master with: branch: ${{ steps.set-variables.outputs.UPDATE_BRANCH_NAME }} + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Cancel if no updates id: no-update-cancel if: ${{ ( steps.pip-update-checks.outputs.PIP_UPDATED == 'false' ) && ( steps.gem-update-checks.outputs.GEM_UPDATED == 'false' ) }} + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} run: | echo "PIP_UPDATED is ${{ steps.pip-update-checks.outputs.PIP_UPDATED }}." echo "GEM_UPDATED is ${{ steps.gem-update-checks.outputs.GEM_UPDATED }}." @@ -115,5 +122,14 @@ jobs: env: UPDATE_BRANCH_NAME: ${{ needs.update-check.outputs.update_branch_name }} steps: + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: gh_workflow_dispatch + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} run: gh workflow -R chromebrew/chromebrew run Build.yml -f branch="${UPDATE_BRANCH_NAME}" diff --git a/.github/workflows/YAMLlint.yml b/.github/workflows/YAMLlint.yml index c10e38614..d9bf5d9fa 100644 --- a/.github/workflows/YAMLlint.yml +++ b/.github/workflows/YAMLlint.yml @@ -1,9 +1,6 @@ --- name: YAMLLint on: workflow_call -env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }} - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} jobs: yamllint: runs-on: ubuntu-24.04 
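Review bot: The new `Get GH Token` step in the dispatch job mints an App installation token solely to run `gh workflow run Build.yml`, but `workflow_dispatch` is one of the two events that `GITHUB_TOKEN` is allowed to trigger, and this workflow already grants it `actions: write`; the removed workflow-level `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is what made this step work before. Handling the App private key in one more job is added exposure for no functional gain, so unless the dispatch must be attributed to the App, set `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the `gh_workflow_dispatch` step and drop the token step from this job.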
@@ -11,9 +8,20 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v4 + - name: checkout + uses: actions/checkout@v4 + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: YAMLLint uses: reviewdog/action-yamllint@v1 + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} + REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: fail_level: any reporter: github-pr-review diff --git a/.github/workflows/autocheck.yml b/.github/workflows/autocheck.yml index 13b17df46..4054f2806 100644 --- a/.github/workflows/autocheck.yml +++ b/.github/workflows/autocheck.yml @@ -4,8 +4,6 @@ on: schedule: - cron: '0 0 * * *' workflow_dispatch: -env: - GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} permissions: actions: write contents: write @@ -20,7 +18,16 @@ jobs: - uses: actions/checkout@v4 with: persist-credentials: true + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - name: Run required checks if necessary + env: + GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }} run: | for pr in $(gh pr list -s open --author app/github-actions --json number | jq '.[].number') do diff --git a/.github/workflows/repo-merge-conflict.yaml b/.github/workflows/repo-merge-conflict.yaml index f3c099ce8..3733fa0ba 100644 --- a/.github/workflows/repo-merge-conflict.yaml +++ b/.github/workflows/repo-merge-conflict.yaml 
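Review bot: `gh pr list -s open --author app/github-actions` selects PRs opened by the `GITHUB_TOKEN` identity, but after this change `No-Compile-Needed.yml` creates its PRs with the App token, so those PRs are authored by the App's bot user and this loop will silently iterate over nothing. Update the filter to the App's slug (e.g. `--author app/<app-slug>`) or match both authors, and echo the selected PR numbers before the loop so an empty match is visible in the log rather than a green no-op run. The loop body continues outside this hunk, so I cannot tell whether anything downstream would notice the empty list.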
@@ -13,7 +13,14 @@ jobs: runs-on: ubuntu-24.04 if: ${{ contains(github.repository_owner, 'chromebrew') }} steps: + - name: Get GH Token + id: get_workflow_token + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.APPLICATION_ID }} + application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} + organization: chromebrew - uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 with: dirtyLabel: merge conflict - repoToken: ${{ secrets.CREW_PR_TOKEN }} + repoToken: ${{ steps.get_workflow_token.outputs.token }}
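Review bot: Within the same step list, `eps1lon/actions-label-merge-conflict` is pinned to a full SHA with a `# v3.0.3` comment while the new `peter-murray/workflow-application-token-action@v4`, the step that actually receives `APPLICATION_PRIVATE_KEY`, floats on a mutable tag; pin it the same way, `uses: peter-murray/workflow-application-token-action@<sha> # v4.x.y`, and let Dependabot or Renovate move the SHA. The labeler only needs to read PRs and add a label, so the token could also be narrowed through the action's `permissions:` input (e.g. `pull_requests:write`) instead of inheriting the full App grant.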