ci/update: use nix-community GitHub App

2025-06-21 00:25:42 +02:00 · 2025-05-23 19:19:44 +01:00 · 2025-05-23 19:19:44 +01:00 · ad7e489aa1
commit ad7e489aa1
parent fb2d007f95
1 changed files with 22 additions and 9 deletions
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -43,21 +43,34 @@ jobs:
      workflow_run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

    steps:
+      - name: Create GitHub App token
+        uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.CI_APP_ID }}
+          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
+
+      - name: Get GitHub App User ID
+        id: user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Configure git
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          ssh-key: ${{ secrets.CI_UPDATE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}

      - name: Install Nix
        uses: cachix/install-nix-action@v31
        with:
          nix_path: nixpkgs=channel:nixos-unstable
-          github_access_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Configure git
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          github_access_token: ${{ steps.app-token.outputs.token }}

      - name: Create update branch
        run: |
@ -67,7 +80,7 @@ jobs:
      - name: Get info on the current PR
        id: open_pr_info
        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Query for info about the already open update PR
          info=$(
@ -179,7 +192,7 @@ jobs:
        id: updated_pr
        if: steps.diff.outputs.count
        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          pr_num: ${{ steps.open_pr_info.outputs.number }}
          title: |
            [${{ github.ref_name }}] Update flake.lock & generated files