From 9e712afcefd995460fc94ed63b98a10e20ab43e4 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 17 Feb 2025 15:21:23 +0100 Subject: [PATCH 1/2] build-and-deploy: save on an unnecessary step The step that writes out the token required to upload to the Azure Blob container is unneeded; The `pacman-helper.sh` script accepts it as an environment variable (using a lower-cased name), too. The `release-git` workflow already does it that way, and so can the `build-and-deploy` workflow. Signed-off-by: Johannes Schindelin --- .github/workflows/build-and-deploy.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 1fee68c5..dd499c32 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -306,22 +306,13 @@ jobs: name: artifacts path: artifacts - - name: Prepare home directory for deploying to the Pacman repository - if: env.BUILD_ONLY != 'true' && env.AZURE_BLOBS_TOKEN != '' - env: - AZURE_BLOBS_TOKEN: ${{secrets.AZURE_BLOBS_TOKEN}} - shell: bash - run: | - echo "::add-mask::$(echo "$AZURE_BLOBS_TOKEN" | base64 -w 0)" && - echo "$AZURE_BLOBS_TOKEN" >"$HOME"/.azure-blobs-token - - name: ${{ env.BUILD_ONLY == 'true' && 'Test-deploy' || 'Deploy' }} Pacman packages - if: env.BUILD_ONLY == 'true' || env.AZURE_BLOBS_TOKEN != '' + if: env.BUILD_ONLY == 'true' || env.azure_blobs_token != '' shell: bash env: GPGKEY: ${{secrets.GPGKEY}} PACMANDRYRUN: ${{env.BUILD_ONLY}} - AZURE_BLOBS_TOKEN: ${{secrets.AZURE_BLOBS_TOKEN}} + azure_blobs_token: ${{secrets.AZURE_BLOBS_TOKEN}} run: /usr/src/build-extra/pacman-helper.sh quick_add artifacts/* - name: Clean up temporary files From 82d0492722120d8f5f3fc27ce5e8fbeb1297610b Mon Sep 17 00:00:00 2001 
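Review bot: Removing the `Prepare home directory…` step also removes the only `::add-mask::` registration for the base64-encoded form of `AZURE_BLOBS_TOKEN`, so only the raw secret value is still redacted in the job log. Whether `pacman-helper.sh quick_add` can print the token in an encoded form is not visible in this hunk. If it can, keep the mask by turning the deploy step's `run:` into a block whose first line is `echo "::add-mask::$(echo "$azure_blobs_token" | base64 -w 0)"`, followed by the existing helper call. It is also worth confirming that the following `Clean up temporary files` step, whose body lies outside the hunk, no longer expects `"$HOME"/.azure-blobs-token` to exist.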
From: Johannes Schindelin Date: Mon, 17 Feb 2025 15:33:51 +0100 Subject: [PATCH 2/2] build-and-deploy/release-git: support the new Pacman repository In https://github.com/git-for-windows/build-extra/pull/595, I started the official transition of Git for Windows' Pacman repository away from an Azure Blob container in my personal account to https://github.com/git-for-windows/pacman-repo. For the transition period, this still requires the token to upload to the Azure Blob container, but it also already requires the token to push to `pacman-repo` and to create GitHub releases there. The two users of `pacman-helper.sh quick_add` that now need this token are hereby adapted accordingly. Signed-off-by: Johannes Schindelin --- .github/actions/pacman-packages/action.yml | 8 ++++++++ .github/workflows/build-and-deploy.yml | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/.github/actions/pacman-packages/action.yml b/.github/actions/pacman-packages/action.yml index 6292d6ba..5854fe56 100644 --- a/.github/actions/pacman-packages/action.yml +++ b/.github/actions/pacman-packages/action.yml @@ -118,12 +118,20 @@ runs: mkdir -p "$HOME" && echo '${{ inputs.priv-gpg-key }}' | tr % '\n' | gpg $GPG_OPTIONS --import && git config --global gpg.program "$RUNNER_TEMP/build-extra/gnupg-with-gpgkey.sh" + - uses: actions/create-github-app-token@v1 + id: pacman-repo-token + with: + app-id: ${{ inputs.app-id }} + private-key: ${{ inputs.private-key }} + owner: ${{ inputs.owner }} + repositories: pacman-repo - name: Upload Pacman packages shell: bash env: GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback" GPGKEY: ${{ inputs.gpg-key }} azure_blobs_token: ${{ inputs.azure-blobs-token }} + GITHUB_TOKEN: ${{ steps.pacman-repo-token.outputs.token }} run: | "$RUNNER_TEMP"/build-extra/pacman-helper.sh quick_add pkg-x86_64/*.tar.* pkg-i686/*.tar.* pkg-aarch64/*.tar.* - name: update check-run 
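Review bot: The new token step uses `actions/create-github-app-token@v1`, a movable tag, and this is the step that is handed the GitHub App private key. Pinning it to a full commit SHA, `uses: actions/create-github-app-token@<full-commit-sha> # v1`, makes sure a retagged release can never receive that key. The same applies to the identical step added to `.github/workflows/build-and-deploy.yml` in this patch. `repositories: pacman-repo` already limits where the token is valid, but the token still carries every permission the App installation has on that repository. Releases of the action that accept `permission-<name>` inputs allow narrowing it to what `quick_add` needs (pushing and creating releases per the commit message, so presumably `permission-contents: write`).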
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index dd499c32..5e9dd669 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -306,6 +306,14 @@ jobs: name: artifacts path: artifacts + - uses: actions/create-github-app-token@v1 + id: pacman-repo-token + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: pacman-repo + - name: ${{ env.BUILD_ONLY == 'true' && 'Test-deploy' || 'Deploy' }} Pacman packages if: env.BUILD_ONLY == 'true' || env.azure_blobs_token != '' shell: bash @@ -313,6 +321,7 @@ jobs: GPGKEY: ${{secrets.GPGKEY}} PACMANDRYRUN: ${{env.BUILD_ONLY}} azure_blobs_token: ${{secrets.AZURE_BLOBS_TOKEN}} + GITHUB_TOKEN: ${{ steps.pacman-repo-token.outputs.token }} run: /usr/src/build-extra/pacman-helper.sh quick_add artifacts/* - name: Clean up temporary files
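Review bot: The added `create-github-app-token` step has no `if:`, so it mints a token for `pacman-repo` even when `BUILD_ONLY == 'true'`, where the next step only performs a test deploy with `PACMANDRYRUN` set. A run in which `GH_APP_ID` or `GH_APP_PRIVATE_KEY` is unavailable will most likely fail at this step before the test deploy is reached, although the deploy step's own condition tolerates a missing Azure token in that mode. Consider guarding the step with `if: env.BUILD_ONLY != 'true'`, provided `pacman-helper.sh quick_add` does not need `GITHUB_TOKEN` during a dry run, which cannot be confirmed from this hunk. That keeps a write-capable credential out of jobs that are not supposed to publish anything.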