From 67cc2cdd299c1d84eef1167e38671d6c7263c7f7 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Wed, 2 Oct 2024 11:16:23 +0100 Subject: [PATCH 1/2] Replace PAT with GitHub App --- .github/workflows/dispatch-matrix-check.yml | 11 ++++++++++- .github/workflows/dispatch-matrix-test-on-comment.yml | 11 ++++++++++- .../workflows/dispatch-release-performance-check.yml | 11 ++++++++++- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dispatch-matrix-check.yml b/.github/workflows/dispatch-matrix-check.yml index afe78c948c..f9b0260594 100644 --- a/.github/workflows/dispatch-matrix-check.yml +++ b/.github/workflows/dispatch-matrix-check.yml @@ -20,11 +20,20 @@ jobs: with: minimum-permission: "write" + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "codeql-coding-standards-release-engineering" + - name: Dispatch Matrix Testing Job if: steps.check-write-permission.outputs.has-permission uses: peter-evans/repository-dispatch@v2 with: - token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }} + token: ${{ steps.generate-token.outputs.token }} repository: github/codeql-coding-standards-release-engineering event-type: matrix-test client-payload: '{"pr": "${{ github.event.number }}"}' diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml index 98e1f9b7ba..6500e3f6bc 100644 --- a/.github/workflows/dispatch-matrix-test-on-comment.yml +++ b/.github/workflows/dispatch-matrix-test-on-comment.yml 
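Review bot: The added `Generate token` step has no `if:` guard, so it uses `secrets.AUTOMATION_PRIVATE_KEY` to mint an installation token on every run, including runs where the dispatch step below is skipped because `steps.check-write-permission.outputs.has-permission` is not set. Give it the same condition as the step that consumes the token, here `if: steps.check-write-permission.outputs.has-permission`, so the key is only used after the actor has been authorised. The same applies to the hunks in dispatch-matrix-test-on-comment.yml and dispatch-release-performance-check.yml, which appear to be comment-triggered; there the guard should repeat the full `github.event.issue.pull_request && contains(github.event.comment.body, ...) && ...has-permission` expression. The token is also passed to `peter-evans/repository-dispatch@v2`, a third-party action referenced by a movable tag, so pinning that `uses:` to a full commit SHA is worth doing in the same change. The job and its step list start outside the hunk.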
@@ -17,11 +17,20 @@ jobs: with: minimum-permission: "write" + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "codeql-coding-standards-release-engineering" + - name: Dispatch Matrix Testing Job if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }} uses: peter-evans/repository-dispatch@v2 with: - token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }} + token: ${{ steps.generate-token.outputs.token }} repository: github/codeql-coding-standards-release-engineering event-type: matrix-test client-payload: '{"pr": "${{ github.event.issue.number }}"}' diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml index 64863b8b05..d6311babb3 100644 --- a/.github/workflows/dispatch-release-performance-check.yml +++ b/.github/workflows/dispatch-release-performance-check.yml 
@@ -17,11 +17,20 @@ jobs: with: minimum-permission: "write" + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "codeql-coding-standards-release-engineering" + - name: Dispatch Performance Testing Job if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }} uses: peter-evans/repository-dispatch@v2 with: - token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }} + token: ${{ steps.generate-token.outputs.token }} repository: github/codeql-coding-standards-release-engineering event-type: performance-test client-payload: '{"pr": "${{ github.event.issue.number }}"}' From b946bd8850a15ac69c6de2af78dffa09fab644cf Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Thu, 3 Oct 2024 10:21:53 +0100 Subject: [PATCH 2/2] Pin actions/create-github-app-token to v1 --- .github/workflows/dispatch-matrix-check.yml | 2 +- .github/workflows/dispatch-matrix-test-on-comment.yml | 2 +- .github/workflows/dispatch-release-performance-check.yml | 2 +- .github/workflows/finalize-release.yml | 2 +- .github/workflows/prepare-release.yml | 2 +- .github/workflows/update-release.yml | 2 +- .github/workflows/validate-release.yml | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/dispatch-matrix-check.yml b/.github/workflows/dispatch-matrix-check.yml index f9b0260594..845a8fc4ae 100644 --- a/.github/workflows/dispatch-matrix-check.yml +++ b/.github/workflows/dispatch-matrix-check.yml 
@@ -22,7 +22,7 @@ jobs: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml index 6500e3f6bc..4f9f9a5b1e 100644 --- a/.github/workflows/dispatch-matrix-test-on-comment.yml +++ b/.github/workflows/dispatch-matrix-test-on-comment.yml @@ -19,7 +19,7 @@ jobs: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml index d6311babb3..7e28a9c4f9 100644 --- a/.github/workflows/dispatch-release-performance-check.yml +++ b/.github/workflows/dispatch-release-performance-check.yml @@ -19,7 +19,7 @@ jobs: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/finalize-release.yml b/.github/workflows/finalize-release.yml index d3f511caba..7afc516aac 100644 --- a/.github/workflows/finalize-release.yml +++ b/.github/workflows/finalize-release.yml @@ -103,7 +103,7 @@ jobs: - name: Generate token if: env.HOTFIX_RELEASE == 'false' id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} 
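Review bot: Replacing the full commit SHA with `@v1` swaps an immutable reference for a tag that can be moved, which weakens the pin on the action that receives `secrets.AUTOMATION_PRIVATE_KEY`; the commit title says "pin", but the effect is the opposite. If the aim is a readable, updatable version, keep a full-length SHA and record the release in a trailing comment, `uses: actions/create-github-app-token@<full-commit-sha-of-chosen-release> # v1.x.y` (placeholder values; take the SHA from the release actually intended), and let an automated updater propose bumps. The same change is made in every other hunk of this patch: dispatch-matrix-test-on-comment.yml, dispatch-release-performance-check.yml, finalize-release.yml, prepare-release.yml, update-release.yml and both hunks of validate-release.yml. The step lists these hunks belong to start and end outside the hunks.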
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index 9bbd27ce26..ba258e06f5 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -143,7 +143,7 @@ jobs: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml index 21838c1d9f..c825fab347 100644 --- a/.github/workflows/update-release.yml +++ b/.github/workflows/update-release.yml @@ -43,7 +43,7 @@ jobs: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 5f5382f5dd..63aa9e90e3 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -40,7 +40,7 @@ jobs: steps: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} @@ -108,7 +108,7 @@ jobs: steps: - name: Generate token id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}