ci: create pull requests as github app

tscpp · tscpp · commit 42d351971378 · 2024-06-23T10:45:38.000Z
diff --git a/.github/scripts/generate-jwt.js b/.github/scripts/generate-jwt.js
@@ -0,0 +1,13 @@
+import { readFileSync } from "fs";
+import jsonwebtoken from "jsonwebtoken";
+
+const { APP_ID } = process.env;
+
+const privateKey = readFileSync("/dev/stdin", "utf8");
+const payload = {
+  iat: Math.floor(Date.now() / 1000),
+  exp: Math.floor(Date.now() / 1000) + 10 * 60,
+  iss: APP_ID,
+};
+const token = jsonwebtoken.sign(payload, privateKey, { algorithm: "RS256" });
+console.log(token);
diff --git a/.github/scripts/package.json b/.github/scripts/package.json
@@ -5,6 +5,7 @@
   "type": "module",
   "dependencies": {
     "execa": "^9.2.0",
+    "jsonwebtoken": "^9.0.2",
     "octokit": "^4.0.2",
     "yn": "^5.0.0"
   }
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,19 +45,36 @@ jobs:
       - name: Install
         run: pnpm install --frozen-lockfile
 
-      - name: Setup Git User
-        run: node .github/scripts/setup-git-user.js
-
       - name: Build packages
         run: pnpm nx run-many -t build --projects=@knuckles/*
 
       - name: Publish packages
         run: pnpm nx release publish
 
+      - name: Setup Git User
+        run: node .github/scripts/setup-git-user.js
+
+      - name: Generate JWT and Get Installation Access Token
+        id: auth
+        run: |
+          # Generate JWT
+          JWT=$(APP_ID=${{ vars.GH_APP_ID }} \
+            node .github/scripts/generate-jwt.js \
+            <<< "${{ secrets.GH_APP_PRIVATE_KEY }}")
+
+          # Get Installation Access Token
+          INSTALLATION_TOKEN=$(curl -X POST \
+            -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations/${{ vars.GH_INSTALLATION_ID }}/access_tokens \
+            | jq -r .token)
+
+          echo "TOKEN=${INSTALLATION_TOKEN}" >> $GITHUB_ENV
+
       - name: Create Release Pull Request
         run: node .github/scripts/create-versioning-pull-request.js
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.TOKEN }}
           GITHUB_REPO: ${{ github.repository }}
           GITHUB_HEAD_BRANCH: "automated-versioning"
           GITHUB_BASE_BRANCH: "main"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`"type": "module",`
`6`	`6`	`"dependencies": {`
`7`	`7`	`"execa": "^9.2.0",`
	`8`	`+ "jsonwebtoken": "^9.0.2",`
`8`	`9`	`"octokit": "^4.0.2",`
`9`	`10`	`"yn": "^5.0.0"`
`10`	`11`	`}`