ci: create pull requests as github app

tscpp · Jun 23, 2024 · a746af5 · a746af5
1 parent e688a1c
commit a746af5
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/.github/scripts/generate-jwt.js b/.github/scripts/generate-jwt.js
@@ -0,0 +1,13 @@
+import { readFileSync } from "fs";
+import { sign } from "jsonwebtoken";
+
+const { APP_ID } = process.env;
+
+const privateKey = readFileSync("/dev/stdin", "utf8");
+const payload = {
+  iat: Math.floor(Date.now() / 1000),
+  exp: Math.floor(Date.now() / 1000) + 10 * 60,
+  iss: APP_ID,
+};
+const token = sign(payload, privateKey, { algorithm: "RS256" });
+console.log(token);
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,19 +45,38 @@ jobs:
       - name: Install
         run: pnpm install --frozen-lockfile
 
-      - name: Setup Git User
-        run: node .github/scripts/setup-git-user.js
-
       - name: Build packages
         run: pnpm nx run-many -t build --projects=@knuckles/*
 
       - name: Publish packages
         run: pnpm nx release publish
 
+      - name: Setup Git User
+        run: node .github/scripts/setup-git-user.js
+
+      - name: Generate JWT and Get Installation Access Token
+        id: auth
+        run: |
+          PRIVATE_KEY=$(echo "${{ secrets.GH_APP_PRIVATE_KEY }}" | base64 --decode)
+          APP_ID=${{ vars.GH_APP_ID }}
+          INSTALLATION_ID=${{ vars.GH_INSTALLATION_ID }}
+
+          # Generate JWT
+          JWT=$(node .github/scripts/generate-jwt.js <<< "$PRIVATE_KEY")
+
+          # Get Installation Access Token
+          INSTALLATION_TOKEN=$(curl -X POST \
+            -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens \
+            | jq -r .token)
+
+          echo "TOKEN=${INSTALLATION_TOKEN}" >> $GITHUB_ENV
+
       - name: Create Release Pull Request
         run: node .github/scripts/create-versioning-pull-request.js
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.TOKEN }}
           GITHUB_REPO: ${{ github.repository }}
           GITHUB_HEAD_BRANCH: "automated-versioning"
           GITHUB_BASE_BRANCH: "main"