From 4fbdbdbb65264dff19a4dde5572bb3c7c1e9100c Mon Sep 17 00:00:00 2001
From: Subeom Choi <subumm1@gmail.com>
Date: Wed, 26 Jun 2024 01:34:55 +0900
Subject: [PATCH] feature: support fetching github token from github app

---
 .github/workflows/gitflow.yml | 31 +++++++++++++++++++++++++++++--
 changelog.md                  |  4 ++++
 readme.md                     |  5 ++++-
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/gitflow.yml b/.github/workflows/gitflow.yml
index 70df2af..ff0c3c7 100644
--- a/.github/workflows/gitflow.yml
+++ b/.github/workflows/gitflow.yml
@@ -53,9 +53,18 @@ on:
         default: 'changelog.md'
         required: false
     secrets:
-      TOKEN:
+      GITHUB_TOKEN:
         description: 'GitHub token (Default: GitHub Action token)'
         required: false
+      GITHUB_APP_ID:
+        description: 'GitHub app id for fetching GitHub token'
+        required: false
+      GITHUB_APP_PRIVATE_KEY:
+        description: 'GitHub app private key for fetching GitHub token'
+        required: false
+      GITHUB_APP_OWNER:
+        description: 'GitHub app owner for fetching GitHub token'
+        required: false
 
 env:
   MAIN_BRANCH: ${{ inputs.MAIN_BRANCH || 'main' }}
@@ -66,7 +75,10 @@ env:
   VERSION_EXPRESSION: ${{ inputs.VERSION_EXPRESSION || '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' }}
   VERSION_HEADER: ${{ inputs.VERSION_HEADER || '## ' }}
   CHANGELOG: ${{ inputs.CHANGELOG || 'changelog.md' }}
-  GITHUB_TOKEN: ${{ secrets.TOKEN || github.token }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}
+  GITHUB_APP_ID: ${{ secrets.GITHUB_APP_ID }}
+  GITHUB_APP_PRIVATE_KEY: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+  GITHUB_APP_OWNER: ${{ secrets.GITHUB_APP_OWNER }}
   SOURCE_BRANCH: ${{ github.event.pull_request.head.ref }}
   SOURCE_COMMIT: ${{ github.event.pull_request.head.sha }}
   DESTINATION_BRANCH: ${{ github.event.pull_request.base.ref }}
@@ -76,6 +88,21 @@ jobs:
   gitflow:
     runs-on: ubuntu-latest
     steps:
+      - name: Fetching GitHub Token
+        id: fetching-github-token
+        if: ${{ env.GITHUB_APP_ID && env.GITHUB_APP_PRIVATE_KEY && env.GITHUB_APP_OWNER }}
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ env.GITHUB_APP_OWNER }}
+
+      - name: Using GitHub Token
+        if: ${{ env.GITHUB_APP_ID && env.GITHUB_APP_PRIVATE_KEY && env.GITHUB_APP_OWNER }}
+        run: |
+          echo '::add-mask::${{ steps.fetching-github-token.outputs.token }}'
+          echo 'GITHUB_TOKEN=${{ steps.fetching-github-token.outputs.token }}' >> $GITHUB_ENV
+
       - name: Check branch
         id: check-branch
         run: |
diff --git a/changelog.md b/changelog.md
index 4c1a5bd..e8b0179 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,7 @@
+## 2.2.0
+
+- feature: support fetching github token from github app
+
 ## 2.1.2
 
 - fix: solve issue that DEVELOP_BRANCH input is not used
diff --git a/readme.md b/readme.md
index 4937ec6..f4749e5 100644
--- a/readme.md
+++ b/readme.md
@@ -34,7 +34,10 @@ A implementation of workflows of GitHub Actions to support using gitflow on GitH
         #   VERSION_HEADER: ... # Default: '## '
         #   CHANGELOG: ... # Default: 'changelog.md'
         # secrets:
-        #   TOKEN: ... # Default: Github Action token
+        #   GITHUB_TOKEN: ... # Default: GitHub Action token
+        #   GITHUB_APP_ID: ... # Default: GitHub App ID for fetching GitHub token
+        #   GITHUB_APP_PRIVATE_KEY: ... # Default: GitHub App ID for fetching GitHub token
+        #   GITHUB_APP_OWNER: ... # Default: GitHub App ID for fetching GitHub token
     ```
 4. Set `Workflow permissions` as checking `Read and write permissions` and `Allow GitHub Actions to create and approve pull requests`.
 5. Do not check `Automatically delete head branches`.