Use GitHub app token in workflows that open PRs

This token has permissions to create PRs and will trigger the usual workflows.
opensafely-core · Oct 24, 2024 · da3e912 · da3e912
1 parent 4cb4443
commit da3e912
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 22 deletions.
diff --git a/.github/workflows/update-external-studies.yml b/.github/workflows/update-external-studies.yml
@@ -27,6 +27,13 @@ jobs:
       - name: Disable pre-commit hooks
         run: git config core.hooksPath /dev/null
 
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: 1031449  # opensafely-core Create PR app
+          private-key: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
+
       - name: Create a Pull Request if there are any changes
         id: create_pr
         uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
@@ -38,20 +45,11 @@ jobs:
           committer: "opensafely-github-bot <[email protected]>"
           commit-message: "chore: Update `external_studies` test code"
           title: "Update `external_studies` test code"
-          body: |
-            To get tests to run on this PR there's an odd workflow:
-             - Approve it
-             - Close it
-             - Re-open it
-             - Re-enable automerge
-
-            You can read more on why this is needed in the `create-pull-request` [docs][1].
-
-            [1]: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs
+          token: ${{ steps.generate-token.outputs.token }}
 
       # The PR will still require manual approval, this just reduces it to a one-click process
       - name: Enable automerge
         if: steps.create_pr.outputs.pull-request-operation == 'created'
         run: gh pr merge --auto --squash ${{ steps.create_pr.outputs.pull-request-number }}
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/update-pledge.yml b/.github/workflows/update-pledge.yml
@@ -20,6 +20,13 @@ jobs:
       - name: "Ensure `bin/pledge` is at latest version"
         run: just update-pledge
 
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: 1031449  # opensafely-core Create PR app
+          private-key: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
+
       - name: "Create a Pull Request if there are any changes"
         id: create_pr
         uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
@@ -31,20 +38,11 @@ jobs:
           committer: "opensafely-github-bot <[email protected]>"
           commit-message: "fix: Update `bin/pledge`"
           title: "Update `bin/pledge`"
-          body: |
-            To get tests to run on this PR there's an odd workflow:
-             - Approve it
-             - Close it
-             - Re-open it
-             - Re-enable automerge
-
-            You can read more on why this is needed in the `create-pull-request` [docs][1].
-
-            [1]: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs
+          token: ${{ steps.generate-token.outputs.token }}
 
       # The PR will still require manual approval, this just reduces it to a one-click process
       - name: Enable automerge
         if: steps.create_pr.outputs.pull-request-operation == 'created'
         run: gh pr merge --auto --squash ${{ steps.create_pr.outputs.pull-request-number }}
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}