-rw-r--r--.github/workflows/commit-built-file-changes.yml44
1 files changed, 42 insertions, 2 deletions
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index 426dd31f08..52ce676c89 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@@ -24,6 +24,7 @@ jobs:
# - Attempts to download the artifact containing the PR diff.
# - Checks for the existence of an artifact.
# - Unzips the artifact.
+ # - Generates a token for authenticating with the GitHub App.
# - Checks out the repository.
# - Applies the patch file.
# - Displays the result of git diff.
@@ -83,6 +84,42 @@ jobs:
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: unzip pr-built-file-changes.zip
+ - name: Generate Installation Token
+ id: generate_token
+ if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+ env:
+ GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+ GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
+ run: |
+ echo "$GH_APP_PRIVATE_KEY" > private-key.pem
+
+ # Generate JWT
+ JWT=$(python3 - <<EOF
+ import jwt, time
+ private_key = open("private-key.pem", "r").read()
+ payload = {
+ "iat": int(time.time()),
+ "exp": int(time.time()) + 600, # 10-minute expiration
+ "iss": $GH_APP_ID
+ }
+ print(jwt.encode(payload, private_key, algorithm="RS256"))
+ EOF
+ )
+
+ # Get Installation ID
+ INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+ -H "Accept: application/vnd.github.v3+json" \
+ https://api.github.com/app/installations | jq -r '.[0].id')
+
+ # Request Installation Access Token
+ ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
+
+ echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+ rm -f private-key.pem
+
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
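Review bot: The installation token minted in the `Generate Installation Token` step is never registered with the log masker and is exported through `$GITHUB_ENV`, so every later step in the job can read it, including `Apply patch`, which handles the downloaded PR artifact. Add `echo "::add-mask::$ACCESS_TOKEN"` before exporting it, and prefer a step output (`echo "token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"`) consumed only by the checkout `token:` input added in the next hunk. The private key is written to `private-key.pem` in the workspace and removed only if the script reaches its last line; `trap 'rm -f private-key.pem' EXIT` at the top of the script would remove it on failure as well. Neither `curl` call checks for failure and `.[0].id` takes whichever installation is listed first, so an API error exports the string `null` as the token and a second installation of the app could be selected silently; fail on an empty or `null` value and request the token with a `repositories`/`permissions` body limited to this repository. The script also needs a `jwt` module to be importable on the runner, and nothing visible in this hunk installs or pins one.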
@@ -91,6 +128,7 @@ jobs:
ref: ${{ github.event.workflow_run.head_branch }}
path: 'pr-repo'
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+ token: ${{ env.ACCESS_TOKEN }}
- name: Apply patch
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@@ -105,9 +143,11 @@ jobs:
- name: Configure git user name and email
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
+ env:
+ GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
run: |
- git config user.name "WordPress Build Script Bot[bot]"
- git config user.email wordpress@users.noreply.github.com
+ git config user.name "wordpress-develop-pr-bot[bot]"
+ git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
- name: Stage changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
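Review bot: The new `git config user.email` line pastes `${{ env.GH_APP_ID }}` into the script text and leaves the address unquoted, although the step already exports `GH_APP_ID` through `env:`. Read it as a shell variable and quote the value, `git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"`, so that no template substitution happens inside the script and `[bot]` cannot be treated as a glob pattern. It is also worth confirming that the numeric prefix should be the App ID: GitHub's noreply addresses for bot accounts are normally built from the bot user's ID, which is a different number, and a mismatch would likely leave the commits unattributed to the app's bot account.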