Merge pull request #438 from rvermeulen/rvermeulen/address-incorrect-…

…create-githubapp-token-usage

Address incorrect create githubapp token usage

.github/workflows/prepare-release.yml

@@ -29,24 +29,8 @@ env:
   HOTFIX_RELEASE: ${{ inputs.hotfix }}
 
 jobs:
-  generate-token:
-    runs-on: ubuntu-latest
-    outputs:
-      token: ${{ steps.generate-token.outputs.token }}
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
-        with:
-          app_id: ${{ vars.AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
   prepare-release:
-    outputs:
-      pull-request-head-sha: ${{ steps.determine-pr-head-sha.outputs.pull-request-head-sha }}
     name: "Prepare release"
-    if: github.event_name == 'workflow_dispatch'
-    needs: generate-token
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
@@ -157,14 +141,26 @@ jobs:
           git commit -m "Update version"
           git push
 
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: "codeql-coding-standards"
+
       - name: Create release PR
         env:
-          GITHUB_TOKEN: ${{ needs.generate-token.outputs.token }}
+          # Use the token from the `generate-token` step because we can't use the default workflow token
+          # to create a PR and generate PR events to trigger the next workflow because of recursive workflow
+          # trigger protection.
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           gh pr create \
           -R $GITHUB_REPOSITORY \
           --title "Release v$RELEASE_VERSION" \
           --body "This PR releases codeql-coding-standards version $RELEASE_VERSION." \
           --base rc/$RELEASE_VERSION \
           --head feature/update-user-manual-for-$RELEASE_VERSION \
-          --draft
+          --draft

.github/workflows/update-release-status.yml

@@ -134,23 +134,11 @@ jobs:
 
           echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT"
 
-  generate-token:
-    runs-on: ubuntu-latest
-    outputs:
-      token: ${{ steps.generate-token.outputs.token }}
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
-        with:
-          app_id: ${{ vars.AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
   update-release:
-    needs: [validate-check-runs, generate-token]
+    needs: validate-check-runs
     if: needs.validate-check-runs.outputs.status == 'completed'
     uses: ./.github/workflows/update-release.yml
     with:
       head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
     secrets:
-      RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
+      AUTOMATION_PRIVATE_KEY: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/update-release.yml

@@ -15,29 +15,16 @@ on:
           The head SHA of the release PR to use for finalizing the release.
         required: true
     secrets:
-      RELEASE_ENGINEERING_TOKEN:
+      AUTOMATION_PRIVATE_KEY:
         description: |
-          The token to use for accessing the release engineering repository.
+          The private key to use to generate a token for accessing the release engineering repository.
         required: true
 env:
   HEAD_SHA: ${{ inputs.head-sha }}
 
 jobs:
-  generate-token:
-    runs-on: ubuntu-latest
-    outputs:
-      token: ${{ steps.generate-token.outputs.token }}
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
-        with:
-          app_id: ${{ vars.AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
   update-release:
     name: "Update release"
-    needs: generate-token
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
@@ -53,10 +40,19 @@ jobs:
       - name: Install dependencies
         run: pip install -r scripts/release/requirements.txt
 
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: "codeql-coding-standards-release-engineering"
+
       - name: Update release assets
         env:
           GITHUB_TOKEN: ${{ github.token }}
-          RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
+          RELEASE_ENGINEERING_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           python scripts/release/update-release-assets.py \
             --head-sha $HEAD_SHA \

.github/workflows/validate-release.yml

@@ -14,18 +14,6 @@ env:
   HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 
 jobs:
-  generate-token:
-    runs-on: ubuntu-latest
-    outputs:
-      token: ${{ steps.generate-token.outputs.token }}
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
-        with:
-          app_id: ${{ vars.AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
   pre-validate-performance:
     outputs:
       check-run-id: ${{ steps.create-check-run.outputs.check-run-id }}
@@ -47,13 +35,21 @@ jobs:
           echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
   validate-performance:
-    needs: [pre-validate-performance, generate-token]
+    needs: pre-validate-performance
     runs-on: ubuntu-22.04
     steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: "codeql-coding-standards-release-engineering"
       - name: Invoke performance test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
-          GH_TOKEN: ${{ generate-token.outputs.token }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \
@@ -108,13 +104,21 @@ jobs:
           echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
   validate-compiler-compatibility:
-    needs: [pre-validate-compiler-compatibility, generate-token]
+    needs: pre-validate-compiler-compatibility
     runs-on: ubuntu-22.04
     steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repository: "codeql-coding-standards-release-engineering"
       - name: Invoke compiler compatibility test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
-          GITHUB_TOKEN: ${{ generate-token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \