diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index f8ef4ed042..6b1f28b4dd 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -29,24 +29,8 @@ env:
 HOTFIX_RELEASE: ${{ inputs.hotfix }}
 
 jobs:
- generate-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- steps:
- - name: Generate token
- id: generate-token
- uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
- with:
- app_id: ${{ vars.AUTOMATION_APP_ID }}
- private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
 prepare-release:
- outputs:
- pull-request-head-sha: ${{ steps.determine-pr-head-sha.outputs.pull-request-head-sha }}
 name: "Prepare release"
- if: github.event_name == 'workflow_dispatch'
- needs: generate-token
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
@@ -157,9 +141,21 @@ jobs:
 git commit -m "Update version"
 git push
 
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app-id: ${{ vars.AUTOMATION_APP_ID }}
+ private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repository: "codeql-coding-standards"
+
 - name: Create release PR
 env:
- GITHUB_TOKEN: ${{ needs.generate-token.outputs.token }}
+ # Use the token from the `generate-token` step because we can't use the default workflow token
+ # to create a PR and generate PR events to trigger the next workflow because of recursive workflow
+ # trigger protection.
+ GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 gh pr create \
 -R $GITHUB_REPOSITORY \
@@ -167,4 +163,4 @@ jobs:
 --body "This PR releases codeql-coding-standards version $RELEASE_VERSION." \
 --base rc/$RELEASE_VERSION \
 --head feature/update-user-manual-for-$RELEASE_VERSION \
- --draft
\ No newline at end of file
+ --draft
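Review bot: The job-level guard `if: github.event_name == 'workflow_dispatch'` on `prepare-release` is removed together with `needs: generate-token`, and nothing replaces it. The `on:` block is outside this hunk, so if the workflow has any trigger other than `workflow_dispatch`, a job that now mints an App token, pushes commits and opens a PR would also run on those events; the `env:` context reading `inputs.hotfix` suggests dispatch is the only trigger, in which case the guard was redundant, otherwise restore it as `if: github.event_name == 'workflow_dispatch'`. The deleted `outputs: pull-request-head-sha` is not referenced by anything visible here; confirm no other job or caller consumed it before it is dropped.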
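Review bot: The `repository: "codeql-coding-standards"` input on the new `Generate token` step should be verified against the pinned commit's `action.yml`: as far as I recall, `actions/create-github-app-token` narrows the token through a `repositories` input (plural) and has no singular `repository`, and the runner only warns about an unrecognised input, so with `owner` set the token would be scoped to every repository the installation can reach rather than this one. The same step switches from `app_id`/`private_key` to the kebab-case `app-id`/`private-key` names while the pinned SHA is unchanged, so confirm that revision accepts them, and append the tag the SHA resolves to as a trailing comment on the `uses:` line so both checks are easier next time. If the input really is plural, the fix is `repositories: "codeql-coding-standards"`. The comment above `GITHUB_TOKEN:` explains why the default token cannot be used; it would be worth adding that the token is minted in-job because a job output carrying a secret-derived value is redacted by the runner, which is presumably why the separate `generate-token` job was removed.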
diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml index 0f0587a355..15e212f369 100644 --- a/.github/workflows/update-release-status.yml +++ b/.github/workflows/update-release-status.yml @@ -134,23 +134,11 @@ jobs: echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT" - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - update-release: - needs: [validate-check-runs, generate-token] + needs: validate-check-runs if: needs.validate-check-runs.outputs.status == 'completed' uses: ./.github/workflows/update-release.yml with: head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }} secrets: - RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }} + AUTOMATION_PRIVATE_KEY: ${{ secrets.AUTOMATION_PRIVATE_KEY }} diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml index f3541e0571..1a5f3fcfc4 100644 --- a/.github/workflows/update-release.yml +++ b/.github/workflows/update-release.yml 
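Review bot: The reusable-workflow call now passes the long-lived `AUTOMATION_PRIVATE_KEY` into `update-release.yml` instead of a short-lived installation token, so the callee can mint tokens for anything the App is installed on, not only the release-engineering repository. This is presumably forced by the runner redacting job outputs that hold secret-derived values, which would have made the old `generate-token.outputs.token` hand-off unusable; since the callee is a local workflow the trade-off is acceptable, but record the reasoning next to the secret, e.g. `# Pass the key, not a token: installation tokens cannot be shared across jobs as outputs, so the callee mints its own repo-scoped token.` Any future change that lets `update-release.yml` be called from elsewhere should be reviewed with this wider key exposure in mind.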
@@ -15,29 +15,16 @@ on: The head SHA of the release PR to use for finalizing the release. required: true secrets: - RELEASE_ENGINEERING_TOKEN: + AUTOMATION_PRIVATE_KEY: description: | - The token to use for accessing the release engineering repository. + The private key to use to generate a token for accessing the release engineering repository. required: true env: HEAD_SHA: ${{ inputs.head-sha }} jobs: - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - update-release: name: "Update release" - needs: generate-token runs-on: ubuntu-22.04 steps: - name: Checkout @@ -53,10 +40,19 @@ jobs: - name: Install dependencies run: pip install -r scripts/release/requirements.txt + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repository: "codeql-coding-standards-release-engineering" + - name: Update release assets env: GITHUB_TOKEN: ${{ github.token }} - RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }} + RELEASE_ENGINEERING_TOKEN: ${{ steps.generate-token.outputs.token }} run: | python scripts/release/update-release-assets.py \ --head-sha $HEAD_SHA \ diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 4a11c2790e..f04e30207b 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
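Review bot: `repository: "codeql-coding-standards-release-engineering"` on the new `Generate token` step may not narrow the token at all: if I remember the action's interface correctly the scoping input is `repositories` (plural), an unknown input only raises a warning, and with `owner` set alone the token then covers every repository the installation has; verify against the pinned commit's `action.yml` and switch to `repositories:` if so. Appending the resolved tag as a trailing comment on the `uses:` line would let reviewers see which revision's inputs apply. The `Update release assets` step now receives both `github.token` and the App token, which is the right split; a one-line comment above `RELEASE_ENGINEERING_TOKEN:` noting that it is App-minted and intended only for the release-engineering repository would document that boundary. The `run: |` block continues past the end of the hunk.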
@@ -14,18 +14,6 @@ env:
 HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 
 jobs:
- generate-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- steps:
- - name: Generate token
- id: generate-token
- uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
- with:
- app_id: ${{ vars.AUTOMATION_APP_ID }}
- private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
 pre-validate-performance:
 outputs:
 check-run-id: ${{ steps.create-check-run.outputs.check-run-id }}
@@ -47,13 +35,21 @@ jobs:
 echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
 validate-performance:
- needs: [pre-validate-performance, generate-token]
+ needs: pre-validate-performance
 runs-on: ubuntu-22.04
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app-id: ${{ vars.AUTOMATION_APP_ID }}
+ private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repository: "codeql-coding-standards-release-engineering"
 - name: Invoke performance test
 env:
 CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
- GH_TOKEN: ${{ generate-token.outputs.token }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 jq -n \
 --arg ref "$HEAD_SHA" \
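Review bot: This job now mints a write-capable App token in a workflow whose `HEAD_SHA` comes from `github.event.pull_request.head.sha` (visible in the first hunk) and forwards that ref via `--arg ref "$HEAD_SHA"` to a dispatch against the release-engineering repository. The `on:` block is outside this diff: under `pull_request` a fork PR receives no secrets and the step would presumably just fail on an empty `private-key`, but under `pull_request_target` a fork could steer the dispatch with a privileged token, so confirm the trigger and, if fork PRs are expected, gate the step with `if: github.event.pull_request.head.repo.full_name == github.repository`. Independently, check the pinned commit's `action.yml` for whether the scoping input is `repository` or `repositories`; an unrecognised input is only warned about, which would leave the token scoped to the whole installation under `owner`. The `run: |` block continues beyond the hunk.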
@@ -108,13 +104,21 @@ jobs:
 echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 
 validate-compiler-compatibility:
- needs: [pre-validate-compiler-compatibility, generate-token]
+ needs: pre-validate-compiler-compatibility
 runs-on: ubuntu-22.04
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app-id: ${{ vars.AUTOMATION_APP_ID }}
+ private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repository: "codeql-coding-standards-release-engineering"
 - name: Invoke compiler compatibility test
 env:
 CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
- GITHUB_TOKEN: ${{ generate-token.outputs.token }}
+ GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 jq -n \
 --arg ref "$HEAD_SHA" \
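Review bot: The App token is exported as `GITHUB_TOKEN` here while the sibling `validate-performance` job exports the same token as `GH_TOKEN`; `gh` accepts both, but the two jobs are otherwise identical and should agree, e.g. `GH_TOKEN: ${{ steps.generate-token.outputs.token }}`. The eight-line `Generate token` step is now duplicated per job; that is the price of job-scoped tokens, but a short comment on it saying why it cannot be centralised (an installation token cannot be passed between jobs as an output) will stop the next maintainer from reintroducing the shared `generate-token` job. Also verify against the pinned commit's `action.yml` that `repository:` is an accepted input rather than `repositories:`, since an unrecognised input is only warned about and would leave the token scoped to the whole installation under `owner`. The `run: |` block continues beyond the hunk.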