From 72ca9ebf39694e18c56099f1b45255aadc9784c3 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 20 Nov 2023 13:00:35 -0800 Subject: [PATCH 1/4] Generate tokens in a step The initial job setup doesn't work to communicate a token so this change: - Integrate the token generation as a step in a job. - Scopes the token to the repository it is used against. --- .github/workflows/prepare-release.yml | 27 +++++++--------- .github/workflows/update-release-status.yml | 16 ++------- .github/workflows/update-release.yml | 26 +++++++-------- .github/workflows/validate-release.yml | 36 ++++++++++++--------- 4 files changed, 44 insertions(+), 61 deletions(-) diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index f8ef4ed042..fee9201265 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -29,24 +29,10 @@ env: HOTFIX_RELEASE: ${{ inputs.hotfix }} jobs: - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - prepare-release: outputs: pull-request-head-sha: ${{ steps.determine-pr-head-sha.outputs.pull-request-head-sha }} name: "Prepare release" - if: github.event_name == 'workflow_dispatch' - needs: generate-token runs-on: ubuntu-22.04 steps: - name: Checkout 
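Review bot: The `if: github.event_name == 'workflow_dispatch'` guard on `prepare-release` is dropped in this hunk together with `needs: generate-token`, but the commit message only explains the latter. If `workflow_dispatch` is the workflow's sole trigger (the `${{ inputs.hotfix }}` in `env:` suggests so) the guard was redundant and the removal is harmless; if any other trigger exists, the job that pushes commits and opens the release PR now runs on it as well. Either way it deserves a sentence in the commit message or a restored `if:` line so the change is deliberate rather than incidental.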
@@ -157,9 +143,18 @@ jobs: git commit -m "Update version" git push + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repository: "codeql-coding-standards" + - name: Create release PR env: - GITHUB_TOKEN: ${{ needs.generate-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} run: | gh pr create \ -R $GITHUB_REPOSITORY \ @@ -167,4 +162,4 @@ jobs: --body "This PR releases codeql-coding-standards version $RELEASE_VERSION." \ --base rc/$RELEASE_VERSION \ --head feature/update-user-manual-for-$RELEASE_VERSION \ - --draft \ No newline at end of file + --draft diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml index 0f0587a355..15e212f369 100644 --- a/.github/workflows/update-release-status.yml +++ b/.github/workflows/update-release-status.yml @@ -134,23 +134,11 @@ jobs: echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT" - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - update-release: - needs: [validate-check-runs, generate-token] + needs: validate-check-runs if: needs.validate-check-runs.outputs.status == 'completed' uses: ./.github/workflows/update-release.yml with: head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }} secrets: - RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }} + AUTOMATION_PRIVATE_KEY: ${{ secrets.AUTOMATION_PRIVATE_KEY }} 
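Review bot: The new `Generate token` step hard-codes `repository: "codeql-coding-standards"` while `owner` is taken from the event, so the token is scoped to a fixed name rather than to the repository the workflow actually runs in; `repository: ${{ github.event.repository.name }}` keeps the two in step for forks and renames (the release-engineering scoping in update-release.yml and validate-release.yml is different, as that targets a second repository). Worth verifying against the pinned commit's action.yml that the input is spelled `repository` and not `repositories` as I recall the action documenting it, because an unrecognized `with:` key only produces a warning and the token would then silently fall back to every repository the App installation covers, which is exactly the widening this commit is trying to avoid. The same caveat applies to `app-id`/`private-key`, which replace `app_id`/`private_key` under the unchanged pin `eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e`. The same step appears in the hunks for update-release.yml and both validate-release.yml jobs.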
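Review bot: The `secrets:` block of `update-release` now forwards the App's long-lived private key instead of a short-lived token, which means the called workflow can mint a token for any repository in the installation rather than only the one it needs; that is acceptable because the callee is the local `./.github/workflows/update-release.yml`, but it is a design choice that is not obvious from the YAML. Forwarding the one secret explicitly rather than using `secrets: inherit` is the right call and should stay that way. A one-line comment above the secret would record the intent: `# The private key (not a token) is forwarded because the callee mints a token scoped to the release-engineering repository.`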
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml index f3541e0571..bb2a712c20 100644 --- a/.github/workflows/update-release.yml +++ b/.github/workflows/update-release.yml @@ -15,7 +15,7 @@ on: The head SHA of the release PR to use for finalizing the release. required: true secrets: - RELEASE_ENGINEERING_TOKEN: + AUTOMATION_PRIVATE_KEY: description: | The token to use for accessing the release engineering repository. required: true @@ -23,21 +23,8 @@ env: HEAD_SHA: ${{ inputs.head-sha }} jobs: - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - update-release: name: "Update release" - needs: generate-token runs-on: ubuntu-22.04 steps: - name: Checkout @@ -53,10 +40,19 @@ jobs: - name: Install dependencies run: pip install -r scripts/release/requirements.txt + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repository: "codeql-coding-standards-release-engineering" + - name: Update release assets env: GITHUB_TOKEN: ${{ github.token }} - RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }} + RELEASE_ENGINEERING_TOKEN: ${{ steps.generate-token.outputs.token }} run: | python scripts/release/update-release-assets.py \ --head-sha $HEAD_SHA \ diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 4a11c2790e..f04e30207b 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
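Review bot: In the `@@ -53,10` hunk the `update-release` job now holds both `secrets.AUTOMATION_PRIVATE_KEY` and a freshly minted token for the release-engineering repository while it runs `scripts/release/update-release-assets.py` from the checkout. The `Checkout` step's `ref:` is not visible in the `@@ -23,21` hunk; if it checks out `HEAD_SHA` (an input the caller derives from a check-run head SHA) rather than the default branch, the script that receives `RELEASE_ENGINEERING_TOKEN` comes from the release PR's commit, so please confirm that ref is trusted or pin the checkout of `scripts/` to the default branch. A comment on the step would also help the next reader: `# Token scoped to the release-engineering repo; it still carries every permission the App installation grants, so keep the App's permissions minimal.`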
@@ -14,18 +14,6 @@ env: HEAD_SHA: ${{ github.event.pull_request.head.sha }} jobs: - generate-token: - runs-on: ubuntu-latest - outputs: - token: ${{ steps.generate-token.outputs.token }} - steps: - - name: Generate token - id: generate-token - uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e - with: - app_id: ${{ vars.AUTOMATION_APP_ID }} - private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - pre-validate-performance: outputs: check-run-id: ${{ steps.create-check-run.outputs.check-run-id }} @@ -47,13 +35,21 @@ jobs: echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT" validate-performance: - needs: [pre-validate-performance, generate-token] + needs: pre-validate-performance runs-on: ubuntu-22.04 steps: + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repository: "codeql-coding-standards-release-engineering" - name: Invoke performance test env: CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }} - GH_TOKEN: ${{ generate-token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} run: | jq -n \ --arg ref "$HEAD_SHA" \ 
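Review bot: The eight-line `Generate token` step added in the `@@ -47,13` hunk is repeated verbatim in the `@@ -108,13` hunk of this file and, with a different `repository`, in prepare-release.yml and update-release.yml, so the action pin and its input names now have to be changed in four places at once. A composite action under a path such as `.github/actions/<generate-token>` (placeholder name) taking `repository` as its only input would keep one pinned SHA to bump and one place to audit which repositories tokens are minted for. As a smaller point of style, prepare-release.yml generates the token immediately before the step that uses it, whereas here it is the first step of the job; placing it directly above `Invoke performance test` keeps the token's lifetime to the minimum and matches the other workflow.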
@@ -108,13 +104,21 @@ jobs: echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT" validate-compiler-compatibility: - needs: [pre-validate-compiler-compatibility, generate-token] + needs: pre-validate-compiler-compatibility runs-on: ubuntu-22.04 steps: + - name: Generate token + id: generate-token + uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e + with: + app-id: ${{ vars.AUTOMATION_APP_ID }} + private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repository: "codeql-coding-standards-release-engineering" - name: Invoke compiler compatibility test env: CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }} - GITHUB_TOKEN: ${{ generate-token.outputs.token }} + GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} run: | jq -n \ --arg ref "$HEAD_SHA" \ From e97cd143c9c514cc244ba38baeb103b9c01fc219 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 20 Nov 2023 13:02:45 -0800 Subject: [PATCH 2/4] Remove remnant output parameter --- .github/workflows/prepare-release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index fee9201265..e21eddb119 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -30,8 +30,6 @@ env: jobs: prepare-release: - outputs: - pull-request-head-sha: ${{ steps.determine-pr-head-sha.outputs.pull-request-head-sha }} name: "Prepare release" runs-on: ubuntu-22.04 steps: From 4771d4a9fcf4543a4ef75114e4f27b7455f74d0c Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 20 Nov 2023 13:05:54 -0800 Subject: [PATCH 3/4] Add clarifying comment for using different token --- .github/workflows/prepare-release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index e21eddb119..6b1f28b4dd 100644 --- a/.github/workflows/prepare-release.yml 
+++ b/.github/workflows/prepare-release.yml @@ -152,6 +152,9 @@ jobs: - name: Create release PR env: + # Use the token from the `generate-token` step because we can't use the default workflow token + # to create a PR and generate PR events to trigger the next workflow because of recursive workflow + # trigger protection. GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} run: | gh pr create \ From 528720831a537197c0109c77675674eaa3d58b79 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 20 Nov 2023 13:09:37 -0800 Subject: [PATCH 4/4] Correct the secret input description --- .github/workflows/update-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml index bb2a712c20..1a5f3fcfc4 100644 --- a/.github/workflows/update-release.yml +++ b/.github/workflows/update-release.yml @@ -17,7 +17,7 @@ on: secrets: AUTOMATION_PRIVATE_KEY: description: | - The token to use for accessing the release engineering repository. + The private key to use to generate a token for accessing the release engineering repository. required: true env: HEAD_SHA: ${{ inputs.head-sha }}
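Review bot: The new comment above `GITHUB_TOKEN` in the `@@ -152,6` hunk is hard to parse (two chained "because" clauses) and "recursive workflow trigger protection" is not the name the documentation uses for the behaviour it describes. A tighter version that states the cause and the consequence: `# The default GITHUB_TOKEN is not used here: events it creates do not trigger other workflows,` followed by `# so the release PR must be opened with the App token for the downstream release workflows to run.` The wording fix is documentation only; the `GITHUB_TOKEN` line itself is correct.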