GitHub app installation access token.

Signed-off-by: Ross Goldberg <484615+rgoldberg@users.noreply.github.com>

.github/workflows/release-published.yml

@@ -15,14 +15,26 @@ jobs:
     if: ${{!github.event.repository.fork}}
     runs-on: macos-15
     steps:
+      - name: 🛒 Checkout repo
+        env:
+          GIT_CONFIG_COUNT: 1
+          GIT_CONFIG_KEY_0: init.defaultBranch
+          GIT_CONFIG_VALUE_0: ${{github.event.repository.default_branch}}
+        uses: actions/checkout@v4
+
       - name: 🚰 Apply pr-pull label to custom tap formula bump PR
         env:
-          GH_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}}
+          TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}}
+          TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}}
         run: |
+          export GH_TOKEN="$(script/generate_token)"
+
           unsetopt errexit
           bump_url="$(gh release -R "${GITHUB_REPOSITORY}" download "${GITHUB_REF_NAME}" -p bump.url -O - 2>/dev/null)"
           found_bump_url="${?}"
           setopt errexit
+
           if [[ "${found_bump_url}" -eq 0 ]]; then
             [[ -n "${bump_url}" ]] && gh pr edit "${bump_url}" --add-label pr-pull
             gh release -R "${GITHUB_REPOSITORY}" delete-asset "${GITHUB_REF_NAME}" bump.url -y
@@ -33,7 +45,7 @@ jobs:
       - name: 🍺 Bump homebrew-core formula
         if: ${{!github.event.release.prerelease}}
         env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          HOMEBREW_GITHUB_API_TOKEN: ${{github.token}}
         run: |
           brew bump-formula-pr\
            --tag "${GITHUB_REF_NAME}"\

.github/workflows/tag-pushed.yml

@@ -58,9 +58,14 @@ jobs:
 
       - name: 🚰 Bump custom tap formula
         env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}}
+          TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}}
+          TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}}
         run: |
+          export HOMEBREW_GITHUB_API_TOKEN="$(script/generate_token)"
+
           brew tap "${GITHUB_REPOSITORY_OWNER}/tap"
+
           unsetopt errexit
           bump_output="$(brew bump-formula-pr\
            --tag "${GITHUB_REF_NAME}"\
@@ -74,8 +79,10 @@ jobs:
            2>&1)"
           exit_code="${?}"
           setopt errexit
+
           printf %s "${bump_output}"
           printf %s "${${(f)bump_output}[-1]}" > .build/bump.url
+
           exit "${exit_code}"
 
       - name: 📝 Create draft release

script/generate_token

@@ -0,0 +1,23 @@
+#!/bin/zsh -Ndefgku
+#
+# script/generate_token
+# mas
+#
+# Generates a GitHub App installation access token for GitHub Workflows.
+#
+
+. "${0:a:h}/_setup_script"
+
+header=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
+payload="${${$(printf '{"iss":%s,"iat":%s,"exp":%s}' "${TOKEN_APP_ID}" "$(("$(date +%s)" - 60))"\
+ "$(("$(date +%s)" + 540))" | base64)//[=$'\n']}//\/+/_-}"
+
+
+# shellcheck disable=SC1009,SC1036,SC1072,SC1073
+curl\
+ -sX POST\
+ -H "Authorization: Bearer ${header}.${payload}.${${$(printf %s "${header}.${payload}" |
+  openssl dgst -sha256 -sign =(printf %s "${TOKEN_APP_PRIVATE_KEY}") | base64)//[=$'\n']}//\/+/_-}"\
+ -H 'Accept: application/vnd.github+json'\
+  "https://api.github.com/app/installations/${TOKEN_APP_INSTALLATION_ID}/access_tokens" |
+ jq -r .token

script/release_cancel

@@ -19,7 +19,7 @@ if [[ -n "${bump_url}" ]]; then
   gh pr close "${bump_url}" -d
   printf $'\n'
 else
-  printf $'No custom tap formula bump PR URL found for draft release tag\'%s\'\n\n' "${tag}"
+  printf $'No custom tap formula bump PR URL found for draft release tag \'%s\'\n\n' "${tag}"
 fi
 
 gh release -R https://github.com/mas-cli/mas delete "${tag}" --cleanup-tag -y