diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml index 1f5b37ef..1997a1cb 100644 --- a/.github/workflows/release-published.yml +++ b/.github/workflows/release-published.yml @@ -15,14 +15,26 @@ jobs: if: ${{!github.event.repository.fork}} runs-on: macos-15 steps: + - name: 🛒 Checkout repo + env: + GIT_CONFIG_COUNT: 1 + GIT_CONFIG_KEY_0: init.defaultBranch + GIT_CONFIG_VALUE_0: ${{github.event.repository.default_branch}} + uses: actions/checkout@v4 + - name: 🚰 Apply pr-pull label to custom tap formula bump PR env: - GH_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}} + TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}} + TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}} + TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}} run: | + export GH_TOKEN="$(script/generate_token)" + unsetopt errexit bump_url="$(gh release -R "${GITHUB_REPOSITORY}" download "${GITHUB_REF_NAME}" -p bump.url -O - 2>/dev/null)" found_bump_url="${?}" setopt errexit + if [[ "${found_bump_url}" -eq 0 ]]; then [[ -n "${bump_url}" ]] && gh pr edit "${bump_url}" --add-label pr-pull gh release -R "${GITHUB_REPOSITORY}" delete-asset "${GITHUB_REF_NAME}" bump.url -y @@ -33,7 +45,7 @@ jobs: - name: 🍺 Bump homebrew-core formula if: ${{!github.event.release.prerelease}} env: - HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}} + HOMEBREW_GITHUB_API_TOKEN: ${{github.token}} run: | brew bump-formula-pr\ --tag "${GITHUB_REF_NAME}"\ diff --git a/.github/workflows/tag-pushed.yml b/.github/workflows/tag-pushed.yml index d83b8e7d..3c0ba475 100644 --- a/.github/workflows/tag-pushed.yml +++ b/.github/workflows/tag-pushed.yml 
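Review bot: In the `🚰 Apply pr-pull label` step of `release-published.yml`, `export GH_TOKEN="$(script/generate_token)"` is likely to hide a failed token request, because the status of `export` presumably replaces that of the substitution and the script's final `jq -r .token` prints `null` with status 0 on an error response. The minted installation token is also never registered for log masking, since only the three `secrets.*` inputs are masked automatically. Assign first, then mask and export: `token="$(script/generate_token)"`, `printf '::add-mask::%s\n' "${token}"`, `export GH_TOKEN="${token}"`; the same applies to the `export HOMEBREW_GITHUB_API_TOKEN=…` line in `tag-pushed.yml`. Separately, the new checkout step uses the mutable tag `actions/checkout@v4` in a job that then handles the App private key, so consider pinning it to a full commit SHA and adding `with: persist-credentials: false` if no later step needs the stored git credential. The `run:` script continues past the end of this hunk.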
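Review bot: In the `🍺 Bump homebrew-core formula` step of `release-published.yml`, `HOMEBREW_GITHUB_API_TOKEN: ${{github.token}}` hands `brew bump-formula-pr` a token scoped to this repository only, so any fork, push or pull-request creation against another repository would presumably be rejected. As a privilege reduction from the previous secret this is welcome, but what the step is still expected to do with the token should be stated in a comment above the `env:` entry, for example `# github.token is repo-scoped; sufficient here because <REASON_PLACEHOLDER>`. An explicit `permissions:` block on the job (none is visible in this diff) would also pin what `github.token` may do instead of relying on the repository default. The remaining flags of the command are outside this hunk, so the actual requirement could not be confirmed from the visible lines.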
@@ -58,9 +58,14 @@ jobs: - name: 🚰 Bump custom tap formula env: - HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}} + TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}} + TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}} + TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}} run: | + export HOMEBREW_GITHUB_API_TOKEN="$(script/generate_token)" + brew tap "${GITHUB_REPOSITORY_OWNER}/tap" + unsetopt errexit bump_output="$(brew bump-formula-pr\ --tag "${GITHUB_REF_NAME}"\ @@ -74,8 +79,10 @@ jobs: 2>&1)" exit_code="${?}" setopt errexit + printf %s "${bump_output}" printf %s "${${(f)bump_output}[-1]}" > .build/bump.url + exit "${exit_code}" - name: 📝 Create draft release diff --git a/script/generate_token b/script/generate_token new file mode 100755 index 00000000..696b2ae0 --- /dev/null +++ b/script/generate_token @@ -0,0 +1,23 @@ +#!/bin/zsh -Ndefgku +# +# script/generate_token +# mas +# +# Generates a GitHub App installation access token for GitHub Workflows. +# + +. "${0:a:h}/_setup_script" + +header=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9 +payload="${${$(printf '{"iss":%s,"iat":%s,"exp":%s}' "${TOKEN_APP_ID}" "$(("$(date +%s)" - 60))"\ + "$(("$(date +%s)" + 540))" | base64)//[=$'\n']}//\/+/_-}" + + +# shellcheck disable=SC1009,SC1036,SC1072,SC1073 +curl\ + -sX POST\ + -H "Authorization: Bearer ${header}.${payload}.${${$(printf %s "${header}.${payload}" | + openssl dgst -sha256 -sign =(printf %s "${TOKEN_APP_PRIVATE_KEY}") | base64)//[=$'\n']}//\/+/_-}"\ + -H 'Accept: application/vnd.github+json'\ + "https://api.github.com/app/installations/${TOKEN_APP_INSTALLATION_ID}/access_tokens" | + jq -r .token diff --git a/script/release_cancel b/script/release_cancel index b7d7a65c..11246ee4 100755 --- a/script/release_cancel +++ b/script/release_cancel 
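Review bot: In the `🚰 Bump custom tap formula` step of `tag-pushed.yml`, `TOKEN_APP_PRIVATE_KEY` stays in the environment of everything that runs after the token is minted, including `brew tap` and `brew bump-formula-pr`, which load tap and formula code that is not part of this diff. Only the short-lived installation token is needed past that point, so drop the long-lived inputs directly after the export: `unset TOKEN_APP_ID TOKEN_APP_INSTALLATION_ID TOKEN_APP_PRIVATE_KEY`. The same holds for the `gh` calls in the `pr-pull` step of `release-published.yml`; alternatively the token could be minted in a dedicated step so that later steps only receive its masked output. The `brew bump-formula-pr` invocation continues beyond this hunk, and the following hunk prints `bump_output` to the log, which is another reason to mask the generated token.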
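Review bot: The new `script/generate_token` requests the installation token without a request body, so the token carries every permission and repository the App installation has, and an error response still ends in `jq -r .token` printing `null` with exit status 0. Limit the token to what the two workflows need by sending a body, e.g. `-d '{"repositories":["<TAP_REPO_PLACEHOLDER>"],"permissions":{"contents":"write","pull_requests":"write"}}'`; the exact permission set is an assumption to confirm against what `brew bump-formula-pr` and `gh pr edit` require. Make failures visible with `-fsSX POST\` in place of `-sX POST\` and `jq -er .token` in place of `jq -r .token`. Whether a failing `curl` aborts the pipeline also depends on options set in `_setup_script`, which is not part of this diff. The header comment should additionally state that the script prints a live credential on stdout and is meant to be used only inside a command substitution.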
@@ -19,7 +19,7 @@ if [[ -n "${bump_url}" ]]; then gh pr close "${bump_url}" -d printf $'\n' else - printf $'No custom tap formula bump PR URL found for draft release tag\'%s\'\n\n' "${tag}" + printf $'No custom tap formula bump PR URL found for draft release tag \'%s\'\n\n' "${tag}" fi gh release -R https://github.com/mas-cli/mas delete "${tag}" --cleanup-tag -y