GitHub app installation access token.

rgoldberg · rgoldberg · commit f69605f64916 · 2024-12-25T02:10:27.000-05:00
Signed-off-by: Ross Goldberg &lt;484615+rgoldberg@users.noreply.github.com&gt;
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
@@ -17,12 +17,17 @@ jobs:
     steps:
       - name: 🚰 Apply pr-pull label to custom tap formula bump PR
         env:
-          GH_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}}
+          TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}}
+          TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}}
         run: |
+          export GH_TOKEN="$(script/generate_token)"
+
           unsetopt errexit
           bump_url="$(gh release -R "${GITHUB_REPOSITORY}" download "${GITHUB_REF_NAME}" -p bump.url -O - 2>/dev/null)"
           found_bump_url="${?}"
           setopt errexit
+
           if [[ "${found_bump_url}" -eq 0 ]]; then
             [[ -n "${bump_url}" ]] && gh pr edit "${bump_url}" --add-label pr-pull
             gh release -R "${GITHUB_REPOSITORY}" delete-asset "${GITHUB_REF_NAME}" bump.url -y
@@ -33,7 +38,7 @@ jobs:
       - name: 🍺 Bump homebrew-core formula
         if: ${{!github.event.release.prerelease}}
         env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          HOMEBREW_GITHUB_API_TOKEN: ${{github.token}}
         run: |
           brew bump-formula-pr\
            --tag "${GITHUB_REF_NAME}"\
diff --git a/.github/workflows/tag-pushed.yml b/.github/workflows/tag-pushed.yml
@@ -58,9 +58,16 @@ jobs:
 
       - name: 🚰 Bump custom tap formula
         env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+          TOKEN_APP_ID: ${{secrets.TOKEN_APP_ID}}
+          TOKEN_APP_INSTALLATION_ID: ${{secrets.TOKEN_APP_INSTALLATION_ID}}
+          TOKEN_APP_PRIVATE_KEY: ${{secrets.TOKEN_APP_PRIVATE_KEY}}
         run: |
+          export HOMEBREW_GITHUB_API_TOKEN="$(script/generate_token)"
+
+          echo "${HOMEBREW_GITHUB_API_TOKEN}"
+
           brew tap "${GITHUB_REPOSITORY_OWNER}/tap"
+
           unsetopt errexit
           bump_output="$(brew bump-formula-pr\
            --tag "${GITHUB_REF_NAME}"\
@@ -74,8 +81,10 @@ jobs:
            2>&1)"
           exit_code="${?}"
           setopt errexit
+
           printf %s "${bump_output}"
           printf %s "${${(f)bump_output}[-1]}" > .build/bump.url
+
           exit "${exit_code}"
 
       - name: 📝 Create draft release
diff --git a/script/generate_token b/script/generate_token
@@ -0,0 +1,23 @@
+#!/bin/zsh -Ndefgku
+#
+# script/generate_token
+# mas
+#
+# Generates a GitHub App installation access token for GitHub Workflows.
+#
+
+. "${0:a:h}/_setup_script"
+
+header=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
+payload="${${$(printf '{"iss":%s,"iat":%s,"exp":%s}' "${TOKEN_APP_ID}" "$(("$(date +%s)" - 60))"\
+ "$(("$(date +%s)" + 540))" | base64)//[=$'\n']}//\/+/_-}"
+
+
+# shellcheck disable=SC1009,SC1036,SC1072,SC1073
+curl\
+ -sX POST\
+ -H "Authorization: Bearer ${header}.${payload}.${${$(printf %s "${header}.${payload}" |
+  openssl dgst -sha256 -sign =(printf %s "${TOKEN_APP_PRIVATE_KEY}") | base64)//[=$'\n']}//\/+/_-}"\
+ -H 'Accept: application/vnd.github+json'\
+  "https://api.github.com/app/installations/${TOKEN_APP_INSTALLATION_ID}/access_tokens" |
+ jq -r .token
