gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

workflows/teams: use single token in team sync

Browse Source 
The nixpkgs-ci app now has all the privileges needed to see the member
lists anyway, so no need for two apps / tokens anymore.
This commit is contained in:
Wolfgang Walther
2025-11-06 12:11:34 +01:00
parent c58139723a
commit 1742aef1e9
1 changed files with 11 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.github/workflows/teams.yml vendored
View File

@@ -16,13 +16,17 @@ jobs:
sync: sync:
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
steps: steps:
# Use a GitHub App to create the PR so that CI gets triggered and to
# request team member lists.
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: team-token id: app-token
with: with:
app-id: ${{ vars.OWNER_APP_ID }} app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-administration: read permission-administration: read
permission-contents: write
permission-members: read permission-members: read
permission-pull-requests: write
- name: Fetch source - name: Fetch source
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -38,7 +42,7 @@ jobs:
- name: Synchronise teams - name: Synchronise teams
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with: with:
github-token: ${{ steps.team-token.outputs.token }} github-token: ${{ steps.app-token.outputs.token }}
script: | script: |
require('./ci/github-script/get-teams.js')({ require('./ci/github-script/get-teams.js')({
github, github,
@@ -47,20 +51,11 @@ jobs:
outFile: "maintainers/github-teams.json" outFile: "maintainers/github-teams.json"
}) })
# Use a GitHub App to create the PR so that CI gets triggered
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: sync-token
with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- name: Get GitHub App User Git String - name: Get GitHub App User Git String
id: user id: user
env: env:
GH_TOKEN: ${{ steps.sync-token.outputs.token }} GH_TOKEN: ${{ steps.app-token.outputs.token }}
APP_SLUG: ${{ steps.sync-token.outputs.app-slug }} APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
run: | run: |
name="${APP_SLUG}[bot]" name="${APP_SLUG}[bot]"
userId=$(gh api "/users/$name" --jq .id) userId=$(gh api "/users/$name" --jq .id)
@@ -70,7 +65,7 @@ jobs:
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with: with:
token: ${{ steps.sync-token.outputs.token }} token: ${{ steps.app-token.outputs.token }}
add-paths: maintainers/github-teams.json add-paths: maintainers/github-teams.json
author: ${{ steps.user.outputs.git-string }} author: ${{ steps.user.outputs.git-string }}
committer: ${{ steps.user.outputs.git-string }} committer: ${{ steps.user.outputs.git-string }}