From 6ab6314d06d25d77c3052fb00c4bdf3d7a5027a2 Mon Sep 17 00:00:00 2001 From: John Titor <50095635+JohnRTitor@users.noreply.github.com> Date: Wed, 15 Jan 2025 10:29:29 +0530 Subject: [PATCH] workflows/periodic-merges: use nixpkgs-ci's token --- .github/workflows/periodic-merge-24h.yml | 4 +--- .github/workflows/periodic-merge-6h.yml | 4 +--- .github/workflows/periodic-merge.yml | 11 ++++++++++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml index 1028b64a9176..c2bae9d5b9b9 100644 --- a/.github/workflows/periodic-merge-24h.yml +++ b/.github/workflows/periodic-merge-24h.yml @@ -14,9 +14,7 @@ on: - cron: '0 0 * * *' workflow_dispatch: -permissions: - contents: write # for devmasx/merge-branch to merge branches - pull-requests: write # for peter-evans/create-or-update-comment to create or update comment +permissions: {} jobs: periodic-merge: diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml index 9d72539dd02e..fcdc3994b7f7 100644 --- a/.github/workflows/periodic-merge-6h.yml +++ b/.github/workflows/periodic-merge-6h.yml @@ -14,9 +14,7 @@ on: - cron: '0 */6 * * *' workflow_dispatch: -permissions: - contents: write # for devmasx/merge-branch to merge branches - pull-requests: write # for peter-evans/create-or-update-comment to create or update comment +permissions: {} jobs: periodic-merge: diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml index e8307308218c..91ab0b25f146 100644 --- a/.github/workflows/periodic-merge.yml +++ b/.github/workflows/periodic-merge.yml 
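Review bot: `permissions: {}` in periodic-merge-24h.yml (and the identical hunk in periodic-merge-6h.yml) replaces two commented grants without recording where write access now comes from. A trailing comment such as `permissions: {}  # all writes use the nixpkgs-ci App token minted in periodic-merge.yml` would keep the least-privilege intent readable for the next maintainer. It is also worth confirming that nothing in the called workflow still needs `GITHUB_TOKEN` for more than reading a public repository, since `actions/checkout` uses that token by default. The callers' `jobs:` sections continue outside these hunks, so how the App secret is passed down cannot be checked from here.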
@@ -17,6 +17,14 @@ jobs: runs-on: ubuntu-24.04 name: ${{ inputs.from }} → ${{ inputs.into }} steps: + # Use a GitHub App to create the PR so that CI gets triggered + # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs + - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 + id: app-token + with: + app-id: ${{ vars.NIXPKGS_CI_APP_ID }} + private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Find merge base between two branches @@ -38,7 +46,7 @@ jobs: type: now from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }} target_branch: ${{ inputs.into }} - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} - name: Comment on failure uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 @@ -47,3 +55,4 @@ jobs: issue-number: 105153 body: | Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}). + token: ${{ steps.app-token.outputs.token }}
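Review bot: The comment added above the `actions/create-github-app-token` step says the App is used "to create the PR", but no step visible in this patch creates one; the token is consumed by the merge step and the failure comment. Suggest `# Use a GitHub App token for the merge push so that CI gets triggered on the target branch`, keeping the second comment line about the App's scope as it is. The `steps:` list continues outside the hunk, so a PR-creating step elsewhere in the file cannot be ruled out.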
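Review bot: The `github_token` input changed in the second hunk now hands a third-party action a token that, per the comment added in the first hunk, carries Contents and Pull Requests write on Nixpkgs. Pushes made with an App token also start workflow runs, which pushes made with `GITHUB_TOKEN` do not. The `uses:` line of this step lies outside the hunk, so confirm it is pinned to a full commit SHA like the other actions shown here. A short comment on the step, e.g. `# App token: pushes trigger CI; keep this action pinned to a commit SHA`, would record why the pin matters.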
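Review bot: The `token` input added to the "Comment on failure" step in the last hunk makes failure reporting depend on the same credential whose minting can itself fail. If the `app-token` step errors, `steps.app-token.outputs.token` is presumably empty, and with the callers now at `permissions: {}` there is no usable fallback, so the failure would not be reported on issue 105153. The step's `if:` condition is outside the hunk, so this is inferred rather than confirmed. At minimum the gap should be documented, e.g. `# NOTE: cannot post if the app-token step itself failed; watch the Actions run status`.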