From 583241b9d2ae902b302fd00bb037ef0c844ca289 Mon Sep 17 00:00:00 2001
From: Kyle Harding <kyle@balena.io>
Date: Fri, 6 Dec 2024 11:10:00 -0500
Subject: [PATCH] Update the App Id and Private Key for ephemeral app tokens

This changes the yocto scripts workflow to use a dedicated
balenaOS CI app, rather than the Flowzone app.

Change-type: minor
Signed-off-by: Kyle Harding <kyle@balena.io>
---
 .github/workflows/yocto-build-deploy.yml | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index ac40835c1..cd2d79ad0 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -29,8 +29,8 @@ on:
       SIGN_API_KEY:
         description: balena API key that provides access to the signing server
         required: false
-      GH_APP_PRIVATE_KEY:
-        description: "GPG Private Key for GitHub App to generate ephemeral tokens (used with vars.FLOWZONE_APP_ID)"
+      BALENAOS_CI_APP_PRIVATE_KEY:
+        description: "GPG Private Key for GitHub App to generate ephemeral tokens (used with vars.BALENAOS_CI_APP_ID)"
         required: false
       PBDKF2_PASSPHRASE:
         description: "Passphrase used to encrypt/decrypt balenaOS assets at rest in GitHub."
@@ -251,10 +251,9 @@ jobs:
       - name: Create GitHub App installation token
         uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token
-        if: vars.FLOWZONE_APP_ID != ''
         with:
-          app-id: ${{ vars.FLOWZONE_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
+          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
       # Generate another app token for the balena-io organization
@@ -263,10 +262,9 @@ jobs:
       - name: Create GitHub App installation token (balena-io)
         uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token-balena-io
-        if: vars.FLOWZONE_APP_ID != ''
         with:
-          app-id: ${{ vars.FLOWZONE_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
+          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
           owner: balena-io
 
       # https://github.com/actions/checkout
@@ -1100,10 +1098,9 @@ jobs:
       - name: Create GitHub App installation token
         uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token
-        if: vars.FLOWZONE_APP_ID != ''
         with:
-          app-id: ${{ vars.FLOWZONE_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
+          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
       # Generate another app token for the balena-io organization
@@ -1112,10 +1109,9 @@ jobs:
       - name: Create GitHub App installation token (balena-io)
         uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token-balena-io
-        if: vars.FLOWZONE_APP_ID != ''
         with:
-          app-id: ${{ vars.FLOWZONE_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
+          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
           owner: balena-io
 
       # Clone the device respository to fetch Leviathan