From 67ce4926531417e9a6269eda7cfe5e2110dab48f Mon Sep 17 00:00:00 2001
From: Lexus Drumgold
Date: Sun, 22 Oct 2023 18:58:52 -0400
Subject: [PATCH] ci(workflows): [`infrastructure`] use bot token
Signed-off-by: Lexus Drumgold
---
 .github/workflows/infrastructure.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
index 0c0e866..2b0be56 100644
--- a/.github/workflows/infrastructure.yml
+++ b/.github/workflows/infrastructure.yml
@@ -11,12 +11,13 @@
 # References:
 #
 # - https://docs.github.com/actions/learn-github-actions/contexts
+# - https://docs.github.com/actions/learn-github-actions/expressions
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
-# - https://github.com/actions-cool/check-user-permission
 # - https://github.com/actions/checkout
+# - https://github.com/actions/create-github-app-token
 # - https://github.com/flex-development/rice-action
 # - https://github.com/hmarr/debug-action
@@ -36,26 +37,27 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
 infrastructure:
+ if: contains(vars.MAINTAINERS, github.actor)
 runs-on: ubuntu-latest
 steps:
 - id: debug
 name: Print environment variables and event payload
 uses: hmarr/debug-action@v2.1.0
- - id: check-actor-permission
- name: Check @${{ github.actor }} permission level
- uses: actions-cool/check-user-permission@v2.2.0
+ - id: bot-token
+ name: Get bot token
+ uses: actions/create-github-app-token@v1.5.0
 with:
- require: admin
- username: ${{ github.actor }}
+ app-id: ${{ secrets.BOT_APP_ID }}
+ private-key: ${{ secrets.BOT_PRIVATE_KEY }}
 - id: checkout
- name: Checkout ${{ github.ref_name }}
+ name: Checkout ${{ github.ref_name }}@${{ github.sha }}
 uses: actions/checkout@v4.1.1
 with:
 persist-credentials: false
- ref: ${{ github.ref }}
+ ref: ${{ github.sha }}
+ token: ${{ steps.bot-token.outputs.token }}
 - id: update
- if: steps.check-actor-permission.outputs.require-result == 'true'
 name: Update repository infrastructure
 uses: flex-development/rice-action@1.0.0
 with:
- token: ${{ secrets.PAT_REPO }}
+ token: ${{ steps.bot-token.outputs.token }}
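Review bot: The new job gate `if: contains(vars.MAINTAINERS, github.actor)` on the first added line does a case-insensitive substring match when `vars.MAINTAINERS` is a plain string, so an actor whose login is a substring of a listed maintainer's login (constructed example: `bob` against `bobby`) passes it and the `update` step then runs with the bot token, which presumably carries write access since it replaces `PAT_REPO`. Store the variable as a JSON array (e.g. `["<maintainer-login>", ...]`) and compare whole elements, `if: contains(fromJSON(vars.MAINTAINERS), github.actor)`, or wrap both sides in delimiters with `format` so only exact logins match. The removed `check-user-permission` step verified the actor's current `admin` permission at run time, whereas a repository variable is a static allow-list that has to be updated by hand when maintainers change; a comment above the `if:` line such as `# MAINTAINERS is a JSON array of GitHub logins; update it when maintainers change` would make that ownership explicit. Passing the bot token to checkout with `persist-credentials: false` already kept is the right combination, since the token is used for the fetch but not written into the git config for later steps.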