Merge pull request #102 from telekom-mms/use_github_app

use github app in release workflow
telekom-mms · Nov 10, 2023 · 4c28b42 · 4c28b42
2 parents 1f681d9 + b22a069
commit 4c28b42
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ jobs:
     name: create release draft
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: 'Get Previous tag'
         id: previoustag
@@ -39,10 +42,21 @@ jobs:
           name: ${{ inputs.files }}
         if: ${{ inputs.files != '' }}
 
+      # the token is needed so the github app can push to the repository
+      # the github app can bypass the branch protection rule (need a PR to merge)
+      # this way it can directly commit to main
+      - name: Obtain a GitHub App Installation Access Token
+        id: githubAppAuth
+        run: |
+          TOKEN="$(npx obtain-github-app-installation-access-token ci ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }})"
+          echo "::add-mask::$TOKEN"
+          echo token=${TOKEN} >> $GITHUB_OUTPUT
+
       - name: update and push due to new release
         uses: github-actions-x/commit@722d56b8968bf00ced78407bbe2ead81062d8baa # v2.9
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # use the token obtained in the step before
+          github-token: ${{ steps.githubAppAuth.outputs.token }}
           push-branch: 'main'
           commit-message: 'update due to new release'
           force-add: 'true'

diff --git a/README.md b/README.md
@@ -174,6 +174,9 @@ It should only run on `push` to master/main branch.
 The action creates a new *draft* release and updates the changelog. Furthermore it adds defined files (e.g. created in other workflows) to the release.
 The user then has to publish the new release.
 
+The push step of this action used the [Github app](https://github.com/organizations/telekom-mms/settings/installations) "MMS branch protection as code"
+to push to the main branch, bypassing branch protection rules.
+
 #### Inputs
 
 | inputs | description                                   | type   | required |