refactor: Consolidate GitHub credentials and git operations in workflows

arturcic · arturcic · commit 7ba7f0e7e30c · 2026-03-18T16:38:47.000+01:00
diff --git a/.github/workflows/gittools-actions.yml b/.github/workflows/gittools-actions.yml
@@ -32,24 +32,24 @@ jobs:
             $version = "${{ github.event.inputs.tag-name }}"
           }
           "version=$version" >> $env:GITHUB_OUTPUT
-      -
-        name: Load GitHub App credentials
-        id: gh-app-creds
-        uses: gittools/cicd/gh-app-creds@v1
+
+      - name: Load GitHub App credentials
+        id: github-app-creds
+        uses: gittools/cicd/github-app-creds@v1
         with:
           op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      -
-        name: Generate GitHub App Token
+
+      - name: Generate GitHub App Token
         id: app-token
         uses: actions/create-github-app-token@v3
         with:
-          app-id: ${{ steps.gh-app-creds.outputs.gh_app_id }}
-          private-key: ${{ steps.gh-app-creds.outputs.gh_app_private_key }}
+          app-id: ${{ steps.github-app-creds.outputs.gh_app_id }}
+          private-key: ${{ steps.github-app-creds.outputs.gh_app_private_key }}
           owner: ${{ github.repository_owner }}
           repositories: actions
           permission-contents: write
-      -
-        uses: peter-evans/repository-dispatch@v4
+
+      - uses: peter-evans/repository-dispatch@v4
         name: Update GitTools Actions
         with:
           token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
@@ -28,34 +28,23 @@ jobs:
             $version = "${{ github.event.inputs.tag-name }}"
           }
           "version=$version" >> $env:GITHUB_OUTPUT
-      -
-        name: Load GitHub App credentials
-        id: gh-app-creds
-        uses: gittools/cicd/gh-app-creds@v1
+
+      - name: Load GitHub release token
+        id: github-creds
+        uses: gittools/cicd/github-creds@v1
         with:
           op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      -
-        name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@v3
-        with:
-          app-id: ${{ steps.gh-app-creds.outputs.gh_app_id }}
-          private-key: ${{ steps.gh-app-creds.outputs.gh_app_private_key }}
-          owner: ${{ github.repository_owner }}
-          repositories: homebrew-core
-          permission-contents: write
-          permission-pull-requests: write
-      -
-        uses: mislav/bump-homebrew-formula-action@v3
+
+      - uses: mislav/bump-homebrew-formula-action@v3
         name: Bump Homebrew formula
         with:
           formula-name: gitversion
           tag-name: ${{ steps.get-version.outputs.version }}
           download-url: https://github.com/GitTools/GitVersion/archive/refs/tags/${{ steps.get-version.outputs.version }}.tar.gz
-          push-to: ${{ github.repository_owner }}/homebrew-core
+          push-to: gittools-bot/homebrew-core
           commit-message: |
             {{formulaName}} {{version}}
 
             For additional details see https://github.com/GitTools/GitVersion/releases/tag/${{ steps.get-version.outputs.version }}
         env:
-          COMMITTER_TOKEN: ${{ steps.app-token.outputs.token }}
+          COMMITTER_TOKEN: ${{ steps.github-creds.outputs.github_release_token }}
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -24,41 +24,27 @@ defaults:
 
 jobs:
   docs:
-    permissions:
-      contents: write
     name: Update Markdown (embedded snippets)
     runs-on: ubuntu-24.04
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v6
-        if: github.event_name == 'push'
-      -
-        name: Checkout
-        uses: actions/checkout@v6
-        if: github.event_name == 'pull_request'
-      -
-        name: Setup .NET SDK
+      - name: Checkout
+        uses: gittools/cicd/checkout@v1
+        with:
+          op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup .NET SDK
         uses: actions/setup-dotnet@v5
         with:
           global-json-file: global.json
-      -
-        name: Run MarkdownSnippets
+
+      - name: Run MarkdownSnippets
         run: |
           dotnet tool install --global MarkdownSnippets.Tool
           mdsnippets --write-header false
         working-directory: ${{ github.workspace }}/docs/input
-      -
-        name: Check for changes
-        id: status
-        run: |
-          if ($null -ne (git status --porcelain)) { echo "has_changes=1"; echo "has_changes=1" >> $env:GITHUB_OUTPUT }
-      -
-        name: Push changes
-        run: |
-          git add --verbose .
-          git config user.name 'gittools-bot'
-          git config user.email 'gittoolsbot@outlook.com'
-          git commit -m 'Docs changes' --allow-empty
-          git push --force
-        if: steps.status.outputs.has_changes == '1' && github.event_name == 'push'
+
+      - name: Commit and push markdown docs changes
+        uses: gittools/cicd/git-commit-push@v1
+        with:
+          message: "include markdown docs changes"
diff --git a/.github/workflows/public-api.yml b/.github/workflows/public-api.yml
@@ -11,29 +11,19 @@ defaults:
 
 jobs:
   public-api:
-    permissions:
-      contents: write
     name: Mark public API as shipped
     runs-on: ubuntu-24.04
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v6
-        if: github.event_name == 'repository_dispatch' || github.event_name == 'workflow_dispatch'
-      -
-        name: Mark public API as shipped
+      - name: Checkout
+        uses: gittools/cicd/checkout@v1
+        with:
+          op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          fetch-depth: 0
+
+      - name: Mark public API as shipped
         run: ./src/mark-shipped.ps1
-      -
-        name: Check for changes
-        id: status
-        run: |
-          if ($null -ne (git status --porcelain)) { echo "has_changes=1"; echo "has_changes=1" >> $env:GITHUB_OUTPUT }
-      -
-        name: Push changes
-        run: |
-          git add --verbose .
-          git config user.name 'gittools-bot'
-          git config user.email 'gittoolsbot@outlook.com'
-          git commit -m 'Mark public API as shipped' --allow-empty
-          git push --force
-        if: steps.status.outputs.has_changes == '1'
+
+      - name: Commit and push changes
+        uses: gittools/cicd/git-commit-push@v1
+        with:
+          message: "include public API changes"
diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
@@ -14,44 +14,34 @@ permissions:
 
 jobs:
   homebrew:
-    permissions:
-      contents: none
     name: Bump winget manifest
     runs-on: ubuntu-24.04
     steps:
-    - name: Load GitHub App credentials
-      id: gh-app-creds
-      uses: gittools/cicd/gh-app-creds@v1
-      with:
-        op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    - name: Generate GitHub App Token
-      id: app-token
-      uses: actions/create-github-app-token@v3
-      with:
-        app-id: ${{ steps.gh-app-creds.outputs.gh_app_id }}
-        private-key: ${{ steps.gh-app-creds.outputs.gh_app_private_key }}
-        owner: ${{ github.repository_owner }}
-        repositories: winget-pkgs
-        permission-contents: write
-        permission-pull-requests: write
-    - name: Get version
-      id: get-version
-      shell: pwsh
-      run: |
-        $version = "${{ github.event.client_payload.tag }}"
-        if ($version -eq "") {
-          $version = "${{ github.event.inputs.tag-name }}"
-        }
+      - name: Get version
+        id: get-version
+        shell: pwsh
+        run: |
+          $version = "${{ github.event.client_payload.tag }}"
+          if ($version -eq "") {
+            $version = "${{ github.event.inputs.tag-name }}"
+          }
 
-        $url = "https://github.com/GitTools/GitVersion/releases/download/{0}/gitversion-win-{1}-{0}.zip"
-        $urls = @(($url -f $version, "x64"), ($url -f $version, "arm64")) -Join " "
+          $url = "https://github.com/GitTools/GitVersion/releases/download/{0}/gitversion-win-{1}-{0}.zip"
+          $urls = @(($url -f $version, "x64"), ($url -f $version, "arm64")) -Join " "
 
-        $run_args = "update GitTools.GitVersion --version $version --urls $urls --submit"
-        "version=$version" >> $env:GITHUB_OUTPUT
-        "run_args=$run_args" >> $env:GITHUB_OUTPUT
+          $run_args = "update GitTools.GitVersion --version $version --urls $urls --submit"
+          "version=$version" >> $env:GITHUB_OUTPUT
+          "run_args=$run_args" >> $env:GITHUB_OUTPUT
 
-    - uses: michidk/run-komac@v2.1.0
-      env:
-        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-      with:
-        args: '${{ steps.get-version.outputs.run_args }}'
+      - name: Load GitHub release token
+        id: github-creds
+        uses: gittools/cicd/github-creds@v1
+        with:
+          op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+
+      - uses: michidk/run-komac@v2.1.0
+        env:
+          GITHUB_TOKEN: ${{ steps.github-creds.outputs.github_release_token }}
+        with:
+          args: '${{ steps.get-version.outputs.run_args }}'
+          custom-fork-owner: gittools-bot
