Skip to content

chore: Use GH app instead of PAT #1140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
CharlesDuboisSAP merged 5 commits into from
Apr 17, 2026
Merged

chore: Use GH app instead of PAT #1140

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ff8d48c
use gh token where possible
marikaner Apr 7, 2026
de35537
use gh app
marikaner Apr 7, 2026
ba2ef1a
Apply suggestion from @marikaner
marikaner Apr 7, 2026
a2de41a
rename
marikaner Apr 7, 2026
2df2c2e
Apply suggestions from code review
marikaner Apr 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/cache-maven-dependencies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ env:
jobs:
update-cache:
runs-on: ubuntu-latest
permissions:
actions: write # needed to delete existing caches
Comment thread
marikaner marked this conversation as resolved.
Outdated
steps:
- name: "Checkout"
uses: actions/checkout@v6
Expand All @@ -36,7 +38,7 @@ jobs:
gh cache delete "${CACHE_ID}"
done
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "Cache Dependencies"
uses: actions/cache/save@v5
Expand Down
16 changes: 12 additions & 4 deletions .github/workflows/dependabot-automerge.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,21 @@ env:
jobs:
review-prs:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v6

- name: "Create GitHub App Token"
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk-java
permission-contents: write
permission-pull-requests: write

@CharlesDuboisSAP CharlesDuboisSAP Apr 15, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't run

The permissions requested are not granted to this installation.

- name: Approve and Merge PRs
run: |
PRS=$(gh pr list --app "dependabot" --state "open" --json number,title)
Expand All @@ -47,4 +55,4 @@ jobs:
gh pr review "$PR_NUMBER" --approve
done <<< "$PR_NUMBERS"
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}
15 changes: 13 additions & 2 deletions .github/workflows/javadoc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,12 +57,23 @@ jobs:
- name: "Generate aggregated Javadoc"
run: mvn clean javadoc:aggregate -Drelease -Djava.failOnWarning=false --projects "${PROJECTS}" --quiet

- name: "Create GitHub App Token"
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk
permission-contents: write
permission-pull-requests: write

- name: "Checkout Docs Repository"
uses: actions/checkout@v6
with:
repository: ${{ env.DOCS_REPO }}
path: .cloud-sdk-docs
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
token: ${{ steps.create-app-token.outputs.token }}

- name: "Replace JavaDoc"
id: replace-javadoc
Expand Down Expand Up @@ -107,4 +118,4 @@ jobs:
echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
echo "PR: $PR_URL" >> $GITHUB_STEP_SUMMARY
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}
85 changes: 52 additions & 33 deletions .github/workflows/perform-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
name: "Perform Release"
name: 'Perform Release'

on:
workflow_dispatch:
inputs:
release_pr_number:
description: "The PR number of the release PR"
description: 'The PR number of the release PR'
required: true
skip-pr-merge:
description: "Whether to skip merging the PRs"
description: 'Whether to skip merging the PRs'
required: false
default: false
type: boolean
Expand All @@ -19,7 +19,7 @@ env:

jobs:
prerequisites:
name: "Prerequisites"
name: 'Prerequisites'
outputs:
code-branch: ${{ steps.determine-branch-names.outputs.CODE_BRANCH_NAME }}
docs-branch: ${{ steps.determine-branch-names.outputs.DOCS_BRANCH_NAME }}
Expand All @@ -30,7 +30,7 @@ jobs:
permissions: write-all # contents and push are needed to see the draft release
runs-on: ubuntu-latest
steps:
- name: "Determine Branch Names"
- name: 'Determine Branch Names'
id: determine-branch-names
run: |
CODE_BRANCH_NAME=$(gh pr view ${{github.event.inputs.release_pr_number}} --repo ${{github.repository}} --json headRefName --jq '.headRefName')
Expand All @@ -39,22 +39,22 @@ jobs:
RELEASE_COMMIT=$(gh release view $RELEASE_TAG --repo ${{github.repository}} --json targetCommitish --jq '.targetCommitish')
RELEASE_NOTES_BRANCH_NAME=java/release-notes-$RELEASE_VERSION
RELEASE_JAVADOC_BRANCH_NAME=java/release-docs-$RELEASE_VERSION

echo "CODE_BRANCH_NAME=$CODE_BRANCH_NAME" >> $GITHUB_OUTPUT
echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_OUTPUT
echo "RELEASE_TAG=$RELEASE_TAG" >> $GITHUB_OUTPUT
echo "RELEASE_COMMIT=$RELEASE_COMMIT" >> $GITHUB_OUTPUT
echo "RELEASE_NOTES_BRANCH_NAME=$RELEASE_NOTES_BRANCH_NAME" >> $GITHUB_OUTPUT
echo "RELEASE_JAVADOC_BRANCH_NAME=$RELEASE_JAVADOC_BRANCH_NAME" >> $GITHUB_OUTPUT

echo -e "[DEBUG] Current GITHUB_OUTPUT:\n$(cat $GITHUB_OUTPUT)"
env:
GH_TOKEN: ${{ github.token }}

- name: "Checkout Repository"
- name: 'Checkout Repository'
uses: actions/checkout@v6

- name: "Check Whether Code PR Can Be Merged"
- name: 'Check Whether Code PR Can Be Merged'
if: ${{ inputs.skip-pr-merge != 'true' }}
uses: ./.github/actions/pr-is-mergeable
with:
Expand All @@ -65,53 +65,72 @@ jobs:
\"dependabot merger\": []
}

- name: "Check Code Release Commit Continuous Integration"
- name: 'Check Code Release Commit Continuous Integration'
if: ${{ inputs.skip-pr-merge != 'true' }}
uses: ./.github/actions/workflow-succeeded
with:
workflow: "Continuous Integration"
workflow: 'Continuous Integration'
sha: ${{ steps.determine-branch-names.outputs.RELEASE_COMMIT }}
excluded-jobs: "[\"Run BlackDuck Scan\"]"
excluded-jobs: '["Run BlackDuck Scan"]'

- name: 'Create GitHub App Token'
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk

- name: "Check Whether Release Notes PR Can Be Merged"
- name: 'Check Whether Release Notes PR Can Be Merged'
if: ${{ inputs.skip-pr-merge != 'true' }}
uses: ./.github/actions/pr-is-mergeable
with:
pr-ref: ${{ steps.determine-branch-names.outputs.RELEASE_NOTES_BRANCH_NAME }}
repo: ${{ env.DOCS_REPO }}
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
token: ${{ steps.create-app-token.outputs.token }}
excluded-check-runs: |
{
\"Build Cloud SDK Documentation\": [\"dependabot\"]
}

- name: "Check Whether JavaDoc PR Can Be Merged"
- name: 'Check Whether JavaDoc PR Can Be Merged'
if: ${{ inputs.skip-pr-merge != 'true' }}
uses: ./.github/actions/pr-is-mergeable
with:
pr-ref: ${{ steps.determine-branch-names.outputs.RELEASE_JAVADOC_BRANCH_NAME }}
repo: ${{ env.DOCS_REPO }}
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
token: ${{ steps.create-app-token.outputs.token }}
excluded-check-runs: |
{
\"Build Cloud SDK Documentation\": [\"dependabot\"]
}

release:
name: "Release"
needs: [ prerequisites ]
name: 'Release'
needs: [prerequisites]
runs-on: ubuntu-latest
permissions:
contents: write # needed to modify the release draft
pull-requests: write # needed to merge the release PR
steps:
- name: "Setup java"
- name: 'Create GitHub App Token'
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk-java,cloud-sdk
permission-contents: write
permission-pull-requests: write # needed to merge the release PR

- name: 'Setup java'
uses: actions/setup-java@v5
with:
distribution: "sapmachine"
distribution: 'sapmachine'
java-version: ${{ env.JAVA_VERSION }}

- name: "Download Release Asset"
- name: 'Download Release Asset'
id: download-asset
run: |
gh release download ${{ needs.prerequisites.outputs.release-tag }} --dir ./ --repo "${{ github.repository }}"
Expand All @@ -120,42 +139,42 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "Import GPG Key"
- name: 'Import GPG Key'
run: |
echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --batch --passphrase "$MAVEN_GPG_PASSPHRASE" --import
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}

- name: "Create settings.xml"
- name: 'Create settings.xml'
run: |
echo '${{ secrets.CENTRAL_SONATYPE_SETTINGS_XML }}' > settings.xml

- name: "Deploy"
- name: 'Deploy'
run: |
MVN_ARGS="${{ env.MVN_CLI_ARGS }} -Drelease -s settings.xml"
mvn deploy $MVN_ARGS
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}

- name: "Merge Code PR"
- name: 'Merge Code PR'
if: ${{ inputs.skip-pr-merge != 'true' }}
run: gh pr merge --squash "${{ needs.prerequisites.outputs.code-branch }}" --delete-branch --repo "${{ github.repository }}"
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}

- name: "Publish the Draft Release"
- name: 'Publish the Draft Release'
run: gh release edit ${{ needs.prerequisites.outputs.release-tag }} --draft=false --repo "${{ github.repository }}"
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "Merge Release Notes PR"
- name: 'Merge Release Notes PR'
if: ${{ inputs.skip-pr-merge != 'true' }}
run: gh pr merge --squash "${{ needs.prerequisites.outputs.release-notes-branch }}" --delete-branch --repo "${{ env.DOCS_REPO }}"
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}

- name: "Merge JavaDoc PR"
- name: 'Merge JavaDoc PR'
if: ${{ inputs.skip-pr-merge != 'true' }}
run: gh pr merge --squash "${{ needs.prerequisites.outputs.release-javadoc-branch }}" --delete-branch --repo "${{ env.DOCS_REPO }}"
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}
50 changes: 41 additions & 9 deletions .github/workflows/prepare-release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,17 +181,28 @@ jobs:
pr-url: ${{ steps.create-release-notes-pr.outputs.PR_URL }}
runs-on: ubuntu-latest
steps:
- name: "Create GitHub App Token"
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk-java,cloud-sdk
permission-contents: write
permission-pull-requests: write

- name: "Checkout Code Repository"
uses: actions/checkout@v6
with:
ref: ${{ needs.bump-version.outputs.release-branch }}
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
token: ${{ steps.create-app-token.outputs.token }}
- name: "Checkout Docs Repository"
uses: actions/checkout@v6
with:
repository: ${{ env.DOCS_REPO }}
path: .cloud-sdk-docs
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
token: ${{ steps.create-app-token.outputs.token }}
- name: "Prepare Git"
working-directory: ./.cloud-sdk-docs
run: |
Expand Down Expand Up @@ -234,7 +245,7 @@ jobs:
PR_URL=$(gh pr create --title "$PR_TITLE" --body "$PR_BODY" --repo "${{ env.DOCS_REPO }}")
echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}

- name: "Reset Release Notes for Next Version"
run: |
Expand All @@ -259,11 +270,22 @@ jobs:
pr-url: ${{ steps.create-code-pr.outputs.PR_URL }}
runs-on: ubuntu-latest
steps:
- name: "Create GitHub App Token"
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk-java
permission-contents: write
permission-pull-requests: write

- name: "Checkout Repository"
uses: actions/checkout@v6
with:
ref: ${{ needs.bump-version.outputs.release-branch }}
token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }} # this is needed so that the same token is used when pushing our changes later. Otherwise, our on: push workflows (i.e. our continuous integration) won't be triggered.
token: ${{ steps.create-app-token.outputs.token }} # this is needed so that the same token is used when pushing our changes later. Otherwise, our on: push workflows (i.e. our continuous integration) won't be triggered.
- name: "Prepare Git"
run: |
git config --global user.email "cloudsdk@sap.com"
Expand All @@ -290,7 +312,7 @@ jobs:
- [ ] Once the `Perform Release` workflow is through, head over to [Central Sonatype](https://central.sonatype.com/publishing/deployments) and log in with the credentials in the Team Password Safe. There should be a published release.")
echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}

handle-failure:
runs-on: ubuntu-latest
Expand All @@ -308,26 +330,36 @@ jobs:
if: ${{ needs.create-release.outputs.release-url != '' }}
run: gh release delete --repo "${{ github.repository }}" ${{ needs.create-release.outputs.release-name }} --yes
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true

- name: "Delete Release Branch"
if: ${{ needs.bump-version.outputs.release-branch != '' }}
run: git push --delete origin ${{ needs.bump-version.outputs.release-branch }}
env:
GITHUB_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true

- name: "Delete Release Tag"
if: ${{ needs.bump-version.outputs.release-tag != '' }}
run: git push --delete origin ${{ needs.bump-version.outputs.release-tag }}
env:
GITHUB_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true

- name: "Create GitHub App Token"
id: create-app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
Comment thread
marikaner marked this conversation as resolved.
Outdated
private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
owner: SAP
repositories: cloud-sdk
permission-pull-requests: write

- name: "Delete Release Notes PR"
if: ${{ needs.create-release-notes-pr.outputs.pr-url != '' }}
run: gh pr close --repo "${{ env.DOCS_REPO }}" ${{ needs.create-release-notes-pr.outputs.pr-url }} --delete-branch
env:
GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
GH_TOKEN: ${{ steps.create-app-token.outputs.token }}
continue-on-error: true
Loading