Skip to content

Commit fcfa981

Browse files
ci: use GitHub App token for cross-repo dispatch instead of expiring PAT
Replace secrets.DISPATCH_WORKFLOWS_TOKEN (an expiring PAT) with a short-lived GitHub App token minted at runtime via actions/create-github-app-token, scoped to oauth-service and dashboard. Reuses the GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET pattern already used by the e2e trigger action in this repo. App tokens do not expire, so this removes the recurring token-expiry breakage.
1 parent 09d1ef6 commit fcfa981

1 file changed

Lines changed: 11 additions & 1 deletion

File tree

.github/workflows/publish.yml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -105,12 +105,22 @@ jobs:
105105
const checkingVersion = '${{ steps.set_current_version.outputs.CURRENT_VERSION }}';
106106
const checkNpmVersions = require('./scripts/wait-for-npm-indexing.js');
107107
await checkNpmVersions(github, ['@frontegg/react'], checkingVersion);
108+
- name : "Create bot token for dispatch"
109+
id : dispatch_bot_token
110+
uses : actions/create-github-app-token@v1
111+
with :
112+
app-id : ${{ secrets.GH_FRONTEGG_BOT_APP_ID }}
113+
private-key : ${{ secrets.GH_FRONTEGG_BOT_APP_SECRET }}
114+
owner : frontegg
115+
repositories : |
116+
oauth-service
117+
dashboard
108118
- name : "Trigger Oauth and Dashboard Services Pipeline Workflow"
109119
uses : actions/github-script@v5
110120
env :
111121
PR_VERSION : '${{ steps.set_current_version.outputs.CURRENT_VERSION }}'
112122
with :
113-
github-token : ${{ secrets.DISPATCH_WORKFLOWS_TOKEN }}
123+
github-token : ${{ steps.dispatch_bot_token.outputs.token }}
114124
script : |
115125
const fe_react_version = process.env.PR_VERSION;
116126
const owner = 'frontegg';

0 commit comments

Comments
 (0)