Dont use github app yet, more updates

github-actions[bot] · github-actions[bot] · commit 7e1411aaa27f · 2026-02-10T17:37:28.000-08:00
diff --git a/.github/workflows/changesets-version.yml b/.github/workflows/changesets-version.yml
@@ -5,48 +5,42 @@ on:
     branches: [main]
   workflow_dispatch:
 
-permissions:
-  contents: write # for Git tags and commits
 
 jobs:
   version:
     name: Create Version Bump PR
     runs-on: ubuntu-latest
-    if: ${{ github.repository == 'microsoft/fluentui-react-native' }}
 
+    # Remove this once we setup react-native-sdk[bot] with this repo
+    permissions:
+      contents: write # for GH releases and Git tags (Changesets)
+      pull-requests: write # version PRs (Changesets)
+
+    if: ${{ github.repository == 'microsoft/fluentui-react-native' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          filter: blob:none
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'yarn'
 
-      - name: Enable Corepack
-        run: corepack enable
+      - name: Set up toolchain
+        uses: microsoft/react-native-test-app/.github/actions/setup-toolchain@5.0.14
 
       - name: Install dependencies
         run: |
-          yarn config set nodeLinker node-modules
           yarn install --immutable
 
       - name: Build packages
         run: yarn buildci
 
-      - name: Generate token for version PR
-        uses: actions/create-github-app-token@v2
-        id: app-token
-        with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
-          permissions: |
-            contents: write
-            pull-requests: write
+      # Bring this back once we setup react-native-sdk[bot] with this repo
+      # - name: Generate token for version PR
+      #   uses: actions/create-github-app-token@v2
+      #   id: app-token
+      #   with:
+      #     app-id: ${{ vars.APP_ID }}
+      #     private-key: ${{ secrets.PRIVATE_KEY }}
+      #     permissions: |
+      #       contents: write
+      #       pull-requests: write
 
       - name: Create Version Bump PR
         id: changesets
@@ -55,27 +49,12 @@ jobs:
           version: yarn changeset:version
           commit: 'chore(release): version packages'
           title: 'chore(release): version packages'
-          createGithubReleases: false  # We handle in Azure Pipelines
+          createGithubReleases: false
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          # Switch token once we setup react-native-sdk[bot] with this repo
+          # GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Post-version hook for dependency-profiles
         if: steps.changesets.outputs.hasChangesets == 'true'
-        run: |
-          if [ -d "packages/libraries/dependency-profiles" ]; then
-            echo "📦 Updating dependency-profiles"
-            cd packages/libraries/dependency-profiles
-            yarn update-profile
-            cd ../../..
-
-            yarn install --mode update-lockfile
-
-            if [[ -n $(git status --porcelain) ]]; then
-              git config user.name "github-actions[bot]"
-              git config user.email "github-actions[bot]@users.noreply.github.com"
-              git add .
-              git commit -m "chore: update dependency-profiles and lockfile"
-              git push
-              echo "✅ Committed dependency-profiles updates"
-            fi
-          fi
+        run: node scripts/update-dependency-profiles-postbump.mts
diff --git a/CHANGESETS_SETUP.md b/CHANGESETS_SETUP.md
@@ -4,8 +4,7 @@ This guide explains how to set up the hybrid changesets workflow that uses GitHu
 
 ## Prerequisites
 
-- Organization admin access to configure GitHub App
-- Repository admin access to add secrets and variables
+- Repository admin access to configure GitHub Actions permissions
 - Azure Pipelines already configured with NPM token
 
 ## Architecture Overview
@@ -16,81 +15,36 @@ Developer → Changeset (markdown) → PR merged to main
 GitHub Actions (@changesets/action)
     - changeset version (bump package.json versions)
     - Create "Version Packages" PR
-    - Use GitHub App token (bypasses org PR restrictions)
+    - Use standard GITHUB_TOKEN with write permissions
     - Run dependency-profiles postbump hook
     ↓
 Version PR merged
     ↓
 Azure Pipelines
     - Build & test
     - changeset publish (to npm)
-    - Create GitHub releases
-    - Push git tags
+    - Create git tags (automatic with changeset publish)
 ```
 
-## Phase 1: GitHub App Setup (REQUIRED)
+## Phase 1: GitHub Actions Permissions
 
-### Step 1: Create or Configure GitHub App
+The workflow uses the standard `GITHUB_TOKEN` with elevated permissions to create version bump PRs.
 
-**Option A: Use existing react-native-sdk-bot**
-1. Check if `react-native-sdk-bot` exists in your organization
-2. Verify it has the required permissions (see below)
-3. Install it on `microsoft/fluentui-react-native` repository
+### Workflow Permissions
 
-**Option B: Create new GitHub App**
-1. Go to GitHub organization settings: https://github.com/organizations/microsoft/settings/apps
-2. Click "New GitHub App"
-3. Configure:
-   - **Name**: `fluentui-react-native-release` (or similar unique name)
-   - **Homepage URL**: `https://github.com/microsoft/fluentui-react-native`
-   - **Webhook**: Uncheck "Active"
+The workflow is configured with the following permissions in [`.github/workflows/changesets-version.yml`](.github/workflows/changesets-version.yml):
 
-4. **Permissions** (Repository permissions):
-   - Contents: **Read and write**
-   - Pull requests: **Read and write**
-
-5. **Where can this GitHub App be installed?**: "Only on this account"
-
-6. Click "Create GitHub App"
-
-### Step 2: Install GitHub App on Repository
-
-1. After creating the app, go to "Install App" in the left sidebar
-2. Click "Install" next to your organization
-3. Select "Only select repositories"
-4. Choose `microsoft/fluentui-react-native`
-5. Click "Install"
-
-### Step 3: Generate Private Key
-
-1. Go to your GitHub App settings
-2. Scroll to "Private keys" section
-3. Click "Generate a private key"
-4. A `.pem` file will download - **keep this secure!**
-
-### Step 4: Get App ID
-
-1. In GitHub App settings, find the "App ID" near the top
-2. It's a numeric value (e.g., `123456`)
-3. Copy this number
-
-### Step 5: Add Repository Secrets and Variables
-
-1. Go to repository settings: https://github.com/microsoft/fluentui-react-native/settings/secrets/actions
+```yaml
+permissions:
+  contents: write       # For creating commits and tags
+  pull-requests: write  # For creating version bump PRs
+```
 
-2. Add **Repository Secret** `PRIVATE_KEY`:
-   - Click "New repository secret"
-   - Name: `PRIVATE_KEY`
-   - Value: Paste the entire contents of the `.pem` file (including `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----`)
-   - Click "Add secret"
+**No additional setup required** - GitHub automatically provides the `GITHUB_TOKEN` secret to workflows with these scoped permissions.
 
-3. Go to Variables tab: https://github.com/microsoft/fluentui-react-native/settings/variables/actions
+### Note on GitHub Apps (Alternative Approach)
 
-4. Add **Repository Variable** `APP_ID`:
-   - Click "New repository variable"
-   - Name: `APP_ID`
-   - Value: The numeric App ID from Step 4
-   - Click "Add variable"
+If your organization has restrictions that prevent the standard `GITHUB_TOKEN` from creating PRs, you can optionally use a GitHub App token approach (like [rnx-kit does](https://github.com/microsoft/rnx-kit/commit/28e835365bdeed97e50ff8e7e68ea9ad531d3849)). However, this adds complexity and is not needed for this repository.
 
 ## Phase 2: Verify Azure Pipelines Configuration
 
@@ -170,6 +124,22 @@ yarn changeset:status
 yarn changeset:status --verbose
 ```
 
+### Post-Version Hook (dependency-profiles)
+
+After version bumps, the `dependency-profiles` package needs to be updated with the latest versions. This is handled automatically in GitHub Actions.
+
+**What it does:**
+- Updates `packages/dependency-profiles` with latest package versions
+- Runs `yarn install --mode update-lockfile` to update yarn.lock
+- Commits and pushes changes (in CI only)
+
+**Script location:** [`scripts/update-dependency-profiles-postbump.mts`](scripts/update-dependency-profiles-postbump.mts)
+
+To manually run the script locally (for debugging):
+```bash
+node scripts/update-dependency-profiles-postbump.mts
+```
+
 ## Phase 4: Testing the Workflow
 
 ### Local Testing
@@ -220,28 +190,18 @@ yarn changeset:status --verbose
 4. **Verify Azure Pipelines**:
    - Check Azure Pipelines run
    - Verify packages published to npm
-   - Check GitHub releases created
-   - Verify git tags pushed
+   - Verify git tags created (changesets creates them automatically)
 
 ## Troubleshooting
 
 ### GitHub Actions Fails with "Resource not accessible by integration"
 
-**Problem**: GitHub App doesn't have correct permissions.
-
-**Solution**:
-1. Go to GitHub App settings
-2. Verify permissions: Contents (read & write), Pull requests (read & write)
-3. If permissions were changed, reinstall the app on the repository
-
-### GitHub Actions Fails with "Bad credentials"
-
-**Problem**: PRIVATE_KEY or APP_ID is incorrect.
+**Problem**: The `GITHUB_TOKEN` doesn't have sufficient permissions.
 
 **Solution**:
-1. Verify APP_ID matches the number in GitHub App settings
-2. Regenerate private key if needed
-3. Update repository secret with new key
+1. Verify the workflow has `permissions` section with `contents: write` and `pull-requests: write`
+2. Check repository settings → Actions → General → Workflow permissions
+3. Ensure "Read and write permissions" is selected (not "Read repository contents and packages permissions")
 
 ### Azure Pipelines "changeset publish" Fails
 
@@ -290,8 +250,8 @@ Update any CI/CD rules that reference the old branch name.
 ## References
 
 - **Changesets docs**: https://github.com/changesets/changesets
-- **GitHub App tokens**: https://github.com/actions/create-github-app-token
-- **rnx-kit example**: https://github.com/microsoft/rnx-kit/.github/workflows/build.yml
+- **GitHub Actions permissions**: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+- **rnx-kit example** (uses GitHub App approach): https://github.com/microsoft/rnx-kit/.github/workflows/build.yml
 
 ## Support
 
diff --git a/scripts/update-dependency-profiles-postbump.mts b/scripts/update-dependency-profiles-postbump.mts
@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+/**
+ * Post-version hook for dependency-profiles package
+ *
+ * This script runs after changesets version bump to update dependency-profiles
+ * with the latest package versions and commit the changes.
+ *
+ * Usage: node scripts/update-dependency-profiles-postbump.mts
+ */
+
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import { resolve } from 'path';
+
+const DEPENDENCY_PROFILES_DIR = 'packages/dependency-profiles';
+
+function execCommand(command: string, cwd?: string): void {
+  console.log(`> ${command}`);
+  execSync(command, {
+    stdio: 'inherit',
+    cwd: cwd ? resolve(cwd) : undefined
+  });
+}
+
+function hasGitChanges(): boolean {
+  try {
+    const output = execSync('git status --porcelain', { encoding: 'utf8' });
+    return output.trim().length > 0;
+  } catch (error) {
+    console.error('Failed to check git status:', error);
+    return false;
+  }
+}
+
+function main(): void {
+  console.log('🔍 Checking for dependency-profiles package...');
+
+  if (!existsSync(DEPENDENCY_PROFILES_DIR)) {
+    console.log('⚠️  dependency-profiles directory not found, skipping');
+    return;
+  }
+
+  console.log('📦 Updating dependency-profiles');
+
+  // Run update-profile script
+  execCommand('yarn update-profile', DEPENDENCY_PROFILES_DIR);
+
+  // Update lockfile at root
+  console.log('🔄 Updating yarn.lock');
+  execCommand('yarn install --mode update-lockfile');
+
+  // Check if there are changes to commit
+  if (!hasGitChanges()) {
+    console.log('✅ No changes to commit');
+    return;
+  }
+
+  console.log('💾 Committing dependency-profiles updates');
+
+  // Configure git
+  execCommand('git config user.name "github-actions[bot]"');
+  execCommand('git config user.email "github-actions[bot]@users.noreply.github.com"');
+
+  // Stage all changes
+  execCommand('git add .');
+
+  // Commit
+  execCommand('git commit -m "chore: update dependency-profiles and lockfile"');
+
+  // Push
+  execCommand('git push');
+
+  console.log('✅ Committed dependency-profiles updates');
+}
+
+main();
