Build/Test Tools: Improve the "Commit Built File Changes" workflow.

johnbillion · johnbillion · commit 49986e493b6e · 2026-05-21T16:23:42.000Z
Developed in WordPress#11808 Props desrosj, johnbillion See #64893 git-svn-id: https://develop.svn.wordpress.org/trunk@62403 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
@@ -40,7 +40,9 @@ jobs:
     if: ${{ github.repository == 'wordpress/wordpress-develop' }}
     timeout-minutes: 10
     permissions:
-      contents: write
+      # The actual `git push` is authenticated via a dedicated GitHub App installation token
+      # generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
+      actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
     steps:
       - name: Download artifact
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -90,21 +92,18 @@ jobs:
         id: generate_token
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
           GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
         run: |
-          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
-
           # Generate JWT
           JWT=$(python3 - <<EOF
-          import jwt, time
-          private_key = open("private-key.pem", "r").read()
+          import jwt, time, os
           payload = {
               "iat": int(time.time()),
               "exp": int(time.time()) + 600,  # 10-minute expiration
-              "iss": $GH_APP_ID
+              "iss": int(os.environ["GH_APP_ID"]),
           }
-          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          print(jwt.encode(payload, os.environ["GH_APP_PRIVATE_KEY"], algorithm="RS256"))
           EOF
           )
 
@@ -118,9 +117,7 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
 
-          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
-
-          rm -f private-key.pem
+          echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -130,7 +127,7 @@ jobs:
           ref: ${{ github.event.workflow_run.head_branch }}
           path: 'pr-repo'
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
-          token: ${{ env.ACCESS_TOKEN }}
+          token: ${{ steps.generate_token.outputs.access-token }}
           persist-credentials: true
 
       - name: Apply patch
@@ -147,7 +144,7 @@ jobs:
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
         run: |
           git config user.name "wordpress-develop-pr-bot[bot]"
           git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
