|
25 | 25 | type: string |
26 | 26 | default: "@oncall-client-primary" |
27 | 27 | secrets: |
28 | | - auth_token: |
29 | | - description: "GitHub App installation token with cross-repo push and PR permissions." |
| 28 | + app_id: |
| 29 | + description: "GitHub App ID." |
30 | 30 | required: true |
31 | | - # workflow_dispatch is used for stuck-stack recovery. GitHub Actions does |
32 | | - # not support secrets under workflow_dispatch, so the dispatched run must |
33 | | - # generate its own token (e.g. via actions/create-github-app-token). The |
34 | | - # consuming repo should store REPO_SYNC_APP_ID and |
35 | | - # REPO_SYNC_APP_PRIVATE_KEY as repo-level secrets. |
| 31 | + app_private_key: |
| 32 | + description: "GitHub App private key." |
| 33 | + required: true |
| 34 | + # workflow_dispatch is used for stuck-stack recovery. |
36 | 35 | workflow_dispatch: |
37 | 36 | inputs: |
38 | 37 | pr_number: |
@@ -75,38 +74,32 @@ jobs: |
75 | 74 | PRIVATE_REPO: ${{ inputs.private_repo }} |
76 | 75 | ESCALATE_TO: ${{ inputs.escalate_to }} |
77 | 76 | steps: |
78 | | - # For workflow_dispatch, generate a token since secrets aren't available. |
79 | | - # For workflow_call, use the passed auth_token. |
80 | | - - name: Generate token (workflow_dispatch) |
81 | | - if: github.event_name == 'workflow_dispatch' |
82 | | - id: gen_token |
| 77 | + # Generate a token for both workflow_call and workflow_dispatch. |
| 78 | + # For workflow_call, secrets are passed from the caller. |
| 79 | + # For workflow_dispatch, secrets come from the repo's own secrets. |
| 80 | + - name: Generate installation token |
| 81 | + id: token |
83 | 82 | uses: actions/create-github-app-token@v1 |
84 | 83 | with: |
85 | | - app-id: ${{ secrets.REPO_SYNC_APP_ID }} |
86 | | - private-key: ${{ secrets.REPO_SYNC_APP_PRIVATE_KEY }} |
| 84 | + app-id: ${{ secrets.app_id || secrets.REPO_SYNC_APP_ID }} |
| 85 | + private-key: ${{ secrets.app_private_key || secrets.REPO_SYNC_APP_PRIVATE_KEY }} |
87 | 86 | owner: ${{ github.repository_owner }} |
88 | | - |
89 | 87 | - name: Set GH_TOKEN |
90 | | - run: | |
91 | | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then |
92 | | - echo "GH_TOKEN=${{ steps.gen_token.outputs.token }}" >> "$GITHUB_ENV" |
93 | | - else |
94 | | - echo "GH_TOKEN=${{ secrets.auth_token }}" >> "$GITHUB_ENV" |
95 | | - fi |
| 88 | + run: echo "GH_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV" |
96 | 89 |
|
97 | 90 | - name: Checkout repo |
98 | 91 | uses: actions/checkout@v4 |
99 | 92 | with: |
100 | 93 | fetch-depth: 0 |
101 | | - token: ${{ env.GH_TOKEN }} |
| 94 | + token: ${{ steps.token.outputs.token }} |
102 | 95 |
|
103 | 96 | - name: Checkout repo-sync tooling |
104 | 97 | uses: actions/checkout@v4 |
105 | 98 | with: |
106 | 99 | repository: warpdotdev/repo-sync |
107 | 100 | ref: v1 |
108 | 101 | path: .repo-sync |
109 | | - token: ${{ env.GH_TOKEN }} |
| 102 | + token: ${{ steps.token.outputs.token }} |
110 | 103 |
|
111 | 104 | - name: Set up Python |
112 | 105 | uses: actions/setup-python@v5 |
|
0 commit comments