Build/Test Tools: Re-add GitHub App.

Without this, workflow runs are not triggered by commits made by the workflow. Follow up to [59983], [60052], [60059], [60063], [60064]. See #62221. git-svn-id: https://develop.svn.wordpress.org/trunk@60065 602fd350-edb4-49c9-b593-d223f7449a82
2025-03-23 13:29:56 +01:00 · 2025-03-21 18:00:25 +00:00 · 2025-03-21 18:00:25 +00:00 · 48a709e5f1
commit 48a709e5f1
parent fc4b53bd63
1 changed files with 42 additions and 2 deletions
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@ -24,6 +24,7 @@ jobs:
  # - Attempts to download the artifact containing the PR diff.
  # - Checks for the existence of an artifact.
  # - Unzips the artifact.
+  # - Generates a token for authenticating with the GitHub App.
  # - Checks out the repository.
  # - Applies the patch file.
  # - Displays the result of git diff.
@ -83,6 +84,42 @@ jobs:
        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
        run: unzip pr-built-file-changes.zip

+      - name: Generate Installation Token
+        id: generate_token
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
+        run: |
+          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
+
+          # Generate JWT
+          JWT=$(python3 - <<EOF
+          import jwt, time
+          private_key = open("private-key.pem", "r").read()
+          payload = {
+              "iat": int(time.time()),
+              "exp": int(time.time()) + 600,  # 10-minute expiration
+              "iss": $GH_APP_ID
+          }
+          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          EOF
+          )
+
+          # Get Installation ID
+          INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations | jq -r '.[0].id')
+
+          # Request Installation Access Token
+          ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
+
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+          rm -f private-key.pem
+
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@ -91,6 +128,7 @@ jobs:
          ref: ${{ github.event.workflow_run.head_branch }}
          path: 'pr-repo'
          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          token: ${{ env.ACCESS_TOKEN }}

      - name: Apply patch
        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@ -105,9 +143,11 @@ jobs:
      - name: Configure git user name and email
        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
        working-directory: 'pr-repo'
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
        run: |
-          git config user.name "WordPress Build Script Bot[bot]"
-          git config user.email wordpress@users.noreply.github.com
+          git config user.name "wordpress-develop-pr-bot[bot]"
+          git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com

      - name: Stage changes
        if: ${{ steps.artifact-check.outputs.exists == 'true' }}