diff --git a/.github/workflows/accept-baselines-fix-lints.yaml b/.github/workflows/accept-baselines-fix-lints.yaml index 15280cfa7814c..64c0f49d91f28 100644 --- a/.github/workflows/accept-baselines-fix-lints.yaml +++ b/.github/workflows/accept-baselines-fix-lints.yaml @@ -5,6 +5,7 @@ on: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -15,11 +16,14 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' 
@@ -37,4 +41,27 @@ jobs: git add ./tests/baselines/reference git diff --cached git commit -m "Update Baselines, Applied Lint Fixes, and/or Formatted" - git push + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + - run: git push diff --git a/.github/workflows/close-issues.yml b/.github/workflows/close-issues.yml index 5c819fc636644..62c777b7d1715 100644 --- a/.github/workflows/close-issues.yml +++ b/.github/workflows/close-issues.yml @@ -7,6 +7,7 @@ on: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference 
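Review bot: The `Configure git for GitHub App token` step writes the App token, base64-encoded, into `.git/config` via `http.https://github.com/.extraheader`, so the credential that `persist-credentials: false` kept out of the workspace is put straight back for every later step of the job, and the following `- run: git push` is a separate step, so nothing bounds how long it stays there. Passing the header only to the command that needs it keeps the token off disk: drop the `git config --local` line and end the same step with `git -c http.https://github.com/.extraheader="AUTHORIZATION: basic ${basic_auth}" push`, or add an `if: always()` step running `git config --local --unset-all http.https://github.com/.extraheader` after the push. The same pattern is added in create-cherry-pick-pr.yml, lkg.yml, new-release-branch.yaml, set-version.yaml, sync-branch.yaml, sync-wiki.yml and update-package-lock.yaml (there the push is already in the same step, so the `-c` form is a one-line change). Since the azure/login, token-minting and git-config sequence is duplicated verbatim across those files, a composite action would give the credential handling a single place to fix.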
@@ -17,15 +18,36 @@ defaults: jobs: close-issues: runs-on: ubuntu-latest + environment: + name: azure + deployment: false if: github.repository == 'microsoft/TypeScript' permissions: contents: read # Apparently required to create issues + id-token: write issues: write steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-issues: write - name: Close issues env: - GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} REPO: ${{ github.repository }} run: | DATE=$(date --date='2 days ago' --iso-8601) diff --git a/.github/workflows/create-cherry-pick-pr.yml b/.github/workflows/create-cherry-pick-pr.yml index ecdd770e02776..a09226521daf6 100644 --- a/.github/workflows/create-cherry-pick-pr.yml +++ b/.github/workflows/create-cherry-pick-pr.yml @@ -34,6 +34,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0}) permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -44,6 +45,9 @@ defaults: jobs: open-pr: runs-on: ubuntu-latest + environment: + name: azure + deployment: false if: github.repository == 'microsoft/TypeScript' steps: 
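Review bot: `id-token: write` is now granted twice for close-issues, in the job-level `permissions` block here and at workflow level in the previous hunk; because a job-level block replaces the workflow-level one, the workflow-level line adds nothing for this job and only widens what any other job in the file receives. If close-issues is the only job, drop the workflow-level `id-token: write` and keep the job-level grant, which is the narrowest scope that lets azure/login request an OIDC token. The other workflows in this change add the grant only at workflow level; where a file has more than one job, the same job-level placement applies. I cannot see the rest of these files, so whether other jobs exist is unverified.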
@@ -51,8 +55,32 @@ jobs: with: filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/ fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none. - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} - + persist-credentials: false + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + permission-issues: write + permission-pull-requests: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 id: open-pr env: @@ -64,7 +92,7 @@ jobs: STATUS_COMMENT: ${{ inputs.status_comment }} with: retries: 3 - github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github-token: ${{ steps.app-token.outputs.token }} result-encoding: string script: | const { 
@@ -182,7 +210,7 @@ jobs: with: success_comment: ${{ steps.open-pr.outputs.result }} failure_comment: 'I was unable to cherry-pick this PR.' - github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} distinct_id: ${{ inputs.distinct_id }} source_issue: ${{ inputs.source_issue }} requesting_user: ${{ inputs.requesting_user }} diff --git a/.github/workflows/lkg.yml b/.github/workflows/lkg.yml index 69601b61a902a..4ac50669f600b 100644 --- a/.github/workflows/lkg.yml +++ b/.github/workflows/lkg.yml @@ -10,6 +10,7 @@ on: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -20,6 +21,9 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - env: BRANCH_NAME: ${{ inputs.branch_name }} @@ -32,7 +36,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.branch_name }} - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' 
@@ -48,4 +52,27 @@ jobs: git config user.email "typescriptbot@microsoft.com" git config user.name "TypeScript Bot" git commit -m 'Update LKG' - git push + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + - run: git push diff --git a/.github/workflows/new-release-branch.yaml b/.github/workflows/new-release-branch.yaml index 06a52bd6cc9f5..495389f1e27df 100644 --- a/.github/workflows/new-release-branch.yaml +++ b/.github/workflows/new-release-branch.yaml @@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0}) permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference 
@@ -48,13 +49,16 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/ fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none. - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' 
@@ -85,14 +89,39 @@ jobs: git config user.email "typescriptbot@microsoft.com" git config user.name "TypeScript Bot" git commit -m "Bump version to $PACKAGE_VERSION and LKG" - git push --set-upstream origin "$BRANCH_NAME" + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + - env: + BRANCH_NAME: ${{ inputs.branch_name }} + run: git push --set-upstream origin "$BRANCH_NAME" - uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master if: ${{ !cancelled() && inputs.distinct_id }} with: success_comment: "I've created ${{ inputs.branch_name }} with version ${{ inputs.package_version }} for you." failure_comment: 'I was unable to create the new release branch.' - github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} distinct_id: ${{ inputs.distinct_id }} source_issue: ${{ inputs.source_issue }} requesting_user: ${{ inputs.requesting_user }} 
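Review bot: The App token minted with `permission-contents: write` is handed to `microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master`, a mutable branch reference, while every other action in this hunk is pinned to a commit SHA; anyone who can push to that branch decides what runs with a contents-write token for this repository. Pin it the same way, `uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@<commit-sha> # <tag>`, with the SHA taken from that repository. The same unpinned reference receives the token in set-version.yaml and sync-branch.yaml, and `microsoft/TypeScript-Twoslash-Repro-Action@master` receives a contents-plus-issues write token in twoslash-repros.yaml. These `@master` references predate this change, but the token they receive is the new App token introduced here, which is why it is worth addressing in the same commit.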
diff --git a/.github/workflows/pr-modified-files.yml b/.github/workflows/pr-modified-files.yml index 71f0aa908c85c..bd5101a61d20e 100644 --- a/.github/workflows/pr-modified-files.yml +++ b/.github/workflows/pr-modified-files.yml @@ -17,6 +17,7 @@ concurrency: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -27,17 +28,39 @@ defaults: jobs: manage-prs: runs-on: ubuntu-latest + environment: + name: azure + deployment: false if: github.repository == 'microsoft/TypeScript' - # No need to set explicit permissions; we are using typescript-bot's token, not github-actions' token. + # No need to set explicit permissions; we are using the GitHub App token, not github-actions' token. env: - GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number }} PR_AUTHOR: ${{ github.event.pull_request.user.login }} REPO: ${{ github.repository }} steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-issues: write + permission-pull-requests: write + - name: Export GitHub App token + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" - name: Check if PR author is in pr_owners.txt id: pr_owner run: | 
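Review bot: The `Export GitHub App token` step interpolates `${{ steps.app-token.outputs.token }}` directly into the `run:` script text and appends it to `$GITHUB_ENV`, which hands the token to every subsequent step in the job, including any third-party action that reads the environment. Passing it through `env:` keeps the value out of the script source: `env:` with `GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}` and `run: echo "GH_TOKEN=$GITHUB_APP_TOKEN" >> "$GITHUB_ENV"`; tighter still is to set `GH_TOKEN` in the `env:` of only the steps that call `gh`, which I cannot see from this hunk. The removed job-level `GH_TOKEN` had the same job-wide exposure, so this is parity rather than a regression, but it is the moment to narrow it.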
diff --git a/.github/workflows/set-version.yaml b/.github/workflows/set-version.yaml index cd32ffd0028d8..0efbc6919b77f 100644 --- a/.github/workflows/set-version.yaml +++ b/.github/workflows/set-version.yaml @@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0}) permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -48,11 +49,14 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.branch_name }} - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' 
@@ -88,14 +92,37 @@ jobs: git config user.email "typescriptbot@microsoft.com" git config user.name "TypeScript Bot" git commit -m "Bump version to $PACKAGE_VERSION and LKG" - git push + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + - run: git push - uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master if: ${{ !cancelled() && inputs.distinct_id }} with: success_comment: "I've set the version of ${{ inputs.branch_name }} to ${{ inputs.package_version }} for you." failure_comment: 'I was unable set the version.' - github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} distinct_id: ${{ inputs.distinct_id }} source_issue: ${{ inputs.source_issue }} requesting_user: ${{ inputs.requesting_user }} diff --git a/.github/workflows/sync-branch.yaml b/.github/workflows/sync-branch.yaml index e3bb90894abc3..56e70f9b50b76 100644 --- a/.github/workflows/sync-branch.yaml +++ b/.github/workflows/sync-branch.yaml 
@@ -30,6 +30,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0}) permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -40,6 +41,9 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -50,7 +54,7 @@ jobs: ref: ${{ inputs.branch_name }} filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/ fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none. - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false # required client_payload members: # branch_name - the target branch - run: | 
@@ -62,14 +66,37 @@ jobs: npx hereby LKG git add --force ./lib git commit -m 'Update LKG' - git push + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + - run: git push - uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master if: ${{ !cancelled() && inputs.distinct_id }} with: success_comment: "I've pulled main into ${{ inputs.branch_name }} for you." failure_comment: 'I was unable merge main into ${{ inputs.branch_name }}.' - github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} distinct_id: ${{ inputs.distinct_id }} source_issue: ${{ inputs.source_issue }} requesting_user: ${{ inputs.requesting_user }} diff --git a/.github/workflows/sync-wiki.yml b/.github/workflows/sync-wiki.yml index ebe024316b7ef..eafc2f3a2df7e 100644 --- a/.github/workflows/sync-wiki.yml +++ b/.github/workflows/sync-wiki.yml 
@@ -4,6 +4,7 @@ on: [gollum] permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -14,17 +15,45 @@ defaults: jobs: sync: runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - name: Get repo name run: R=${GITHUB_REPOSITORY%?wiki}; echo "BASENAME=${R##*/}" >> $GITHUB_ENV - name: Checkout ${{ env.BASENAME }}-wiki uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - repository: '${{ GITHUB.repository_owner }}/${{ env.BASENAME }}-wiki' - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + repository: '${{ github.repository_owner }}/${{ env.BASENAME }}-wiki' fetch-depth: 0 + persist-credentials: false + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: | + TypeScript + TypeScript-wiki + permission-contents: write + - name: Configure git for GitHub App token + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" - name: Run sync run: ./.github/workflows/sync env: PUSHER: typescript-bot - AUTH: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + AUTH: ${{ steps.app-token.outputs.token }} 
diff --git a/.github/workflows/twoslash-repros.yaml b/.github/workflows/twoslash-repros.yaml index 26de5f9d70d55..db24db7be438f 100644 --- a/.github/workflows/twoslash-repros.yaml +++ b/.github/workflows/twoslash-repros.yaml @@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0}) permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference 
@@ -49,19 +50,40 @@ jobs: run: if: ${{ github.repository == 'microsoft/TypeScript' }} runs-on: ubuntu-latest + environment: + name: azure + deployment: false steps: - if: ${{ github.event.inputs.bisect }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/ fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none. + persist-credentials: false - if: ${{ !github.event.inputs.bisect }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + permission-issues: write - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' - uses: microsoft/TypeScript-Twoslash-Repro-Action@master with: - github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + github-token: ${{ steps.app-token.outputs.token }} issue: ${{ github.event.inputs.issue }} bisect: ${{ github.event.inputs.bisect }} diff --git a/.github/workflows/update-package-lock.yaml b/.github/workflows/update-package-lock.yaml index 592989ec4864c..e1e7dc6101d36 100644 --- a/.github/workflows/update-package-lock.yaml +++ b/.github/workflows/update-package-lock.yaml 
@@ -9,6 +9,7 @@ on: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -19,12 +20,15 @@ defaults: jobs: build: runs-on: ubuntu-latest + environment: + name: azure + deployment: false if: github.repository == 'microsoft/TypeScript' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.TS_BOT_GITHUB_TOKEN }} + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 'lts/*' @@ -35,12 +39,14 @@ jobs: npm --version - name: Update package-lock.json and push + id: update run: | rm package-lock.json npm install if git diff --exit-code --name-only package-lock.json; then echo "No change." + echo "changed=false" >> "$GITHUB_OUTPUT" else npm test npx hereby LKG 
@@ -48,5 +54,32 @@ jobs: git config user.name "TypeScript Bot" git add -f package-lock.json git commit -m "Update package-lock.json" - git push + echo "changed=true" >> "$GITHUB_OUTPUT" fi + - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 + if: steps.update.outputs.changed == 'true' + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Create GitHub App token + if: steps.update.outputs.changed == 'true' + id: app-token + uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1 + with: + client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }} + key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} + owner: microsoft + repositories: TypeScript + permission-contents: write + - name: Push + if: steps.update.outputs.changed == 'true' + shell: bash + env: + GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + set -euo pipefail + basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')" + echo "::add-mask::$basic_auth" + git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}" + git push