goreleaser/goreleaser-action
1
0
Fork 0
mirror of https://github.com/goreleaser/goreleaser-action synced 2026-06-29 21:29:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: use a GitHub App token to rebuild dist on dependabot PRs (#569)

Browse Source 
* ci: use a GitHub App token to rebuild dist on dependabot PRs

Replaces GH_PAT (a broad org PAT) with a GitHub App token for pushing the
rebuilt dist/ back to Dependabot PR branches. An App token is scoped to
this repo with minimal permissions and is short-lived, so it is much safer
to expose on the (semi-trusted) Dependabot PR build than a wide PAT.

The job stays a no-op until the DIST_REBUILD_APP_ID and
DIST_REBUILD_APP_PRIVATE_KEY Dependabot secrets are configured.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci: use GORELEASER_APP_ID/GORELEASER_APP_KEY for dist rebuild

Use the existing GoReleaser GitHub App secrets instead of dedicated
DIST_REBUILD_* ones.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

---------

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Carlos Alexandro Becker
2026-06-27 10:26:46 -03:00
committed by GitHub
parent d2d17a6c5d
commit a4f614e65e
1 changed files with 25 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/rebuild-dist.yml
+25 -15
View File
@@ -17,45 +17,55 @@ jobs:
# the validate workflow stays green. # the validate workflow stays green.
# #
# Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do # Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do
# not re-trigger checks. Pushing the dist commit therefore uses GH_PAT, which # not re-trigger checks. Pushing the dist commit therefore uses a GitHub App
# can re-run workflows. Note: Dependabot runs only expose Dependabot secrets, # token, which is repo-scoped and short-lived, and can re-run workflows.
# so GH_PAT must exist as a Dependabot secret (org or repo) with contents:write # Configure a GitHub App with contents:write on this repo and set its
# on this repo. Until it does this job is a no-op. # credentials as Dependabot secrets named GORELEASER_APP_ID and
# GORELEASER_APP_KEY (Dependabot runs only expose Dependabot secrets).
# Until both exist this job is a no-op.
rebuild-dist: rebuild-dist:
if: github.actor == 'dependabot[bot]' if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check token - name: Check app credentials
id: token id: app
env: env:
GH_PAT: ${{ secrets.GH_PAT }} GORELEASER_APP_ID: ${{ secrets.GORELEASER_APP_ID }}
GORELEASER_APP_KEY: ${{ secrets.GORELEASER_APP_KEY }}
run: | run: |
if [ -n "$GH_PAT" ]; then if [ -n "$GORELEASER_APP_ID" ] && [ -n "$GORELEASER_APP_KEY" ]; then
echo "available=true" >> "$GITHUB_OUTPUT" echo "available=true" >> "$GITHUB_OUTPUT"
else else
echo "available=false" >> "$GITHUB_OUTPUT" echo "available=false" >> "$GITHUB_OUTPUT"
echo "::notice::GH_PAT Dependabot secret is not set; skipping automatic dist rebuild." echo "::notice::GORELEASER_APP_ID/GORELEASER_APP_KEY Dependabot secrets are not set; skipping automatic dist rebuild."
fi fi
- name: Generate token
if: steps.app.outputs.available == 'true'
id: token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.GORELEASER_APP_ID }}
private-key: ${{ secrets.GORELEASER_APP_KEY }}
- name: Checkout - name: Checkout
if: steps.token.outputs.available == 'true' if: steps.app.outputs.available == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with: with:
ref: ${{ github.head_ref }} ref: ${{ github.head_ref }}
token: ${{ secrets.GH_PAT }} token: ${{ steps.token.outputs.token }}
- name: Setup Node.js - name: Setup Node.js
if: steps.token.outputs.available == 'true' if: steps.app.outputs.available == 'true'
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with: with:
node-version-file: '.node-version' node-version-file: '.node-version'
cache: npm cache: npm
- name: Install dependencies - name: Install dependencies
if: steps.token.outputs.available == 'true' if: steps.app.outputs.available == 'true'
run: npm ci --ignore-scripts run: npm ci --ignore-scripts
- name: Rebuild dist - name: Rebuild dist
if: steps.token.outputs.available == 'true' if: steps.app.outputs.available == 'true'
run: npm run build run: npm run build
- name: Commit and push dist if changed - name: Commit and push dist if changed
if: steps.token.outputs.available == 'true' if: steps.app.outputs.available == 'true'
env: env:
HEAD_REF: ${{ github.head_ref }} HEAD_REF: ${{ github.head_ref }}
run: | run: |