From 2be933ae8bd130651ba3e5c6d5ea9783c9d4dd7c Mon Sep 17 00:00:00 2001
From: Harry Callahan
Date: Tue, 14 Apr 2026 08:29:32 +0100
Subject: [PATCH] ci: Use lowrisc/ci-actions for token acquisition
Replace the local copy of lowrisc_ci_app_get_token with a reference to the canonical upstream action at lowrisc/ci-actions/get-token@v1. Also removes the preparatory checkout step that was only needed to make the local action available on disk.
Signed-off-by: Harry Callahan
---
 .../lowrisc_ci_app_get_token/action.yml | 41 -------------------
 .github/workflows/release.yml | 7 +---
 2 files changed, 2 insertions(+), 46 deletions(-)
 delete mode 100644 .github/actions/lowrisc_ci_app_get_token/action.yml
diff --git a/.github/actions/lowrisc_ci_app_get_token/action.yml b/.github/actions/lowrisc_ci_app_get_token/action.yml
deleted file mode 100644
index 2472d3f0..00000000
--- a/.github/actions/lowrisc_ci_app_get_token/action.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright lowRISC contributors (OpenTitan project).
-# Licensed under the Apache License, Version 2.0, see LICENSE for details.
-# SPDX-License-Identifier: Apache-2.0
-
-# NOTE.
-# Requires id-token: write in the workflow to get the JWT
-
-name: Get lowrisc-ci app access token
-description: Obtain a lowrisc-ci GitHub App installation access token from the lowRISC CA
-
-inputs:
- audience:
- description: intended audience for the requested JWT
- type: string
- default: "https://ca.lowrisc.org"
- ca_api_endpoint:
- description: lowRISC CA endpoint from which to try and obtain a token.
- type: string
- default: "https://ca.lowrisc.org/api/github/repos/${{ github.repository }}/token"
-
-runs:
- using: "composite"
- steps:
- - name: Get and exchange tokens
- id: get_token
- shell: bash
- run: |
- # First, manually request a JSON Web Token (JWT) from GitHub's OIDC provider for the workflow
- # - Set our CA as the intended audience
- ID_TOKEN=$(curl -sSf -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=${{ inputs.audience }}" | jq -r .value)
- echo "::add-mask::$ID_TOKEN"
- # Now use the JWT token to request the lowRISC CA to provide an lowrisc-ci app installation access token suitable for our action
- ACCESS_TOKEN=$(curl -sSf -X POST -H "Authorization: Bearer $ID_TOKEN" ${{ inputs.ca_api_endpoint }})
- echo "::add-mask::$ACCESS_TOKEN"
- echo "token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
-
-outputs:
- token:
- description: "Token"
- value: ${{ steps.get_token.outputs.token }}
-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d3ca1a56..be4c6633 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,12 +27,9 @@ jobs:
 steps:
- - name: Setup | Checkout Repository for local action
- uses: actions/checkout@v4
-
- - name: Get an installation access token for the lowrisc-ci app with appropriate permissions
+ - name: Get a lowRISC CA token for creating the release
 id: get-token
- uses: ./.github/actions/lowrisc_ci_app_get_token
+ uses: lowrisc/ci-actions/ca-token@v1
 - name: Setup | Checkout Repository at PR branch
 uses: actions/checkout@v4
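Review bot: The added `uses: lowrisc/ci-actions/ca-token@v1` references the token-acquisition action by a mutable tag, in the release workflow, where the step presumably performs the same OIDC-to-access-token exchange as the removed in-repo copy. With the code no longer vendored, whatever `v1` points to at run time executes with that credential, so pin it to a reviewed commit, e.g. `uses: lowrisc/ci-actions/ca-token@<full-commit-sha>  # v1`. The commit message names `lowrisc/ci-actions/get-token@v1` while this line references `ca-token`, so one of the two needs correcting. The removed action exposed its result as the `token` output and required `id-token: write`. The later steps that read `steps.get-token.outputs.*` and the job's `permissions` block are outside this hunk, so confirm both still match the upstream action's interface.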