diff --git a/.github/workflows/api-sync.yml b/.github/workflows/api-sync.yml
index 8efeabf14..0295e028f 100644
--- a/.github/workflows/api-sync.yml
+++ b/.github/workflows/api-sync.yml
@@ -36,12 +36,19 @@ jobs:
             echo "has_changes=true" >> $GITHUB_OUTPUT
           fi
 
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Create Pull Request
         if: steps.check.outputs.has_changes == 'true'
         id: cpr
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GH_PAT }}
+          token: ${{ steps.app-token.outputs.token }}
           commit-message: "chore: sync API types from infrastructure"
           title: "chore: sync API types from infrastructure"
           body: |
@@ -58,4 +65,4 @@ jobs:
         if: steps.check.outputs.has_changes == 'true'
         run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
         env:
-          GH_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 5cf15ef53..e9242b274 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -22,12 +22,18 @@ jobs:
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       # Here the PR gets approved.
       - name: Approve a PR
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
       # Finally, this sets the PR to allow auto-merging for patch and minor
       # updates if all checks pass
 
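Review bot: The new `Generate token` step runs unconditionally, while every consumer of `steps.app-token.outputs.token` in this file is gated on `steps.check.outputs.has_changes == 'true'`, so an installation token is minted on every sync run even when nothing will be created or merged; add `if: steps.check.outputs.has_changes == 'true'` to the token step as well. The step also passes only `app-id` and `private-key`, so the token carries every permission the App installation holds; `actions/create-github-app-token` accepts `permission-<scope>` inputs (here `permission-contents: write` and `permission-pull-requests: write` would cover PR creation and merge) to narrow it to what this job does. The same unscoped token step is repeated in automerge.yml, release-beta.yml and release.yml in this diff. The `check` step and the `run: |` script whose last lines open this hunk start outside it.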
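Review bot: Renaming the merge step's variable from `GH_TOKEN` to `GITHUB_TOKEN` is unrelated to swapping the credential; `gh` reads both names (with `GH_TOKEN` taking precedence), so the rename changes nothing functionally but reuses the name of the built-in `GITHUB_TOKEN` secret and makes it easy to misread which identity performs the merge. Keep the original key, `GH_TOKEN: ${{ steps.app-token.outputs.token }}`, so the diff is limited to the credential change. The step's `name:` line lies above the hunk.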
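Review bot: `uses: actions/create-github-app-token@v2` references a mutable tag for the one step that is handed `secrets.GH_APP_PRIVATE_KEY`; the rest of the file also uses tags, but this step is the natural place to start pinning, because whoever controls that tag controls the code that reads the App's private key. Pin it to a full commit SHA with the tag kept as a trailing comment, `uses: actions/create-github-app-token@<commit-sha> # v2` (placeholder), and do the same for the other `Generate token` steps in this diff. Separately, the inserted step is not gated on the `if:` that guards the approve and merge steps, so a token is minted for every Dependabot PR the workflow sees rather than only the ones it acts on; a blank line between the new step and the `# Here the PR gets approved.` comment would also keep the existing stanza spacing. The `steps.meta` step this job depends on sits above the hunk.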
@@ -35,4 +41,4 @@ jobs:
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
index a74314299..af437211e 100644
--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -65,6 +66,13 @@ jobs:
     if: needs.release.outputs.new-release-published == 'true'
     runs-on: ubuntu-latest
     steps:
+      # use GitHub app to create a release token that can publish to homebrew-tap and scoop
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -72,7 +80,7 @@ jobs:
           cache: true
       - run: go run tools/publish/main.go --beta "${{ needs.release.outputs.new-release-version }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   publish:
     name: Publish NPM
@@ -87,7 +95,10 @@ jobs:
         with:
           node-version: "16.x"
           registry-url: "https://registry.npmjs.org"
+
+      # Ensure npm 11.5.1 or later is installed for trusted publishing support
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - run: npm --git-tag-version=false version ${{ needs.release.outputs.new-release-version }}
       - run: npm publish --tag ${{ needs.release.outputs.new-release-channel }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9b85ec4a5..472ecde42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
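Review bot: `id-token: write` is added to the workflow-level `permissions:` block of release-beta.yml, so every job in the workflow — including `release` and the Go publish job, neither of which requests an OIDC token — receives it, whereas only the npm publish job needs it for trusted publishing. Move it into that job's own block, `permissions:` / `contents: read` / `id-token: write`, and leave the top-level block as it was; whether the publish job already declares a job-level `permissions:` block is not visible in this hunk. release.yml in this diff adds the same key at workflow level and would benefit from the same scoping; in tag-npm.yml the distinction only matters if `tag` is not the sole job, which the hunk does not show.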
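Review bot: The comment says the token is meant to publish to homebrew-tap and scoop, but the step sets neither `owner:` nor `repositories:`, and with both empty `actions/create-github-app-token` scopes the token to the current repository only, so as written it cannot push to those other repositories. If `tools/publish/main.go` really does push there (its behaviour is outside this diff), add `owner: ${{ github.repository_owner }}` and `repositories:` listing exactly the tap and bucket repository names rather than the whole installation, together with `permission-contents: write` so the token carries no other permission. release.yml's first `Generate token` step carries the same comment and the same omission. The job header this step belongs to sits above the hunk.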
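Review bot: `npm install -g npm@latest` pulls whatever npm version is current at run time into the release job, which makes the publish step non-reproducible and widens the supply-chain surface right before an OIDC-authenticated `npm publish`; pin the version the comment actually requires, e.g. `run: npm install -g npm@11.5.1` (or a later exact version), and bump it deliberately. The step also runs under `node-version: "16.x"`, and as far as I know npm 11 only supports Node 20.17+/22.9+, so the upgraded npm may refuse to run there; the Node version in the preceding `setup-node` step should move to a supported release, and removing `NODE_AUTH_TOKEN` assumes trusted publishing is already configured for this package and workflow on the registry, which cannot be verified here. tag-npm.yml's `Update npm` step has the same two issues. The `setup-node` step's `uses:` line is above the hunk.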
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write
 
 jobs:
   settings:
@@ -31,6 +32,13 @@ jobs:
       - settings
     runs-on: ubuntu-latest
     steps:
+      # use GitHub app to create a release token that can publish to homebrew-tap and scoop
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -38,7 +46,7 @@ jobs:
           cache: true
       - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   publish:
     name: Publish NPM
@@ -53,6 +61,12 @@ jobs:
     name: Bump self-hosted versions
     runs-on: ubuntu-latest
     steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -60,7 +74,7 @@ jobs:
           cache: true
       - run: go run tools/selfhost/main.go
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   changelog:
     name: Publish changelog
@@ -69,6 +83,12 @@ jobs:
       - publish
     runs-on: ubuntu-latest
     steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -76,7 +96,7 @@ jobs:
           cache: true
       - run: go run tools/changelog/main.go ${{ secrets.SLACK_CHANNEL }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 
   docs:
@@ -85,6 +105,12 @@ jobs:
       - settings
     runs-on: ubuntu-latest
     steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -92,4 +118,4 @@ jobs:
           cache: true
       - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml
index fe239608c..aa268989e 100644
--- a/.github/workflows/tag-npm.yml
+++ b/.github/workflows/tag-npm.yml
@@ -15,6 +15,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   tag:
@@ -26,7 +27,11 @@ jobs:
         with:
           node-version: "16.x"
           registry-url: "https://registry.npmjs.org"
+
+      # Ensure npm 11.5.1 or later is installed for trusted publishing support
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
         env:
           RELEASE_TAG: ${{ inputs.release }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
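Review bot: `NODE_AUTH_TOKEN` is removed from the `npm dist-tag add` step, leaving it to authenticate through trusted publishing (the workflow now grants `id-token: write`), but I am not certain the npm OIDC flow covers `dist-tag` writes — its documented scope is `npm publish` — so this step may end up unauthenticated and fail on the first manual run; confirm against current npm documentation or a dry run before relying on it. If it is not covered, a granular access token limited to this single package, rather than the previous broad `NPM_TOKEN`, is the least-privilege fallback. This step also inherits the `npm@latest` pinning and Node 16 compatibility concerns raised for the identical `Update npm` step in release-beta.yml. The `tag` job's `setup-node` `uses:` line is above the hunk.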