feat: use explicit app token for all workflows (#22949)

2025-12-25 01:11:43 +03:00 · 2025-10-20 14:38:01 +02:00
parent 13d33f834f
commit 08f81eb3c6
19 changed files with 318 additions and 23 deletions
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -16,12 +16,19 @@ jobs:
      parameters: ${{ steps.parameters.outputs.result }}
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+
      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
+          github-token: ${{ steps.token.outputs.token }}
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
@@ -42,6 +49,7 @@ jobs:
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
+          github-token: ${{ steps.token.outputs.token }}
          script: |
            const eventType = context.payload.workflow_run.event;
            const isFork = context.payload.workflow_run.repository.fork;
@@ -107,10 +115,17 @@ jobs:
      pull-requests: write
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
+          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
        uses: immich-app/devtools/actions/use-mise@697a75e2c3186d3c037c2c159855cf2d566542ba # use-mise-action-0.0.1
@@ -121,6 +136,7 @@ jobs:
        env:
          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
        with:
+          github-token: ${{ steps.token.outputs.token }}
          script: |
            const parameters = JSON.parse(process.env.PARAM_JSON);
            core.setOutput("event", parameters.event);
@@ -132,6 +148,7 @@ jobs:
        env:
          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
        with:
+          github-token: ${{ steps.token.outputs.token }}
          script: |
            let artifact = JSON.parse(process.env.ARTIFACT_JSON);
            let download = await github.rest.actions.downloadArtifact({
@@ -201,6 +218,7 @@ jobs:
        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
+          token: ${{ steps.token.outputs.token }}
          number: ${{ fromJson(needs.checks.outputs.parameters).pr_number }}
          body: |
            📖 Documentation deployed to [${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }}](https://${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }})