feat: move to github app token (#97)

Amzani · web-flow · commit 3d6ad3aecec8 · 2025-11-26T17:34:11.000+01:00
diff --git a/.github/workflows/auto-merge-generated-prs.yml b/.github/workflows/auto-merge-generated-prs.yml
@@ -16,6 +16,14 @@ jobs:
       startsWith(github.event.pull_request.title, 'chore: 🐝 Update SDK - Generate')
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_CI_BOT_APP_ID }}
+          private-key: ${{ secrets.GH_CI_BOT_APP_PRIVATE_KEY }}
+          owner: apideck-io
+
       - name: Check labels (needs minor or patch)
         id: labels
         uses: actions/github-script@v7
@@ -31,7 +39,7 @@ jobs:
         if: steps.labels.outputs.match == 'true'
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const { owner, repo } = context.repo;
             const prNumber = context.payload.pull_request.number;
@@ -54,6 +62,6 @@ jobs:
         with:
           pull-request-number: ${{ github.event.pull_request.number }}
           merge-method: squash
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
 
diff --git a/.github/workflows/sdk_generation.yaml b/.github/workflows/sdk_generation.yaml
@@ -18,14 +18,28 @@ permissions:
   schedule:
     - cron: 0 0 * * *
 jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_CI_BOT_APP_ID }}
+          private-key: ${{ secrets.GH_CI_BOT_APP_PRIVATE_KEY }}
+          owner: apideck-io
+
   generate:
+    needs: generate-token
     uses: speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@v15
     with:
       force: ${{ github.event.inputs.force }}
       mode: pr
       set_version: ${{ github.event.inputs.set_version }}
       speakeasy_version: latest
     secrets:
-      github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      github_access_token: ${{ needs.generate-token.outputs.token }}
       npm_token: ${{ secrets.NPM_TOKEN }}
       speakeasy_api_key: ${{ secrets.SPEAKEASY_API_KEY }}
diff --git a/.github/workflows/sdk_publish.yaml b/.github/workflows/sdk_publish.yaml
@@ -13,11 +13,25 @@ permissions:
       - .speakeasy/gen.lock
   workflow_dispatch: {}
 jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_CI_BOT_APP_ID }}
+          private-key: ${{ secrets.GH_CI_BOT_APP_PRIVATE_KEY }}
+          owner: apideck-io
+
   publish:
+    needs: generate-token
     uses: speakeasy-api/sdk-generation-action/.github/workflows/sdk-publish.yaml@v15
     with:
       target: apideck
     secrets:
-      github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      github_access_token: ${{ needs.generate-token.outputs.token }}
       npm_token: ${{ secrets.NPM_TOKEN }}
       speakeasy_api_key: ${{ secrets.SPEAKEASY_API_KEY }}
diff --git a/.github/workflows/sdk_test.yaml b/.github/workflows/sdk_test.yaml
@@ -17,10 +17,24 @@ permissions:
         description: Provided SDK target to run tests for, (all) is valid
         type: string
 jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_CI_BOT_APP_ID }}
+          private-key: ${{ secrets.GH_CI_BOT_APP_PRIVATE_KEY }}
+          owner: apideck-io
+
   test:
+    needs: generate-token
     uses: speakeasy-api/sdk-generation-action/.github/workflows/sdk-test.yaml@v15
     with:
       target: ${{ github.event.inputs.target || 'apideck' }}
     secrets:
-      github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      github_access_token: ${{ needs.generate-token.outputs.token }}
       speakeasy_api_key: ${{ secrets.SPEAKEASY_API_KEY }}
