ci: get PR approver app token from secret service (#258)

dsanders11 · web-flow · commit e697b4e12553 · 2025-11-20T15:31:20.000-08:00
* ci: get PR approver app token from secret service

* chore: add missing permission
diff --git a/.github/workflows/update-abi.yml b/.github/workflows/update-abi.yml
@@ -17,6 +17,8 @@ jobs:
           - 3-x-y
     runs-on: ubuntu-latest
     environment: auto-updater
+    permissions:
+      id-token: write  # for secret service access
     steps:
     - name: Generate GitHub App token (updater app)
       uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -54,17 +56,15 @@ jobs:
           --body "Automated PR to update abi_registry.json" \
           --head "feat/update-abi-registry-${{ matrix.branch }}-${{ hashFiles('abi_registry.json') }}" \
           --base ${{ matrix.branch }}
-    - name: Generate GitHub App token (approver app)
-      uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+    - name: Get GitHub App token (approver app)
       if: ${{ steps.commit-changes.outputs.sha }}
-      id: generate-token-approver
-      with:
-        creds: ${{ secrets.APPROVER_GH_APP_CREDS }}
+      id: secret-service
+      uses: electron/secret-service-action@3476425e8b30555aac15b1b7096938e254b0e155 # v1.0.0
     - name: Approve and merge pull request
       if: ${{ steps.commit-changes.outputs.sha }}
       shell: bash
       env:
-        GITHUB_TOKEN: ${{ steps.generate-token-approver.outputs.token }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).PR_APPROVER_GH_TOKEN }}
       run: |
         set -eo pipefail
         gh pr review "feat/update-abi-registry-${{ matrix.branch }}-${{ hashFiles('abi_registry.json') }}" --approve
