self-hosted-runners: use the App's repository access token

dscho · dscho · commit b09684a16cf7 · 2022-12-22T19:01:07.000+01:00
In git-for-windows-automation, we want to act as the GitForWindowsHelper
GitHub App as much as possible.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/.github/workflows/create-azure-self-hosted-runners.yml b/.github/workflows/create-azure-self-hosted-runners.yml
@@ -33,7 +33,6 @@ env:
   POST_DEPLOYMENT_SCRIPT_URL: https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/azure-self-hosted-runners/post-deployment-script.ps1
 
 # The following secrets are required for this workflow to run:
-# GH_API_PAT - PAT to create a runner registration token using GitHub's API
 # AZURE_CREDENTIALS - Credentials for the Azure CLI. It's recommended to set up a resource
 #                     group specifically for self-hosted Actions Runners.
 #   az ad sp create-for-rbac --name "{YOUR_DESCRIPTIVE_NAME_HERE}" --role contributor \
@@ -70,7 +69,34 @@ jobs:
         VM_NAME="actions-runner-$(date +%Y%m%d%H%M%S%N)"
         echo "Will be using $VM_NAME as the VM name"
         echo "vm_name=$VM_NAME" >> $GITHUB_OUTPUT
+    - uses: actions/checkout@v3
+    - name: Obtain installation token
+      id: setup
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const appId = ${{ secrets.GH_APP_ID }}
+          const privateKey = `${{ secrets.GH_APP_PRIVATE_KEY }}`
+
+          const getAppInstallationId = require('./get-app-installation-id')
+          const installationId = await getAppInstallationId(
+            console,
+            appId,
+            privateKey,
+            process.env.ACTIONS_RUNNER_ORG,
+            process.env.ACTIONS_RUNNER_REPO
+          )
 
+          const getInstallationAccessToken = require('./get-installation-access-token')
+          const accessToken = await getInstallationAccessToken(
+            console,
+            appId,
+            privateKey,
+            installationId
+          )
+
+          core.setSecret(accessToken)
+          core.setOutput('token', accessToken)
     # We can't use the octokit/request-action as we can't properly mask the runner token with it
     # https://github.com/actions/runner/issues/475
     - name: Generate Actions Runner token and registration URL
@@ -93,7 +119,7 @@ jobs:
         ACTIONS_RUNNER_TOKEN=$(curl \
           -X POST \
           -H "Accept: application/vnd.github+json" \
-          -H "Authorization: Bearer ${{ secrets.GH_API_PAT }}"\
+          -H "Authorization: Bearer ${{ steps.setup.outputs.token }}"\
           -H "X-GitHub-Api-Version: 2022-11-28" \
           $ACTIONS_API_URL \
           | jq --raw-output .token)
@@ -105,9 +131,6 @@ jobs:
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
     
-    # Checkout the repo so that we can access the template files
-    - uses: actions/checkout@v3
-
     - uses: azure/arm-deploy@v1
       with:
         resourceGroupName: ${{ secrets.AZURE_RESOURCE_GROUP }}
