Merge pull request #9 from gitgitgadget/vet-github-actions

dscho · web-flow · commit 571871d1629e · 2025-03-27T13:14:35.000+01:00
Use the official GitHub Action to obtain installation access tokens
diff --git a/.github/workflows/sync-git-gui.yml b/.github/workflows/sync-git-gui.yml
@@ -25,6 +25,10 @@ jobs:
         id: check
         with:
           script: |
+            const [targetRepoOwner, targetRepoName] = process.env.TARGET_REPOSITORY.split('/')
+            core.setOutput('target-repo-owner', targetRepoOwner)
+            core.setOutput('target-repo-name', targetRepoName)
+
             const sleep = async (milliseconds) => {
               return new Promise(resolve => setTimeout(resolve, milliseconds))
             }
@@ -109,12 +113,13 @@ jobs:
             core.setOutput('to-fetch', [...toFetch].join(' '))
       - name: obtain installation token
         if: steps.check.outputs.refspec != ''
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@v1
         id: token
         with:
-          app_id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
-          private_key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
-          repository: ${{ env.TARGET_REPOSITORY }}
+          app-id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
+          private-key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ steps.check.outputs.target-repo-owner }}
+          repositories: ${{ steps.check.outputs.target-repo-name }}
       - name: set authorization header
         if: steps.check.outputs.refspec != ''
         uses: actions/github-script@v7
diff --git a/.github/workflows/sync-gitster-git.yml b/.github/workflows/sync-gitster-git.yml
@@ -24,6 +24,10 @@ jobs:
         id: check
         with:
           script: |
+            const [targetRepoOwner, targetRepoName] = process.env.TARGET_REPOSITORY.split('/')
+            core.setOutput('target-repo-owner', targetRepoOwner)
+            core.setOutput('target-repo-name', targetRepoName)
+
             const sleep = async (milliseconds) => {
               return new Promise(resolve => setTimeout(resolve, milliseconds))
             }
@@ -95,12 +99,13 @@ jobs:
             core.setOutput('to-fetch', [...toFetch].join(' '))
       - name: obtain installation token
         if: steps.check.outputs.refspec != ''
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@v1
         id: token
         with:
-          app_id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
-          private_key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
-          repository: ${{ env.TARGET_REPOSITORY }}
+          app-id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
+          private-key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ steps.check.outputs.target-repo-owner }}
+          repositories: ${{ steps.check.outputs.target-repo-name }}
       - name: set authorization header
         if: steps.check.outputs.refspec != ''
         uses: actions/github-script@v7
diff --git a/.github/workflows/sync-ref.yml b/.github/workflows/sync-ref.yml
@@ -30,6 +30,10 @@ jobs:
         id: check
         with:
           script: |
+            const [targetRepoOwner, targetRepoName] = process.env.TARGET_REPOSITORY.split('/')
+            core.setOutput('target-repo-owner', targetRepoOwner)
+            core.setOutput('target-repo-name', targetRepoName)
+
             const getSHA = async (repository, ref) => {
               if (ref.startsWith('refs/heads/') || ref.startsWith('refs/tags/')) ref = ref.substring(4)
               else throw new Error(`Cannot handle ref '${ref}`)
@@ -60,12 +64,13 @@ jobs:
             core.setOutput('target-sha', targetSHA || '')
       - name: obtain installation token
         if: steps.check.outputs.skip == 'false'
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@v1
         id: token
         with:
-          app_id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
-          private_key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
-          repository: ${{ env.TARGET_REPOSITORY }}
+          app-id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
+          private-key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ steps.check.outputs.target-repo-owner }}
+          repositories: ${{ steps.check.outputs.target-repo-name }}
       - name: set authorization header
         if: steps.check.outputs.skip == 'false'
         uses: actions/github-script@v7
