chore: Use GitHub App authentication to generate "checkout tokens"

This commit switches the `build.yml` workflow over to use GitHub App tokens to checkout the nillion repo (private) instead of relying on PATs, which expire and have to be manually rotated. Instead, I created a GitHub App named "Nillion Repo" at the org-level. I gave the app read-only access to the nillion repo. And I added 1 repo-variable and 1 repo-secret to the nada-dsl repo: * Variable: `NILLION_REPO_APP_ID` * Secret: `NILLION_REPO_APP_PRIVATE_KEY`
NillionNetwork · Nov 15, 2024 · 2cc56bf · 2cc56bf
1 parent cfddbb9
commit 2cc56bf
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -44,12 +44,18 @@ jobs:
         uses: actions/setup-python@v3
         with:
           python-version: "3.10"
+      - name: Generate Nillion Repo app token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.NILLION_REPO_APP_ID }}
+          private-key: ${{ secrets.NILLION_REPO_APP_PRIVATE_KEY }}
       - name: Checkout tools repo
         uses: actions/checkout@v4
         with:
           repository: NillionNetwork/nillion
           path: nillion
-          token: ${{ secrets.NILLION_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
       - name: Replace nillion's nada_dsl with this version
         uses: actions/checkout@v4
         with: