From 2cc56bf78bb7fd2ad917e2dc4cc4ef16a022e5ad Mon Sep 17 00:00:00 2001
From: Jeff Wolski
Date: Fri, 15 Nov 2024 08:31:50 +0100
Subject: [PATCH] chore: Use GitHub App authentication to generate "checkout tokens"

This commit switches the `build.yml` workflow over to use GitHub App tokens to checkout the nillion repo (private) instead of relying on PATs, which expire and have to be manually rotated. Instead, I created a GitHub App named "Nillion Repo" at the org-level. I gave the app read-only access to the nillion repo. And I added 1 repo-variable and 1 repo-secret to the nada-dsl repo:
* Variable: `NILLION_REPO_APP_ID`
* Secret: `NILLION_REPO_APP_PRIVATE_KEY`
---
 .github/workflows/build.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bb21e5b..1ad2a23 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,12 +44,18 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: "3.10"
+ - name: Generate Nillion Repo app token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.NILLION_REPO_APP_ID }}
+ private-key: ${{ secrets.NILLION_REPO_APP_PRIVATE_KEY }}
 - name: Checkout tools repo
 uses: actions/checkout@v4
 with:
 repository: NillionNetwork/nillion
 path: nillion
- token: ${{ secrets.NILLION_TOKEN }}
+ token: ${{ steps.generate-token.outputs.token }}
 - name: Replace nillion's nada_dsl with this version
 uses: actions/checkout@v4
 with:
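Review bot: The new `Generate Nillion Repo app token` step passes only `app-id` and `private-key`, and as far as I know `actions/create-github-app-token` then requests a token for the repository the workflow runs in, not for `NillionNetwork/nillion`, which the next step checks out. Adding `owner: NillionNetwork` and `repositories: nillion` under its `with:` makes the target explicit and keeps the token limited to that one repository even if the app's installation is later widened. Since this step receives the app's private key, consider pinning the action to a full commit SHA instead of the mutable `@v1` tag. Once the change is verified, the now-unused `NILLION_TOKEN` secret can be deleted and its PAT revoked. The steps list continues outside the hunk.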