chore: Use GitHub App authentication to generate "checkout tokens"

This commit switches the `build.yml` workflow over to use GitHub App tokens to checkout the nillion repo (private) instead of relying on PATs, which expire and have to be manually rotated. Instead, I created a GitHub App named "Nillion Repo" at the org-level. I gave the app read-only access to the nillion repo. And I added the app's ID and private key to the nada-dsl repo: * As a variable: `NILLION_REPO_APP_ID` * And as a secret: `NILLION_REPO_APP_PRIVATE_KEY`
NillionNetwork · Nov 15, 2024 · 94722f3 · 94722f3
1 parent cfddbb9
commit 94722f3
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -44,12 +44,21 @@ jobs:
         uses: actions/setup-python@v3
         with:
           python-version: "3.10"
+      - name: Generate Nillion Repo app token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.NILLION_REPO_APP_ID }}
+          owner: NillionNetwork
+          private-key: ${{ secrets.NILLION_REPO_APP_PRIVATE_KEY }}
+          repositories: nillion
       - name: Checkout tools repo
         uses: actions/checkout@v4
         with:
           repository: NillionNetwork/nillion
           path: nillion
-          token: ${{ secrets.NILLION_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
+          ref: main
       - name: Replace nillion's nada_dsl with this version
         uses: actions/checkout@v4
         with: