chore: Use GitHub App authentication to generate "checkout tokens"
This commit switches the `build.yml` workflow over to use GitHub App
tokens to checkout the nillion repo (private) instead of relying on
PATs, which expire and have to be manually rotated.

Instead, I created a GitHub App named "Nillion Repo" at the org-level. I
gave the app read-only access to the nillion repo. And I added the app's
ID and private key to the nada-dsl repo:

* As a variable: `NILLION_REPO_APP_ID`
* And as a secret: `NILLION_REPO_APP_PRIVATE_KEY`
jwolski2 committed Nov 15, 2024
1 parent cfddbb9 commit f37db65
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -44,12 +44,21 @@ jobs:
uses: actions/setup-python@v3
with:
python-version: "3.10"
- name: Generate Nillion Repo app token
id: generate-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.NILLION_REPO_APP_ID }}
owner: NillionNetwork
private-key: ${{ secrets.NILLION_REPO_APP_PRIVATE_KEY }}
repositories: nillion
- name: Checkout tools repo
uses: actions/checkout@v4
with:
repository: NillionNetwork/nillion
path: nillion
token: ${{ secrets.NILLION_TOKEN }}
token: ${{ steps.generate-token.outputs.token }}
ref: main
- name: Replace nillion's nada_dsl with this version
uses: actions/checkout@v4
with:
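Review bot: In the "Generate Nillion Repo app token" step, `actions/create-github-app-token@v1` is referenced by a mutable major tag while it receives `secrets.NILLION_REPO_APP_PRIVATE_KEY`; pinning it to a full commit SHA would keep a moved tag from changing the code that reads the key. In the "Checkout tools repo" step, `actions/checkout` stores the token in the checkout's local git config by default, so adding `persist-credentials: false` under `with:` would stop the generated token from staying available to later steps, unless one of them needs to fetch from the nillion repo again. The `token: ${{ secrets.NILLION_TOKEN }}` line is replaced here, so the `NILLION_TOKEN` secret can be removed from the repo settings if nothing else in the workflow still reads it.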