From f37db65324c07ca147775e60ec74a179c47e013f Mon Sep 17 00:00:00 2001
From: Jeff Wolski
Date: Fri, 15 Nov 2024 08:31:50 +0100
Subject: [PATCH] chore: Use GitHub App authentication to generate "checkout tokens"

This commit switches the `build.yml` workflow over to use GitHub App tokens to checkout the nillion repo (private) instead of relying on PATs, which expire and have to be manually rotated. Instead, I created a GitHub App named "Nillion Repo" at the org-level. I gave the app read-only access to the nillion repo. And I added the app's ID and private key to the nada-dsl repo:
* As a variable: `NILLION_REPO_APP_ID`
* And as a secret: `NILLION_REPO_APP_PRIVATE_KEY`
---
 .github/workflows/build.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bb21e5b..f95b420 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,12 +44,21 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: "3.10"
+ - name: Generate Nillion Repo app token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.NILLION_REPO_APP_ID }}
+ owner: NillionNetwork
+ private-key: ${{ secrets.NILLION_REPO_APP_PRIVATE_KEY }}
+ repositories: nillion
 - name: Checkout tools repo
 uses: actions/checkout@v4
 with:
 repository: NillionNetwork/nillion
 path: nillion
- token: ${{ secrets.NILLION_TOKEN }}
+ token: ${{ steps.generate-token.outputs.token }}
+ ref: main
 - name: Replace nillion's nada_dsl with this version
 uses: actions/checkout@v4
 with:
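Review bot: The "Checkout tools repo" step passes the freshly minted app token to actions/checkout without setting `persist-credentials: false`, so the token is written into the `nillion` checkout's `.git/config` and stays readable by every later step in the job rather than being used only for the clone; since the token is needed only to fetch the repo, add `persist-credentials: false` under that step's `with:` block. The step that mints the token reads the org-level app private key from `secrets.NILLION_REPO_APP_PRIVATE_KEY` and references `actions/create-github-app-token@v1` by a mutable major tag, which means whatever that tag points to at run time handles the key; pinning the action to a full commit SHA (with the tag in a trailing comment) is the usual mitigation for a step that touches a long-lived credential, and the same applies to the `actions/checkout@v4` reference on the new side. The newly added `ref: main` also changes the previous behaviour of checking out the default branch; a one-line comment stating why `main` is required would keep the intent clear for the next maintainer.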