Use GitHub App token (#43)

bitwarden · Jan 6, 2025 · 178622a · 178622a
1 parent 01ccad4
commit 178622a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -18,11 +18,18 @@ jobs:
   version-bump:
     name: Version bump
     if: github.actor != 'bitwarden-devops-bot'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: version-type
     outputs:
       version: ${{ steps.get-version.outputs.version }}
     steps:
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
@@ -34,14 +41,13 @@ jobs:
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase,
-            github-pat-bitwarden-devops-bot-repo-scope"
+            github-gpg-private-key-passphrase"
 
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0

diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
@@ -5,6 +5,7 @@ on:
     types: [labeled, unlabeled, opened, reopened, synchronize]
 jobs:
   enforce-labels:
+    name: Enforce Labels
     uses: bitwarden/gh-actions/.github/workflows/_enforce-labels.yml@main
 
   enforce-version-label: