refactor: update workflows and scripts to use GitHub App token for authentication

Author: BarkinKctp

.github/workflows/build-citus-community-nightlies.yml

@@ -24,9 +24,6 @@ jobs:
   build_package:
     name: Build package
     runs-on: ubuntu-latest
-    permissions: 
-      id-token: write
-      contents: read
 
     strategy:
       fail-fast: false
@@ -48,12 +45,18 @@ jobs:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
-        
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -63,14 +66,10 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone tools repo for test
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools
+        run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools
 
       - name: Clone build branch
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging
+        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -79,8 +78,6 @@ jobs:
         run: python -m pip install -r tools/packaging_automation/requirements.txt
 
       - name: Build packages
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m  tools.packaging_automation.citus_package \
           --gh_token "${GH_TOKEN}" \
@@ -93,8 +90,6 @@ jobs:
           --is_test
 
       - name: Publish packages
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m  tools.packaging_automation.upload_to_package_cloud \
           --platform "${{ matrix.platform }}" \

.github/workflows/build-package-test.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -65,11 +65,17 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
 
@@ -84,18 +90,10 @@ jobs:
         env:
           TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }}
           POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }}
-          GH_TOKEN: ${{ steps.app.outputs.token }}
 
-      - name: Setup git authentication for GitHub App
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
 
       - name: Clone tools repo for test
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b v0.8.35 --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools
+        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Execute packaging tests
         run: |

.github/workflows/build-package.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -64,17 +64,17 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
-      - name: Setup git authentication for GitHub App
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
 
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
 
@@ -89,20 +89,16 @@ jobs:
         env:
           TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }}
           POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }}
-          GH_TOKEN: ${{ steps.app.outputs.token }}
 
       - name: Clone tools repo for test
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b v0.8.35 --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools
+        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Execute packaging tests
         run: |
           python -m pip install -r tools/packaging_automation/requirements.txt
           python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages'
         env:
           PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}"
-          GH_TOKEN: ${{ steps.app.outputs.token }}
 
       - name: Push images
         run: |

.github/workflows/build-pgazure-nightlies.yml

@@ -45,16 +45,16 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
-      - name: Setup git authentication for GitHub App
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -64,14 +64,10 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone tools branch
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b v0.8.35 --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools
+        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Clone build branch
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging
+        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -80,8 +76,6 @@ jobs:
         run: python -m pip install -r tools/packaging_automation/requirements.txt
 
       - name: Build packages
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m  tools.packaging_automation.citus_package \
           --gh_token "${GH_TOKEN}" \
@@ -93,8 +87,6 @@ jobs:
           --input_files_dir "$(pwd)/packaging"
 
       - name: Publish packages
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m  tools.packaging_automation.upload_to_package_cloud \
           --platform "${{ matrix.platform }}" \

.github/workflows/image-health-check.yml

@@ -35,11 +35,17 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Check out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -79,11 +85,17 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
 
@@ -101,15 +113,12 @@ jobs:
 
 
       - name: Clone tools repo for test
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}  
-        run: git clone -b v0.8.35 --depth=1  https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools
+        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Execute packaging tests
         run: |
           python -m pip install -r tools/packaging_automation/requirements.txt
           python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages'
         env:
           PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}"
-          GH_TOKEN: ${{ steps.app.outputs.token }}
 

.github/workflows/update-pgxn-version.yml

@@ -24,31 +24,27 @@ jobs:
           private-key: ${{ secrets.GH_APP_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Check out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.app.outputs.token }}
 
-      - name: Setup git authentication for GitHub App
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install dependencies
         run: sudo apt install libcurl4-openssl-dev libssl-dev
 
       - name: Clone Tools branch
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: git clone --branch v0.8.35 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git
+        run: git clone --branch v0.8.35 https://github.com/citusdata/tools.git
 
       - name: Install Python requirements
         run: python -m pip install -r tools/packaging_automation/requirements.txt
 
       - name: Update pgxn files
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
         run: |
           python -m tools.packaging_automation.update_pgxn \
           --prj_ver ${PROJECT_VERSION} \

.github/workflows/update_package_properties.yml

@@ -18,8 +18,24 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       # Runs a single command using the runners shell
       - name: Clone Tools branch

scripts/fetch_and_build_deb

@@ -88,7 +88,15 @@ if [ -z "${pkglatest}" ]; then
     exit $noinput
 fi
 
-echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+if [ -z "${GH_TOKEN:-}" ]; then
+    echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2
+    exit 66
+fi
+
+echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc
+
+# ensuring GH_TOKEN usage for clones/fetches
+git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 export NAME
 NAME=$(determine_name)

scripts/fetch_and_build_pgxn

@@ -50,7 +50,15 @@ if [ -z "${pkglatest}" ]; then
     exit $noinput
 fi
 
-echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+if [ -z "${GH_TOKEN:-}" ]; then
+    echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2
+    exit 66
+fi
+
+echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc
+
+# ensuring GH_TOKEN usage for clones/fetches
+git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 cp -R /buildfiles/META.json "${builddir}"
 repopath="citusdata/${hubproj}"

scripts/fetch_and_build_rpm

@@ -81,7 +81,15 @@ if [ -z "${pkglatest}" ]; then
     exit $noinput
 fi
 
-echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+if [ -z "${GH_TOKEN:-}" ]; then
+    echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2
+    exit 66
+fi
+
+echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc
+
+# ensuring GH_TOKEN usage for clones/fetches
+git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 name=$(determine_name)
 email=$(determine_email)