From 788778e12c503463e1d06a042a5d3eccae82cca8 Mon Sep 17 00:00:00 2001
From: Tom Lebreux
Date: Tue, 17 Dec 2024 13:41:57 -0500
Subject: [PATCH] [v0.5] Fix syncing dependencies (#569)

* Fix PR not triggering CI
* Fix token permission
* Fix quote
---
 .github/workflows/sync-deps.yaml | 33 +++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/sync-deps.yaml b/.github/workflows/sync-deps.yaml
index 57b1553f8..8b8072510 100644
--- a/.github/workflows/sync-deps.yaml
+++ b/.github/workflows/sync-deps.yaml
@@ -17,19 +17,38 @@ env:
 WEBHOOK_REF: "${{ github.ref_name }}"
 permissions:
- contents: write
- pull-requests: write
+ contents: read
+ # Needed to access to vault
+ id-token: write
 jobs:
 sync:
 name: Sync dependencies
 runs-on: ubuntu-latest
 steps:
+ - uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: | secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ; secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
+ # Fetch github token just for the webhook repository
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ env.APP_ID }}
+ private-key: ${{ env.PRIVATE_KEY }}
+ repositories: | webhook
+
 - name : Checkout webhook repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 ref: "${{ env.WEBHOOK_REF }}"
 path: webhook
+ token: ${{ steps.app-token.outputs.token }}
+ # Allow making git push request later on
+ persist-credentials: true
 - name : Checkout rancher repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
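Review bot: `rancher-eio/read-vault-secrets@main` (the first added step) is pulled from a mutable branch, and it is precisely the step that receives the GitHub App private key, while `actions/checkout` two steps below is pinned to a full commit SHA with a version comment; `actions/create-github-app-token@v1` is likewise a floating tag. Anyone who can push to that branch or move that tag could read `PRIVATE_KEY` and mint installation tokens for every repository the App is installed on, so pin both to a commit SHA in the same `@<sha> # <version>` form the checkout lines already use. Separately, `persist-credentials: true` leaves the installation token in the webhook checkout's `.git/config` for the rest of the job, which is needed for the later push but also means any later step that runs code from the rancher checkout can read it; the `repositories: webhook` narrowing is what bounds that, and a comment such as `# token is scoped to the webhook repo only; it stays readable in .git/config until the job ends` would make that intent explicit.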
@@ -44,8 +63,12 @@ jobs:
 - name: Configure the committer
 run: |
 cd webhook
- git config --global user.name "Webhook Sync Bot"
- git config --global user.email "webhooksyncbot@users.noreply.github.com"
+ user_id=$(gh api "/users/$APP_USER" --jq .id)
+ git config --global user.name "$APP_USER"
+ git config --global user.email "${user_id}+${APP_USER}@users.noreply.github.com"
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ APP_USER: "${{ steps.app-token.outputs.app-slug }}[bot]"
 - name: Run sync-deps script
 run: |
@@ -82,4 +105,4 @@ jobs:
 --head "${{ github.repository_owner }}:$BRANCH" \
 --base "$WEBHOOK_REF"
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
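Review bot: The `gh api "/users/$APP_USER"` lookup has no comment explaining why a network call is made just to set a committer email; presumably it is because GitHub links commits to the bot account only through the `<id>+<login>@users.noreply.github.com` form, so I would add `# resolve the App's bot user id so commits are attributed to <id>+<login>@users.noreply.github.com` above the `user_id=` line. Note also that `cd webhook` is now a no-op for this step, since `git config --global` writes `~/.gitconfig` and therefore applies to the rancher checkout as well; either drop the `cd` or switch to `--local` if the identity is meant to be confined to the webhook clone. The step depends on the `app-slug` output of `create-github-app-token` from the earlier hunk and on the default `bash -e` shell to abort when the lookup fails; an explicit `set -euo pipefail` at the top of the script would make that failure mode visible rather than implicit.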
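Review bot: `GH_TOKEN: ${{ steps.app-token.outputs.token }}` at the end of this step carries a requirement the file no longer states anywhere: the first hunk removed `pull-requests: write` from the workflow permissions, so `gh pr create` now succeeds only if the App installation itself grants Pull requests: write (and Contents: write for the preceding push) on the webhook repository. Add a comment on the `env:` line such as `# installation token; the App must hold contents:write + pull-requests:write on webhook` so whoever rotates or re-installs the App knows what to grant. Moving off `secrets.GITHUB_TOKEN` is presumably what makes the created PR trigger CI, since events raised with GITHUB_TOKEN do not start other workflows, and that rationale belongs in the same comment. The `gh pr create` step begins outside this hunk.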