Switch from bot PAT to GitHub App token via Azure Key Vault (#63538)

This commit is contained in:
Jake Bailey
2026-06-08 12:58:53 -07:00
committed by GitHub
parent 7539c04d94
commit 345012d5a9
13 changed files with 1025 additions and 49 deletions


@@ -5,6 +5,7 @@ on:
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -15,11 +16,14 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
@@ -37,4 +41,27 @@ jobs:
git add ./tests/baselines/reference
git diff --cached
git commit -m "Update Baselines, Applied Lint Fixes, and/or Formatted"
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push
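Review bot: The `git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"` line in the `Configure git for GitHub App token` step writes the App token into the checkout's `.git/config`, which is the on-disk credential that `persist-credentials: false` on the checkout was chosen to avoid; it then stays there for the rest of the job rather than only for the `git push` that needs it. Scoping it to the one command keeps it off disk: fold the push into the same step as `git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${basic_auth}" push` and drop the separate `- run: git push`, or at least add `git config --local --unset-all http.https://github.com/.extraheader` after the push. The same step is repeated in the LKG, release-branch, set-version, merge-main, cherry-pick, wiki-sync and package-lock sections of this commit; in the cherry-pick and wiki-sync sections further steps (`actions/github-script`, `post-workflow-result`, the sync script) run with the header still in place, which is where the scoping matters most. The masking of `basic_auth` via `::add-mask::` is good and should be kept in whichever form is used.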


@@ -7,6 +7,7 @@ on:
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -17,15 +18,36 @@ defaults:
jobs:
close-issues:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'
permissions:
contents: read # Apparently required to create issues
id-token: write
issues: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-issues: write
- name: Close issues
env:
GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
REPO: ${{ github.repository }}
run: |
DATE=$(date --date='2 days ago' --iso-8601)
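Review bot: With the `Close issues` step now authenticating as the App (`GH_TOKEN: ${{ steps.app-token.outputs.token }}`), the job-level `issues: write` on the default `GITHUB_TOKEN` no longer appears to be exercised by this step; if no other step in `close-issues` calls the API with `GITHUB_TOKEN`, drop it so only one of the two tokens carries issue-write scope. The `contents: read # Apparently required to create issues` comment describes the old token path and now just covers the checkout, so `contents: read # checkout` would be more accurate. The `Close issues` script body continues outside the hunk, so I could not confirm whether anything else in it still reads `GITHUB_TOKEN`.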


@@ -34,6 +34,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -44,6 +45,9 @@ defaults:
jobs:
open-pr:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'
steps:
@@ -51,8 +55,32 @@ jobs:
with:
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
permission-issues: write
permission-pull-requests: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
id: open-pr
env:
@@ -64,7 +92,7 @@ jobs:
STATUS_COMMENT: ${{ inputs.status_comment }}
with:
retries: 3
github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github-token: ${{ steps.app-token.outputs.token }}
result-encoding: string
script: |
const {
@@ -182,7 +210,7 @@ jobs:
with:
success_comment: ${{ steps.open-pr.outputs.result }}
failure_comment: 'I was unable to cherry-pick this PR.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}
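Review bot: The token minted here with `permission-contents: write`, `permission-issues: write` and `permission-pull-requests: write` is passed both to `actions/github-script` and to `microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master`, and the latter is the only `uses:` in this file referenced by a mutable branch rather than a commit SHA, so the repo-write token's trust boundary now includes whatever `master` resolves to at run time. If that action only posts the result comment on `source_issue`, a second App token minted with just `permission-issues: write` for that step (`id: comment-token`, passed as `github_token: ${{ steps.comment-token.outputs.token }}`) would bound the exposure, and pinning the action by SHA would match the rest of the workflow. This step already received the PAT before the change, so it is a pre-existing exposure rather than a regression; the `open-pr` job's script body starts and ends outside these hunks.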


@@ -10,6 +10,7 @@ on:
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -20,6 +21,9 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- env:
BRANCH_NAME: ${{ inputs.branch_name }}
@@ -32,7 +36,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.branch_name }}
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
@@ -48,4 +52,27 @@ jobs:
git config user.email "typescriptbot@microsoft.com"
git config user.name "TypeScript Bot"
git commit -m 'Update LKG'
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push


@@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -48,13 +49,16 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
@@ -85,14 +89,39 @@ jobs:
git config user.email "typescriptbot@microsoft.com"
git config user.name "TypeScript Bot"
git commit -m "Bump version to $PACKAGE_VERSION and LKG"
git push --set-upstream origin "$BRANCH_NAME"
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- env:
BRANCH_NAME: ${{ inputs.branch_name }}
run: git push --set-upstream origin "$BRANCH_NAME"
- uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master
if: ${{ !cancelled() && inputs.distinct_id }}
with:
success_comment: "I've created ${{ inputs.branch_name }} with version ${{ inputs.package_version }} for you."
failure_comment: 'I was unable to create the new release branch.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}


@@ -17,6 +17,7 @@ concurrency:
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -27,17 +28,37 @@ defaults:
jobs:
manage-prs:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'
# No need to set explicit permissions; we are using typescript-bot's token, not github-actions' token.
# No need to set explicit permissions; we are using the GitHub App token, not github-actions' token.
env:
GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
REPO: ${{ github.repository }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-issues: write
permission-pull-requests: write
- name: Check if PR author is in pr_owners.txt
id: pr_owner
run: |
@@ -91,6 +112,8 @@ jobs:
- name: Generated DOM files
if: steps.pr_owner.outputs.pr_owner == 'false'
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if ./is_changed.sh "src/lib/dom.generated.d.ts" \
"src/lib/dom.iterable.generated.d.ts" \
@@ -107,6 +130,8 @@ jobs:
fi
- name: Check if PR modifies protocol.ts
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if ./is_changed.sh "src/server/protocol.ts"; then
MESSAGE="Thanks for the PR! It looks like you've changed the TSServer protocol in some way."
@@ -122,6 +147,8 @@ jobs:
fi
- name: Check for breaking changes
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if ./is_changed.sh "tests/baselines/reference/api/typescript.d.ts"; then
MESSAGE="Looks like you're introducing a change to the public API surface area."
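Review bot: The rewritten comment `# No need to set explicit permissions; we are using the GitHub App token, not github-actions' token.` is no longer accurate for this job: `azure/login` depends on the workflow-level `id-token: write` added in the first hunk of this file, so the `GITHUB_TOKEN` permissions do now matter here. Suggest `# Inherits the workflow-level permissions (contents: read, id-token: write) for checkout and azure/login; the gh calls below use the GitHub App token, not GITHUB_TOKEN.` Moving `GH_TOKEN` from the job-level `env:` to the three steps that call `gh` is a good narrowing, but any other step in `manage-prs` that runs `gh` and is not shown in these hunks (for example `Check if PR author is in pr_owners.txt`, whose body is cut off) will now run without a token, so the rest of the job is worth checking.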


@@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -48,11 +49,14 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.branch_name }}
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
@@ -88,14 +92,37 @@ jobs:
git config user.email "typescriptbot@microsoft.com"
git config user.name "TypeScript Bot"
git commit -m "Bump version to $PACKAGE_VERSION and LKG"
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push
- uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master
if: ${{ !cancelled() && inputs.distinct_id }}
with:
success_comment: "I've set the version of ${{ inputs.branch_name }} to ${{ inputs.package_version }} for you."
failure_comment: 'I was unable set the version.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}


@@ -30,6 +30,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -40,6 +41,9 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -50,7 +54,7 @@ jobs:
ref: ${{ inputs.branch_name }}
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
# required client_payload members:
# branch_name - the target branch
- run: |
@@ -62,14 +66,37 @@ jobs:
npx hereby LKG
git add --force ./lib
git commit -m 'Update LKG'
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push
- uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master
if: ${{ !cancelled() && inputs.distinct_id }}
with:
success_comment: "I've pulled main into ${{ inputs.branch_name }} for you."
failure_comment: 'I was unable merge main into ${{ inputs.branch_name }}.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}


@@ -4,6 +4,7 @@ on: [gollum]
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -14,17 +15,45 @@ defaults:
jobs:
sync:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- name: Get repo name
run: R=${GITHUB_REPOSITORY%?wiki}; echo "BASENAME=${R##*/}" >> $GITHUB_ENV
- name: Checkout ${{ env.BASENAME }}-wiki
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: '${{ GITHUB.repository_owner }}/${{ env.BASENAME }}-wiki'
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
repository: '${{ github.repository_owner }}/${{ env.BASENAME }}-wiki'
fetch-depth: 0
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: |
TypeScript
TypeScript-wiki
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- name: Run sync
run: ./.github/workflows/sync
env:
PUSHER: typescript-bot <bot@typescriptlang.org>
AUTH: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
AUTH: ${{ steps.app-token.outputs.token }}
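Review bot: The `Run sync` step receives the App token twice — as `AUTH` and through the `http.https://github.com/.extraheader` the previous step wrote into the wiki checkout's `.git/config` — so whichever path `./.github/workflows/sync` actually uses, the other is a redundant copy of a repo-write credential. If the script does its own authenticated clone/push with `AUTH`, the `Configure git for GitHub App token` step can be dropped here; if it relies on the checkout's config, `AUTH` can go. The token is also minted for both `TypeScript` and `TypeScript-wiki` with `permission-contents: write`; if the sync only pushes to `TypeScript-wiki`, the `TypeScript` entry is wider than needed — I could not confirm either way since the sync script is outside this diff.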


@@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -49,19 +50,40 @@ jobs:
run:
if: ${{ github.repository == 'microsoft/TypeScript' }}
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- if: ${{ github.event.inputs.bisect }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
persist-credentials: false
- if: ${{ !github.event.inputs.bisect }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
permission-issues: write
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
- uses: microsoft/TypeScript-Twoslash-Repro-Action@master
with:
github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github-token: ${{ steps.app-token.outputs.token }}
issue: ${{ github.event.inputs.issue }}
bisect: ${{ github.event.inputs.bisect }}
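Review bot: The token handed to `microsoft/TypeScript-Twoslash-Repro-Action@master` is minted with `permission-contents: write` as well as `permission-issues: write`, yet nothing in this hunk pushes to the repository — the bisect path only needs the full-history local checkout that `fetch-depth: 0` already provides. Unless the action pushes branches or commits (not visible here), `permission-contents: read` would bound what an action referenced by a mutable `@master` ref can do with the token; the unpinned reference is pre-existing, but after this change it is the only `uses:` in the job that is not SHA-pinned, so pinning it would be consistent with the others.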


@@ -9,6 +9,7 @@ on:
permissions:
contents: read
id-token: write
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -19,12 +20,15 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
@@ -35,12 +39,14 @@ jobs:
npm --version
- name: Update package-lock.json and push
id: update
run: |
rm package-lock.json
npm install
if git diff --exit-code --name-only package-lock.json; then
echo "No change."
echo "changed=false" >> "$GITHUB_OUTPUT"
else
npm test
npx hereby LKG
@@ -48,5 +54,32 @@ jobs:
git config user.name "TypeScript Bot"
git add -f package-lock.json
git commit -m "Update package-lock.json"
git push
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
if: steps.update.outputs.changed == 'true'
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
if: steps.update.outputs.changed == 'true'
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Push
if: steps.update.outputs.changed == 'true'
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
git push