From 72114464b8ea65027ff0538c57b5f2e371ee0ee7 Mon Sep 17 00:00:00 2001
From: matt korwel
Date: Wed, 17 Sep 2025 17:16:38 -0700
Subject: [PATCH] permissiong for nightly job (#8652)
---
.../actions/create-pull-request/action.yml | 54 +++++++++++++++++++
.github/workflows/create-patch-pr.yml | 13 ++++-
.github/workflows/nightly-release.yml | 13 +++++
.github/workflows/promote-release.yml | 23 ++++----
4 files changed, 87 insertions(+), 16 deletions(-)
create mode 100644 .github/actions/create-pull-request/action.yml
diff --git a/.github/actions/create-pull-request/action.yml b/.github/actions/create-pull-request/action.yml
new file mode 100644
index 0000000000..815d67682a
--- /dev/null
+++ b/.github/actions/create-pull-request/action.yml
@@ -0,0 +1,54 @@
+name: 'Create and Merge Pull Request'
+description: 'Creates a pull request and merges it automatically.'
+
+inputs:
+ branch-name:
+ description: 'The name of the branch to create the PR from.'
+ required: true
+ pr-title:
+ description: 'The title of the pull request.'
+ required: true
+ pr-body:
+ description: 'The body of the pull request.'
+ required: true
+ base-branch:
+ description: 'The branch to merge into.'
+ required: true
+ default: 'main'
+ app-id:
+ description: 'The ID of the GitHub App.'
+ required: true
+ private-key:
+ description: 'The private key of the GitHub App.'
+ required: true
+ dry-run:
+ description: 'Whether to run in dry-run mode.'
+ required: false
+ default: 'false'
+
+runs:
+ using: 'composite'
+ steps:
+ - name: 'Generate GitHub App Token'
+ id: 'generate_token'
+ if: "inputs.dry-run == 'false'"
+ uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+ with:
+ app-id: '${{ inputs.app-id }}'
+ private-key: '${{ inputs.private-key }}'
+ permission-pull-requests: 'write'
+ permission-contents: 'write'
+
+ - name: 'Create and Approve Pull Request'
+ if: "inputs.dry-run == 'false'"
+ env:
+ GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
+ shell: 'bash'
+ run: |
+ gh pr create \
+ --title "${{ inputs.pr-title }}" \
+ --body "${{ inputs.pr-body }}" \
+ --base "${{ inputs.base-branch }}" \
+ --head "${{ inputs.branch-name }}" \
+ --fill
+ gh pr merge --auto --squash
diff --git a/.github/workflows/create-patch-pr.yml b/.github/workflows/create-patch-pr.yml
index 2ec6aed3eb..d8ba42cec4 100644
--- a/.github/workflows/create-patch-pr.yml
+++ b/.github/workflows/create-patch-pr.yml
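Review bot: The `run:` block of 'Create and Approve Pull Request' interpolates `${{ inputs.pr-title }}`, `${{ inputs.pr-body }}`, `${{ inputs.base-branch }}` and `${{ inputs.branch-name }}` directly into bash, so any future caller that feeds this reusable action a value containing quotes or shell metacharacters gets its input executed rather than passed; today both callers build the values from their own version-computation steps, but the action is now a generic building block with no such guarantee. Pass the inputs through `env:` and reference them as quoted shell variables, as the removed promote-release step already did for `BRANCH_NAME` (rewritten step below). Separately, `base-branch` is declared both `required: true` and `default: 'main'`, which contradict each other, and neither caller in this commit passes it — keep the default and drop `required`. The step name also says 'Approve' although the commands only create the PR and enable auto-merge; `'Create Pull Request and Enable Auto-Merge'` would describe it.
```yaml
# … unchanged: name, description, inputs, token step …
  - name: 'Create and Approve Pull Request'
    if: "inputs.dry-run == 'false'"
    env:
      GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
      PR_TITLE: '${{ inputs.pr-title }}'
      PR_BODY: '${{ inputs.pr-body }}'
      BASE_BRANCH: '${{ inputs.base-branch }}'
      HEAD_BRANCH: '${{ inputs.branch-name }}'
    shell: 'bash'
    run: |
      gh pr create \
        --title "$PR_TITLE" \
        --body "$PR_BODY" \
        --base "$BASE_BRANCH" \
        --head "$HEAD_BRANCH" \
        --fill
      gh pr merge --auto --squash
```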
@@ -46,13 +46,22 @@ jobs:
 git config user.name "gemini-cli-robot"
 git config user.email "gemini-cli-robot@google.com"
 
+ - name: 'Generate GitHub App Token'
+ id: 'generate_token'
+ uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+ with:
+ app-id: '${{ secrets.APP_ID }}'
+ private-key: '${{ secrets.PRIVATE_KEY }}'
+ permission-pull-requests: 'write'
+ permission-contents: 'write'
+
 - name: 'Create Patch for Stable'
 if: "github.event.inputs.channel == 'stable'"
 env:
- GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
 run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=stable --dry-run=${{ github.event.inputs.dry_run }}'
 
 - name: 'Create Patch for Preview'
 env:
- GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
 run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }}'
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
index f0ca371671..494a1cc621 100644
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -25,7 +25,10 @@ jobs:
 release:
 runs-on: 'ubuntu-latest'
 permissions:
+ contents: 'write'
+ packages: 'write'
 issues: 'write'
+ pull-requests: 'write'
 steps:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
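Review bot: The added 'Generate GitHub App Token' step in create-patch-pr.yml mints an installation token with `permission-contents: 'write'` and `permission-pull-requests: 'write'` on every run, including those where `--dry-run=${{ github.event.inputs.dry_run }}` is true, whereas the composite action introduced in the same commit gates its token step on `inputs.dry-run == 'false'`. Whether `scripts/create-patch-pr.js` needs a write-capable token during a dry run cannot be seen from this hunk; if it only reads in that mode, `permission-contents: 'read'` would satisfy least privilege, and if it needs no token at all, the step can take the same `if: "github.event.inputs.dry_run == 'false'"` guard. Either way a one-line comment above `permission-contents: 'write'` naming the operation in the script that needs it (`# contents: write — the script pushes the patch branch`, or whatever the real reason is) would let the next reader verify the scope instead of guessing. The enclosing job and its `permissions:` block start before this hunk.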
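Review bot: The widened GITHUB_TOKEN scopes added under `permissions:` in nightly-release.yml — `contents: 'write'`, `packages: 'write'` and `pull-requests: 'write'` — are broader than the rest of this commit accounts for: the new PR step later in the file authenticates with an App token that carries its own `permission-pull-requests`/`permission-contents` scopes, so `pull-requests: 'write'` on the job token looks redundant, and no hunk touches anything that publishes packages. If a step outside the visible hunks pushes the release branch or publishes to GitHub Packages with GITHUB_TOKEN, keep that scope and record why next to it (`packages: 'write'  # required by <publish step name>`); otherwise drop the unused scopes so the job token stays at the `issues: 'write'` it had before. The `on:` block of this workflow is outside the hunk, so I cannot tell which steps actually run under it.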
@@ -71,6 +74,16 @@ jobs:
 dry-run: '${{ github.event.inputs.dry_run }}'
 previous-tag: '${{ steps.nightly_version.outputs.PREVIOUS_TAG }}'
 
+ - name: 'Create and Merge Pull Request'
+ uses: './.github/actions/create-pull-request'
+ with:
+ branch-name: 'release/${{ steps.nightly_version.outputs.RELEASE_TAG }}'
+ pr-title: 'chore(release): bump version to ${{ steps.nightly_version.outputs.RELEASE_VERSION }}'
+ pr-body: 'Automated version bump for nightly release.'
+ app-id: '${{ secrets.APP_ID }}'
+ private-key: '${{ secrets.PRIVATE_KEY }}'
+ dry-run: '${{ github.event.inputs.dry_run }}'
+
 - name: 'Create Issue on Failure'
 if: '${{ failure() && github.event.inputs.dry_run == false }}'
 env:
diff --git a/.github/workflows/promote-release.yml b/.github/workflows/promote-release.yml
index e778bc047f..1911d3dc6a 100644
--- a/.github/workflows/promote-release.yml
+++ b/.github/workflows/promote-release.yml
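Review bot: `dry-run: '${{ github.event.inputs.dry_run }}'` on the new 'Create and Merge Pull Request' step is evaluated inside the composite action with a strict string compare (`inputs.dry-run == 'false'`), while the very next step in this hunk uses the loose form `github.event.inputs.dry_run == false`. If this nightly workflow also fires from a trigger that carries no inputs (a `schedule` entry would do this — the `on:` block is outside the hunk), `github.event.inputs.dry_run` is the empty string, the strict compare is false, and the version-bump PR is silently never opened even though the release itself proceeds. Normalising the value at the call site, `dry-run: "${{ github.event.inputs.dry_run || 'false' }}"`, keeps an explicit `true` and turns the missing-input case into a real run; the promote-release hunk passes the same expression but replaced a step that already used the strict compare, so its behaviour is unchanged. Note also that `base-branch` is not passed here, so the step relies on the action's `default: 'main'` despite that input being declared `required: true`.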
@@ -317,20 +317,15 @@ jobs:
 echo "Dry run enabled. Skipping push."
 fi
 
- - name: 'Create and Approve Pull Request'
- if: |-
- ${{ github.event.inputs.dry_run == 'false' }}
- env:
- GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
- BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
- run: |
- gh pr create \
- --title "chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}" \
- --body "Automated version bump to prepare for the next nightly release." \
- --base "main" \
- --head "${BRANCH_NAME}" \
- --fill
- gh pr merge --auto --squash
+ - name: 'Create and Merge Pull Request'
+ uses: './.github/actions/create-pull-request'
+ with:
+ branch-name: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+ pr-title: 'chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}'
+ pr-body: 'Automated version bump to prepare for the next nightly release.'
+ app-id: '${{ secrets.APP_ID }}'
+ private-key: '${{ secrets.PRIVATE_KEY }}'
+ dry-run: '${{ github.event.inputs.dry_run }}'
 
 - name: 'Create Issue on Failure'
 if: '${{ failure() && github.event.inputs.dry_run == false }}'