permissiong for nightly job (#8652)

2026-03-10 22:21:22 -07:00 · 2025-09-17 17:16:38 -07:00
parent 407373dcd6
commit 72114464b8
4 changed files with 87 additions and 16 deletions
--- a/.github/actions/create-pull-request/action.yml
+++ b/.github/actions/create-pull-request/action.yml
@@ -0,0 +1,54 @@
+name: 'Create and Merge Pull Request'
+description: 'Creates a pull request and merges it automatically.'
+
+inputs:
+  branch-name:
+    description: 'The name of the branch to create the PR from.'
+    required: true
+  pr-title:
+    description: 'The title of the pull request.'
+    required: true
+  pr-body:
+    description: 'The body of the pull request.'
+    required: true
+  base-branch:
+    description: 'The branch to merge into.'
+    required: true
+    default: 'main'
+  app-id:
+    description: 'The ID of the GitHub App.'
+    required: true
+  private-key:
+    description: 'The private key of the GitHub App.'
+    required: true
+  dry-run:
+    description: 'Whether to run in dry-run mode.'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Generate GitHub App Token'
+      id: 'generate_token'
+      if: "inputs.dry-run == 'false'"
+      uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+      with:
+        app-id: '${{ inputs.app-id }}'
+        private-key: '${{ inputs.private-key }}'
+        permission-pull-requests: 'write'
+        permission-contents: 'write'
+
+    - name: 'Create and Approve Pull Request'
+      if: "inputs.dry-run == 'false'"
+      env:
+        GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
+      shell: 'bash'
+      run: |
+        gh pr create \
+          --title "${{ inputs.pr-title }}" \
+          --body "${{ inputs.pr-body }}" \
+          --base "${{ inputs.base-branch }}" \
+          --head "${{ inputs.branch-name }}" \
+          --fill
+        gh pr merge --auto --squash
--- a/.github/workflows/create-patch-pr.yml
+++ b/.github/workflows/create-patch-pr.yml
@@ -46,13 +46,22 @@ jobs:
          git config user.name "gemini-cli-robot"
          git config user.email "gemini-cli-robot@google.com"

+      - name: 'Generate GitHub App Token'
+        id: 'generate_token'
+        uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+        with:
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          permission-pull-requests: 'write'
+          permission-contents: 'write'
+
      - name: 'Create Patch for Stable'
        if: "github.event.inputs.channel == 'stable'"
        env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
        run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=stable --dry-run=${{ github.event.inputs.dry_run }}'

      - name: 'Create Patch for Preview'
        env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
        run: 'node scripts/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }}'
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -25,7 +25,10 @@ jobs:
  release:
    runs-on: 'ubuntu-latest'
    permissions:
+      contents: 'write'
+      packages: 'write'
      issues: 'write'
+      pull-requests: 'write'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
@@ -71,6 +74,16 @@ jobs:
          dry-run: '${{ github.event.inputs.dry_run }}'
          previous-tag: '${{ steps.nightly_version.outputs.PREVIOUS_TAG }}'

+      - name: 'Create and Merge Pull Request'
+        uses: './.github/actions/create-pull-request'
+        with:
+          branch-name: 'release/${{ steps.nightly_version.outputs.RELEASE_TAG }}'
+          pr-title: 'chore(release): bump version to ${{ steps.nightly_version.outputs.RELEASE_VERSION }}'
+          pr-body: 'Automated version bump for nightly release.'
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          dry-run: '${{ github.event.inputs.dry_run }}'
+
      - name: 'Create Issue on Failure'
        if: '${{ failure() && github.event.inputs.dry_run == false }}'
        env:
--- a/.github/workflows/promote-release.yml
+++ b/.github/workflows/promote-release.yml
@@ -317,20 +317,15 @@ jobs:
            echo "Dry run enabled. Skipping push."
          fi

-      - name: 'Create and Approve Pull Request'
-        if: |-
-          ${{ github.event.inputs.dry_run == 'false' }}
-        env:
-          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
-        run: |
-          gh pr create \
-            --title "chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}" \
-            --body "Automated version bump to prepare for the next nightly release." \
-            --base "main" \
-            --head "${BRANCH_NAME}" \
-            --fill
-          gh pr merge --auto --squash
+      - name: 'Create and Merge Pull Request'
+        uses: './.github/actions/create-pull-request'
+        with:
+          branch-name: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+          pr-title: 'chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}'
+          pr-body: 'Automated version bump to prepare for the next nightly release.'
+          app-id: '${{ secrets.APP_ID }}'
+          private-key: '${{ secrets.PRIVATE_KEY }}'
+          dry-run: '${{ github.event.inputs.dry_run }}'

      - name: 'Create Issue on Failure'
        if: '${{ failure() && github.event.inputs.dry_run == false }}'