diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index b6ba9935ba675..8648db58da602 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@@ -40,7 +40,9 @@ jobs:
 if: ${{ github.repository == 'wordpress/wordpress-develop' }}
 timeout-minutes: 10
 permissions:
- contents: write
+ # The actual `git push` is authenticated via a dedicated GitHub App installation token
+ # generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
+ actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
 steps:
 - name: Download artifact
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -90,21 +92,18 @@ jobs:
 id: generate_token
 if: ${{ steps.artifact-check.outputs.exists == 'true' }}
 env:
- GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+ GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
 GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
 run: |
- echo "$GH_APP_PRIVATE_KEY" > private-key.pem
- # Generate JWT JWT=$(python3 - <> "$GITHUB_ENV" - - rm -f private-key.pem
+ echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -130,7 +127,7 @@ jobs:
 ref: ${{ github.event.workflow_run.head_branch }}
 path: 'pr-repo'
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
- token: ${{ env.ACCESS_TOKEN }}
+ token: ${{ steps.generate_token.outputs.access-token }}
 persist-credentials: true
 - name: Apply patch
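Review bot: The installation token that the generate_token step now writes to `$GITHUB_OUTPUT` is not a registered secret, so the runner will not mask it if a later step or a debug run ever prints `steps.generate_token.outputs.access-token`; add `echo "::add-mask::$ACCESS_TOKEN"` immediately before `echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"`. Scoping the token to a step output instead of `$GITHUB_ENV` and no longer writing the key to `private-key.pem` both reduce exposure, which is why masking is the remaining gap. The heredoc that builds the JWT is not legible in this view, so I cannot confirm how the key now reaches python3; reading it from the `GH_APP_PRIVATE_KEY` environment variable inside the script, rather than passing it as an argument, keeps it out of process listings. The run block's body extends beyond what is readable in the hunk.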
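Review bot: With `persist-credentials: true`, the installation token supplied as `token:` is kept in `pr-repo/.git/config` for the remaining steps, which the later push needs, but nothing revokes it when the job ends, so it stays usable for the rest of its lifetime even though the job itself is capped at 10 minutes. A final cleanup step gated on `if: ${{ always() && steps.generate_token.outputs.access-token != '' }}` that runs `gh api --method DELETE /installation/token` with `GH_TOKEN: ${{ steps.generate_token.outputs.access-token }}` would bound the credential to the job. The rest of the checkout step's inputs lie outside the hunk.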
@@ -147,7 +144,7 @@ jobs:
 if: ${{ steps.artifact-check.outputs.exists == 'true' }}
 working-directory: 'pr-repo'
 env:
- GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+ GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
 run: |
 git config user.name "wordpress-develop-pr-bot[bot]"
 git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
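Review bot: `GH_APP_ID` is used to build the bot's noreply address in `git config user.email`, but GitHub's noreply format is `<account-id>+<login>@users.noreply.github.com`, where the number is the bot user's account ID, not the App ID (compare `41898282+github-actions[bot]@users.noreply.github.com`, which uses the bot account's user ID). Unless `vars.GH_PR_BUILT_FILES_APP_ID` actually holds the bot user's ID, commits made here will not be attributed to the app's bot account. The ID can be looked up once with `gh api /users/wordpress-develop-pr-bot[bot] --jq .id` and stored in a separate variable used only for the email, while the real App ID keeps serving JWT generation. This is pre-existing behavior that the switch from `secrets` to `vars` does not change.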