From 23c4c256b03733d2afc149e22ee9c85a76bc96a6 Mon Sep 17 00:00:00 2001
From: Max Schmitt
Date: Wed, 19 Mar 2025 14:39:39 +0100
Subject: [PATCH] devops: migrate automations to GitHub App (#35273)
---
 .../workflows/cherry_pick_into_release_branch.yml | 7 ++++++-
 .github/workflows/pr_check_client_side_changes.yml | 14 ++++++++++++--
 .github/workflows/publish_canary.yml | 10 ++++++++--
 .github/workflows/publish_release_traceviewer.yml | 8 +++++++-
 .github/workflows/roll_browser_into_playwright.yml | 7 ++++++-
 .github/workflows/roll_driver_nodejs.yml | 7 ++++++-
 .github/workflows/trigger_tests.yml | 8 +++++++-
 7 files changed, 52 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/cherry_pick_into_release_branch.yml b/.github/workflows/cherry_pick_into_release_branch.yml
index 08c5562f35..777a12683e 100644
--- a/.github/workflows/cherry_pick_into_release_branch.yml
+++ b/.github/workflows/cherry_pick_into_release_branch.yml
@@ -59,10 +59,15 @@ jobs:
 echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_OUTPUT
 git checkout -b "$BRANCH_NAME"
 git push origin $BRANCH_NAME
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
 - name: Create Pull Request
 uses: actions/github-script@v7
 with:
- github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 const readableCommitHashesList = '${{ github.event.inputs.commit_hashes }}'.split(',').map(hash => `- ${hash}`).join('\n');
 const response = await github.rest.pulls.create({
diff --git a/.github/workflows/pr_check_client_side_changes.yml b/.github/workflows/pr_check_client_side_changes.yml
index 003831dffc..449c2a5d20 100644
--- a/.github/workflows/pr_check_client_side_changes.yml
+++ b/.github/workflows/pr_check_client_side_changes.yml
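Review bot: `actions/create-github-app-token@v1` is referenced by a mutable tag in the step added here and in the matching step added to the six other workflows in this patch, and it is the one action that is handed `secrets.PLAYWRIGHT_PRIVATE_KEY`. Whatever commit that tag resolves to at run time can read the App's private key, so pin it to a full commit SHA, e.g. `- uses: actions/create-github-app-token@<full-commit-sha> # v1.x.y` (placeholder; take the SHA from the release that was reviewed). Separately, the context line in this hunk still expands `${{ github.event.inputs.commit_hashes }}` inside the `script:` text, so the dispatch input is parsed as JavaScript rather than data in a step that now holds the App token; passing it through `env:` and reading `process.env.COMMIT_HASHES` keeps it a plain string. The `script:` block continues outside the hunk.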
@@ -16,10 +16,20 @@ jobs:
 if: github.repository == 'microsoft/playwright'
 steps:
 - uses: actions/checkout@v4
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+ repositories: |
+ playwright
+ playwright-python
+ playwright-java
+ playwright-dotnet
 - name: Create GitHub issue
 uses: actions/github-script@v7
 with:
- github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 const currentPlaywrightVersion = require('./package.json').version.match(/\d+\.\d+/)[0];
 const { data } = await github.rest.git.getCommit({
@@ -61,4 +71,4 @@ jobs:
 issue_number: issueNumber,
 body: newBody
 })
- }
\ No newline at end of file
+ }
diff --git a/.github/workflows/publish_canary.yml b/.github/workflows/publish_canary.yml
index 78fb0ba5a9..5d0d1bd139 100644
--- a/.github/workflows/publish_canary.yml
+++ b/.github/workflows/publish_canary.yml
@@ -72,13 +72,19 @@ jobs:
 - uses: actions/setup-node@v4
 with:
 node-version: 18
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+ repositories: playwright.dev
 - name: Deploy Canary
 run: bash utils/build/deploy-trace-viewer.sh --canary
 if: contains(github.ref, 'main')
 env:
- GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Deploy BETA
 run: bash utils/build/deploy-trace-viewer.sh --beta
 if: contains(github.ref, 'release')
 env:
- GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/publish_release_traceviewer.yml b/.github/workflows/publish_release_traceviewer.yml
index e61ac76ccd..9c7ab06aa2 100644
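Review bot: The token minted for the "Create GitHub issue" step in `pr_check_client_side_changes.yml` covers four repositories and, with no permission inputs set, carries every permission the App installation holds on them. Most of the script is outside the hunks, but the visible calls are `github.rest.git.getCommit` and an issue update (`issue_number`, `body`) in the later hunk, so the token can probably be narrowed with the action's permission inputs, e.g. `permission-issues: write` and `permission-contents: read`. Confirm that the release behind `@v1` supports those inputs and that the rest of the script needs nothing more before adding them.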
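Review bot: Both deploy steps in `publish_canary.yml` that now receive the `playwright.dev` token are gated by substring tests, `contains(github.ref, 'main')` and `contains(github.ref, 'release')`, which match any ref whose name merely contains those words. The workflow's triggers are outside the hunk, so whether other refs can reach this job is not visible; exact tests such as `if: github.ref == 'refs/heads/main'` and `if: startsWith(github.ref, 'refs/heads/<release-branch-prefix>')` (placeholder prefix) would make the gate explicit. The job definition starts above the hunk.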
--- a/.github/workflows/publish_release_traceviewer.yml
+++ b/.github/workflows/publish_release_traceviewer.yml
@@ -14,7 +14,13 @@ jobs:
 - uses: actions/setup-node@v4
 with:
 node-version: 18
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+ repositories: playwright.dev
 - name: Deploy Stable
 run: bash utils/build/deploy-trace-viewer.sh --stable
 env:
- GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/roll_browser_into_playwright.yml b/.github/workflows/roll_browser_into_playwright.yml
index 88fae9c031..b0a6461e73 100644
--- a/.github/workflows/roll_browser_into_playwright.yml
+++ b/.github/workflows/roll_browser_into_playwright.yml
@@ -49,10 +49,15 @@ jobs:
 git add .
 git commit -m "feat(${BROWSER}): roll to r${REVISION}"
 git push origin $BRANCH_NAME --force
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
 - name: Create Pull Request
 uses: actions/github-script@v7
 with:
- github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 const response = await github.rest.pulls.create({
 owner: 'microsoft',
diff --git a/.github/workflows/roll_driver_nodejs.yml b/.github/workflows/roll_driver_nodejs.yml
index ee0d3d262c..e9b7cec904 100644
--- a/.github/workflows/roll_driver_nodejs.yml
+++ b/.github/workflows/roll_driver_nodejs.yml
@@ -33,11 +33,16 @@ jobs:
 git add .
 git commit -m "chore(driver): roll driver to recent Node.js LTS version"
 git push origin $BRANCH_NAME
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
 - name: Create Pull Request
 if: ${{ steps.prepare-branch.outputs.HAS_CHANGES == '1' }}
 uses: actions/github-script@v7
 with:
- github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 await github.rest.pulls.create({
 owner: 'microsoft',
diff --git a/.github/workflows/trigger_tests.yml b/.github/workflows/trigger_tests.yml
index 1ea2ec424d..033c254ef3 100644
--- a/.github/workflows/trigger_tests.yml
+++ b/.github/workflows/trigger_tests.yml
@@ -11,6 +11,12 @@ jobs:
 name: "trigger"
 runs-on: ubuntu-24.04
 steps:
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+ private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+ repositories: playwright-browsers
 - run: |
 curl -X POST \
 -H "Accept: application/vnd.github.v3+json" \
@@ -18,4 +24,4 @@ jobs:
 --data "{\"event_type\": \"playwright_tests\", \"client_payload\": {\"ref\": \"${GITHUB_SHA}\"}}" \
 https://api.github.com/repos/microsoft/playwright-browsers/dispatches
 env:
- GH_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
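Review bot: The `app-token` step added to `roll_driver_nodejs.yml` has no `if:`, so an installation token is minted on every run even when its only consumer, "Create Pull Request", is skipped because `HAS_CHANGES` is not `'1'`. Giving the token step the same condition, `if: ${{ steps.prepare-branch.outputs.HAS_CHANGES == '1' }}`, keeps the private key from being used and a live token from existing on runs that do not need one. The preceding `run:` block and the `script:` body both extend outside the hunk.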
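Review bot: The `curl -X POST` dispatch call in `trigger_tests.yml` shows no `--fail` option in the lines visible across its two hunks (one line between them is outside the patch), so an HTTP 401, 403 or 404 from the API would still exit 0. With the credential switching to an App token scoped to `playwright-browsers`, a missing installation or permission would go unnoticed and the job would stay green without triggering the tests. Consider `curl --fail-with-body -X POST \` so a rejected token fails the step.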