From 187728c1f238d55d613796ae6139ffd122c5b80f Mon Sep 17 00:00:00 2001
From: Rachel Powers <508861+Ryex@users.noreply.github.com>
Date: Wed, 19 Mar 2025 15:19:13 -0700
Subject: [PATCH] ci(blocked-pr): use app token

Signed-off-by: Rachel Powers <508861+Ryex@users.noreply.github.com>
---
 .github/workflows/blocked-prs.yml | 25 +++++++++++++------------
 .github/workflows/merge-blocking-pr.yml | 16 +++++++++-------
 2 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/blocked-prs.yml b/.github/workflows/blocked-prs.yml
index 96a8cfc03..4c1840b01 100644
--- a/.github/workflows/blocked-prs.yml
+++ b/.github/workflows/blocked-prs.yml
@@ -19,13 +19,14 @@ jobs:
 name: Check Blocked Status
 runs-on: ubuntu-latest
 
- permissions:
- issues: write
- pull-requests: write
- statuses: write
- checks: write
-
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.PULL_REQUEST_APP_ID }}
+ private-key: ${{ secrets.PULL_REQUEST_APP_PRIVATE_KEY }}
+
 - name: Checkout Default Branch
 uses: actions/checkout@v4
 with:
@@ -35,7 +36,7 @@ jobs:
 if: github.event_name == 'workflow_dispatch'
 id: dispatch_event_setup
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 PR_NUMBER: ${{ inputs.pr_id }}
 run: |
 # setup env for the rest of the workflow
@@ -112,7 +113,7 @@ jobs:
 id: blocking_data
 if: fromJSON(steps.pr_ids.outputs.prs).numBlocking > 0
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 BLOCKING_PRS: ${{ steps.pr_ids.outputs.prs }}
 run: |
 blocked_pr_data=$(
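Review bot: Deleting the job-level `permissions:` block in the `@@ -19,13 +19,14 @@` hunk (and the matching block in merge-blocking-pr.yml) makes the job inherit the repository's default GITHUB_TOKEN permissions, which on permissive defaults is write on every scope and so broader than the explicit list that was removed, even though the steps no longer use that token. Only `actions/checkout@v4` (its `with:` continues outside the hunk) presumably still relies on the default token, so keeping an explicit minimum, `permissions:` followed by `  contents: read`, would stop the default token from widening silently. The app token carries the app's full installation permissions; if the `actions/create-github-app-token@v1` release in use supports the `permission-*` inputs, requesting only the scopes this job needs (issues, pull-requests, statuses, checks) would restore the least privilege the removed block documented, and pinning that action to a full commit SHA instead of the floating `v1` tag is worth considering now that it is the job's credential source. The `GH_TOKEN` swaps in the `@@ -35` and `@@ -112` hunks are mechanical and raise nothing on their own.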
@@ -147,7 +148,7 @@ jobs:
 if: (fromJSON(steps.pr_ids.outputs.prs).numBlocking > 0) && !contains(fromJSON(env.JOB_DATA).prLabels, 'blocked') && !fromJSON(steps.blocking_data.outputs.all_merged)
 continue-on-error: true
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 gh -R ${{ github.repository }} issue edit --add-label 'blocked' $PR_NUMBER
@@ -156,7 +157,7 @@ jobs:
 if: fromJSON(steps.pr_ids.outputs.prs).numBlocking > 0 && fromJSON(steps.blocking_data.outputs.all_merged)
 continue-on-error: true
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 gh -R ${{ github.repository }} issue edit --remove-label 'blocked' $PR_NUMBER
@@ -176,7 +177,7 @@ jobs:
 if: fromJSON(steps.pr_ids.outputs.prs).numBlocking > 0
 continue-on-error: true
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 BLOCKING_DATA: ${{ steps.blocking_data.outputs.data }}
 run: |
 pr_head_sha=$(jq -r '.prHeadSha' <<< "$JOB_DATA")
@@ -229,5 +230,5 @@ jobs:
 comment_id: "block_pr_dependencies"
 issue_number: ${{ env.PR_NUMBER }}
 repository: ${{ github.repository }}
- gh_token: ${{ secrets.GITHUB_TOKEN }}
+ gh_token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/merge-blocking-pr.yml b/.github/workflows/merge-blocking-pr.yml
index 4ac85fa5f..755cdcde9 100644
--- a/.github/workflows/merge-blocking-pr.yml
+++ b/.github/workflows/merge-blocking-pr.yml
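Review bot: In the `@@ -229,5 +230,5 @@` hunk the app token is now passed as `gh_token` into another action whose `uses:` line lies outside the hunk, so a credential carrying the app's full installation permissions, rather than the old job-scoped GITHUB_TOKEN, is handed to code this workflow does not control. Confirm that action is pinned to a commit SHA and needs nothing beyond comment access; a down-scoped token from the generate-token step would limit what a compromised dependency could do with it. The `@@ -147`, `@@ -156` and `@@ -176` hunks are the same mechanical swap, but note that the `gh issue edit` label changes made there with an app token now emit events that can trigger other workflows (GITHUB_TOKEN-made changes do not), which is presumably the intent of the change but should be checked against any `labeled` triggers on this workflow.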
@@ -14,16 +14,18 @@ jobs:
 # find the open pr's it was blocked by and trigger a refresh of their state
 if: github.event.pull_request.merged == true && contains( join( github.event.pull_request.labels.*.name, ',' ), 'blocking' )
 
- permissions:
- issues: write
- pull-requests: write
- actions: write
-
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.PULL_REQUEST_APP_ID }}
+ private-key: ${{ secrets.PULL_REQUEST_APP_PRIVATE_KEY }}
+
 - name: Gather Dependent PRs
 id: gather_deps
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 blocked_prs=$(
@@ -43,7 +45,7 @@ jobs:
 - name: Trigger Blocked PR Workflows for Dependants
 if: fromJSON(steps.gather_deps.outputs.numdeps) > 0
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 DEPS: ${{ steps.gather_deps.outputs.deps }}
 run: |
 while read -r pr ; do
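Review bot: The `actions: write` permission removed in the `@@ -14,16 +14,18 @@` hunk is what the `Trigger Blocked PR Workflows for Dependants` step in `@@ -43` (its `run:` body continues outside the hunk) relied on, so the GitHub App must now hold Actions: write at the installation level, and the YAML no longer states that requirement anywhere; a comment on the generate-token step such as `# app must have installation permissions: actions: write, issues: write, pull-requests: write` would keep it visible. Because dispatches made with an app token behave like user-initiated events, and the dispatched blocked-prs workflow edits labels with the same app, check that the two workflows' triggers cannot re-fire each other in a loop. As in blocked-prs.yml, an explicit `permissions: {}` (no checkout is visible in these hunks) would keep the default GITHUB_TOKEN from inheriting repository-wide write permissions now that the job no longer uses it.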