Switch from bot PAT to GitHub App token via Azure Key Vault (#63538)

Author: jakebailey

.github/workflows/accept-baselines-fix-lints.yaml

@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -15,11 +16,14 @@ defaults:
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          persist-credentials: false
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 'lts/*'
@@ -37,4 +41,27 @@ jobs:
           git add ./tests/baselines/reference
           git diff --cached
           git commit -m "Update Baselines, Applied Lint Fixes, and/or Formatted"
-          git push
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-contents: write
+      - name: Configure git for GitHub App token
+        shell: bash
+        env:
+          GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
+          echo "::add-mask::$basic_auth"
+          git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
+      - run: git push

.github/workflows/close-issues.yml

@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -17,15 +18,36 @@ defaults:
 jobs:
   close-issues:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
     if: github.repository == 'microsoft/TypeScript'
     permissions:
       contents: read # Apparently required to create issues
+      id-token: write
       issues: write
 
     steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-issues: write
       - name: Close issues
         env:
-          GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPO: ${{ github.repository }}
         run: |
           DATE=$(date --date='2 days ago' --iso-8601)

.github/workflows/create-cherry-pick-pr.yml

@@ -34,6 +34,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -44,15 +45,42 @@ defaults:
 jobs:
   open-pr:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
     if: github.repository == 'microsoft/TypeScript'
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
           fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
-          token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
-
+          persist-credentials: false
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-contents: write
+          permission-issues: write
+          permission-pull-requests: write
+      - name: Configure git for GitHub App token
+        shell: bash
+        env:
+          GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
+          echo "::add-mask::$basic_auth"
+          git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: open-pr
         env:
@@ -64,7 +92,7 @@ jobs:
           STATUS_COMMENT: ${{ inputs.status_comment }}
         with:
           retries: 3
-          github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           result-encoding: string
           script: |
             const {
@@ -182,7 +210,7 @@ jobs:
         with:
           success_comment: ${{ steps.open-pr.outputs.result }}
           failure_comment: 'I was unable to cherry-pick this PR.'
-          github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           distinct_id: ${{ inputs.distinct_id }}
           source_issue: ${{ inputs.source_issue }}
           requesting_user: ${{ inputs.requesting_user }}

.github/workflows/lkg.yml

@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -20,6 +21,9 @@ defaults:
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
     steps:
       - env:
           BRANCH_NAME: ${{ inputs.branch_name }}
@@ -32,7 +36,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.branch_name }}
-          token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          persist-credentials: false
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 'lts/*'
@@ -48,4 +52,27 @@ jobs:
           git config user.email "typescriptbot@microsoft.com"
           git config user.name "TypeScript Bot"
           git commit -m 'Update LKG'
-          git push
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-contents: write
+      - name: Configure git for GitHub App token
+        shell: bash
+        env:
+          GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
+          echo "::add-mask::$basic_auth"
+          git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
+      - run: git push

.github/workflows/new-release-branch.yaml

@@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -48,13 +49,16 @@ defaults:
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
           fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
-          token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          persist-credentials: false
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 'lts/*'
@@ -85,14 +89,39 @@ jobs:
           git config user.email "typescriptbot@microsoft.com"
           git config user.name "TypeScript Bot"
           git commit -m "Bump version to $PACKAGE_VERSION and LKG"
-          git push --set-upstream origin "$BRANCH_NAME"
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-contents: write
+      - name: Configure git for GitHub App token
+        shell: bash
+        env:
+          GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
+          echo "::add-mask::$basic_auth"
+          git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
+      - env:
+          BRANCH_NAME: ${{ inputs.branch_name }}
+        run: git push --set-upstream origin "$BRANCH_NAME"
 
       - uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master
         if: ${{ !cancelled() && inputs.distinct_id }}
         with:
           success_comment: "I've created ${{ inputs.branch_name }} with version ${{ inputs.package_version }} for you."
           failure_comment: 'I was unable to create the new release branch.'
-          github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           distinct_id: ${{ inputs.distinct_id }}
           source_issue: ${{ inputs.source_issue }}
           requesting_user: ${{ inputs.requesting_user }}

.github/workflows/pr-modified-files.yml

@@ -17,6 +17,7 @@ concurrency:
 
 permissions:
   contents: read
+  id-token: write
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -27,17 +28,37 @@ defaults:
 jobs:
   manage-prs:
     runs-on: ubuntu-latest
+    environment:
+      name: azure
+      deployment: false
     if: github.repository == 'microsoft/TypeScript'
 
-    # No need to set explicit permissions; we are using typescript-bot's token, not github-actions' token.
+    # No need to set explicit permissions; we are using the GitHub App token, not github-actions' token.
 
     env:
-      GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
       PR_NUMBER: ${{ github.event.pull_request.number }}
       PR_AUTHOR: ${{ github.event.pull_request.user.login }}
       REPO: ${{ github.repository }}
 
     steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Create GitHub App token
+        id: app-token
+        uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
+        with:
+          client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
+          key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
+          owner: microsoft
+          repositories: TypeScript
+          permission-issues: write
+          permission-pull-requests: write
       - name: Check if PR author is in pr_owners.txt
         id: pr_owner
         run: |
@@ -91,6 +112,8 @@ jobs:
 
       - name: Generated DOM files
         if: steps.pr_owner.outputs.pr_owner == 'false'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           if ./is_changed.sh "src/lib/dom.generated.d.ts" \
               "src/lib/dom.iterable.generated.d.ts" \
@@ -107,6 +130,8 @@ jobs:
           fi
 
       - name: Check if PR modifies protocol.ts
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           if ./is_changed.sh "src/server/protocol.ts"; then
             MESSAGE="Thanks for the PR! It looks like you've changed the TSServer protocol in some way."
@@ -122,6 +147,8 @@ jobs:
           fi
 
       - name: Check for breaking changes
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           if ./is_changed.sh "tests/baselines/reference/api/typescript.d.ts"; then
             MESSAGE="Looks like you're introducing a change to the public API surface area."