This gist offers a pattern for creating a GitHub App (a "bot") that edits files and successfully merges them into your repo, using GitHub Actions workflow files.
The end result is that the commits and pull request merges in your workflows show up as the bot, instead of as your personal user account.
This pattern is pretty easy if you are willing to use your own Personal Access Token (PAT) to do the commits. But that means your personal user account will show up as the actor for the commits and the pull request merge, which isn't ideal. Also, other workflows on your repo can access your PAT. If you're working on an open-source project, that could pose a security risk to your account.
A better solution is to use an Installation Access Token generated by a GitHub Application. The Application then becomes a "bot" that shows up as the user for all the actions.
If your repository has required checks, the built-in GITHUB_TOKEN that most actions use is configured by default not to trigger any further workflows (and therefore no checks on a pull request it opens), so as to avoid a recursive loop. That is why we need an alternate approach (see a list of workarounds here).
For some reason, just running `gh pr merge --auto --delete-branch --squash` gives an error. (See my bug report here.) If that gets fixed, this pattern will be much simpler (it can just be one workflow file).
If you'd like to see how I used this pattern in my actual situation, you can see the relevant files here:
- Cron job workflow that initiates the daily file edits
- Script that gets called from the cron job that actually does the file edits
- Merge workflow that merges the pull request.
(These are permalinks to the files as they were at the time of this writing because I imagine we'll update them moving forward. Feel free to browse our repo to see how we're solving this problem now.)
- Triggers the workflow from a scheduled cron job (though you can have it run on other events if you wish; just modify the trigger event)
- Checks out your GitHub repo
- Makes edits to your files
- Creates a new branch
- Commits the changes (as the bot)
- Creates a pull request (as the bot)
- Merges the pull request (as the bot) after all checks are complete
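The first half of that list, the scheduled workflow that edits files and opens the pull request as the bot, as an added example workflow file (not the author's own template, which is only linked from this gist). It assumes the official `actions/create-github-app-token` action to mint the installation token from the `BOT_APP_ID` and `BOT_SECRET_KEY` secrets, a hypothetical `scripts/daily-update.sh` that performs the edits, a constructed daily schedule, and a branch prefix of `auto-update/`:

```yaml
# .github/workflows/auto-update.yml  (added example; file name is an assumption)
name: Auto update

on:
  schedule:
    - cron: "0 6 * * *"   # constructed: daily at 06:00 UTC
  workflow_dispatch:        # also allows "Run workflow" from the Actions tab

# GITHUB_TOKEN stays read-only; every write below uses the App's token instead.
permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation access token from the App ID and private key.
      - name: Generate bot token
        id: bot-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_SECRET_KEY }}

      # Check out with the bot token so the later `git push` authenticates as the App.
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          token: ${{ steps.bot-token.outputs.token }}

      # Replace this step with whatever script edits your files (hypothetical path).
      - name: Edit files
        run: ./scripts/daily-update.sh

      - name: Commit and open pull request as the bot
        env:
          GH_TOKEN: ${{ steps.bot-token.outputs.token }}
        run: |
          set -euo pipefail
          # Replace 12345678 with the number GitHub assigned your App (see the git log).
          git config user.name "repo-automation[bot]"
          git config user.email "12345678+repo-automation[bot]@users.noreply.github.com"
          # Nothing to do if the script changed no tracked or untracked files.
          if [ -z "$(git status --porcelain)" ]; then
            echo "No changes to commit"
            exit 0
          fi
          branch="auto-update/$(date -u +%Y%m%d-%H%M%S)"
          git checkout -b "$branch"
          git add -A
          git commit -m "Automated daily update"
          git push --set-upstream origin "$branch"
          # Because the push and the PR are made with the App token (not GITHUB_TOKEN),
          # the repository's pull_request workflows run on this PR.
          gh pr create \
            --title "Automated daily update" \
            --body "Opened automatically by the Repo Automation bot." \
            --label auto-update
```

The `auto-update` label must already exist in the repository, otherwise `gh pr create --label` fails. The private key is still a repository secret that workflows can read, but what the workflow actually uses is the installation token, which expires after an hour and is limited to the Contents and Pull requests permissions you granted the App.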
- Create a GitHub application
- You can give it a name. (In this example, it will be named "Repo Automation", but change it to what works for you.)
- Uncheck Active under Webhook. You do not need to enter a Webhook URL.
- Under Repository permissions: Contents select Access: Read & write.
- Under Repository permissions: Pull requests select Access: Read & write.
- (optional) Upload a logo
- Create a Private key from the App settings page and store it securely.
- Install your application on the organization/user where your repo lives.
- Go to your repository > Settings > Secrets > New repository secret and create `BOT_APP_ID` (with the GitHub Application ID) and `BOT_SECRET_KEY` (with the contents of the private key you generated).
- If you have branch protection rules on, go to your repo settings and add the application itself as an authorized committer.
- Use the two template files below as a basis for what your workflows need to do.
- You can optionally change the pull request label from `auto-update` to something else. If you do want to modify it, you need to change all instances of that label throughout both files for the script to function.
- Merge the files into your default branch for them to become available as options in the Actions tab of your repo.
- After you merge the files in for the first time, they will become available in the Actions tab for you to run manually. Even if you only want to run them on a branch (where you're doing your development), you need to first commit them to your default branch.
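The second workflow, which merges the bot's pull request once checks are complete, as an added example (again not the author's linked template). Because `gh pr merge --auto` errors as described above, this version instead triggers on the completion of the repository's CI workflow and merges only when GitHub reports the PR as mergeable. It assumes a CI workflow named `CI`, the same `actions/create-github-app-token` action and secrets, and the `auto-update/` branch prefix and `auto-update` label:

```yaml
# .github/workflows/auto-merge.yml  (added example; file name and the "CI" workflow name are assumptions)
name: Auto merge

on:
  workflow_run:
    workflows: ["CI"]        # completion of this workflow gates the merge
    types: [completed]

permissions:
  contents: read             # GITHUB_TOKEN is not used for the merge

jobs:
  merge:
    runs-on: ubuntu-latest
    # Act only on successful CI runs for branches created by the update workflow.
    if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'auto-update/')
    steps:
      - name: Generate bot token
        id: bot-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_SECRET_KEY }}

      - name: Merge the labelled pull request as the bot
        env:
          GH_TOKEN: ${{ steps.bot-token.outputs.token }}
          GH_REPO: ${{ github.repository }}          # no checkout, so tell gh which repo
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          set -euo pipefail
          # Find the open PR for this branch that carries the auto-update label.
          pr="$(gh pr list --state open --head "$HEAD_BRANCH" --label auto-update \
                --json number --jq '.[0].number')"
          if [ -z "$pr" ] || [ "$pr" = "null" ]; then
            echo "No open auto-update pull request for $HEAD_BRANCH"
            exit 0
          fi
          # CLEAN means every required check passed and branch protection is satisfied;
          # any other state (BLOCKED, UNSTABLE, BEHIND, ...) means wait for a later run.
          state="$(gh pr view "$pr" --json mergeStateStatus --jq '.mergeStateStatus')"
          if [ "$state" != "CLEAN" ]; then
            echo "PR #$pr is not mergeable yet (mergeStateStatus: $state)"
            exit 0
          fi
          gh pr merge "$pr" --squash --delete-branch
```

If several CI workflows gate the merge, list them all under `workflows:`; each completion re-runs this job, the first successful one merges, and the later ones find no open PR and exit. The label plus branch protection are what stop an arbitrary pull request from being merged by the bot, so keep the label restricted to the automation.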
Installation notes:
- After you get this script working, you'll be able to look in the git log and discover the `12345678+repo-automation[bot]@users.noreply.github.com` email that GitHub assigned your application. You can then go back and replace the 12345678 with the actual number that should be there. The commits will then show up with the logo that you set.
- Option A: Let the cron job run at the specified time
- Option B: Manually run it by going to Repo > Actions > Auto update > Run Workflow
Here are some of the references I found helpful in my quest to get this working.