
Commit dce1301

authored
ci(github-actions): switch to github app token and fix bot self-trigger (#26223)
1 parent 88626f3 commit dce1301

1 file changed

Lines changed: 24 additions & 12 deletions


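--- a/.github/workflows/gemini-cli-bot-brain.yml
+++ b/.github/workflows/gemini-cli-bot-brain.yml
@@ -41,7 +41,7 @@ jobs:
 github.event_name == 'schedule' ||
 (github.event_name == 'workflow_dispatch' && github.event.inputs.run_interactive != 'true') ||
 (github.event_name == 'workflow_dispatch' && github.event.inputs.run_interactive == 'true') ||
-(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@gemini-cli-robot') && contains(fromJSON('["COLLABORATOR", "MEMBER", "OWNER"]'), github.event.comment.author_association))
+(github.event_name == 'issue_comment' && github.event.comment.user.login != 'gemini-cli[bot]' && contains(github.event.comment.body, '@gemini-cli') && contains(fromJSON('["COLLABORATOR", "MEMBER", "OWNER"]'), github.event.comment.author_association))
 )
 # The reasoning phase is strictly readonly.
 permissions:
@@ -190,6 +190,17 @@ jobs:
 pull-requests: 'write'
 actions: 'write'
 steps:
+- name: 'Generate GitHub App Token 🔑'
+id: 'generate_token'
+if: "${{ github.event.inputs.enable_prs == 'true' || github.event_name == 'issue_comment' || github.event.inputs.run_interactive == 'true' }}"
+uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b' # ratchet:actions/create-github-app-token@v2
+with:
+app-id: '${{ secrets.APP_ID }}'
+private-key: '${{ secrets.PRIVATE_KEY }}'
+owner: '${{ github.repository_owner }}'
+repositories: '${{ github.event.repository.name }}'
+permissions: '{"contents": "write", "pull_requests": "write", "issues": "write", "workflows": "write"}'
+
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 with:
@@ -206,11 +217,11 @@ jobs:
 - name: 'Create or Update PR'
 if: "${{ github.event.inputs.enable_prs == 'true' || github.event_name == 'issue_comment' || github.event.inputs.run_interactive == 'true' }}"
 env:
-GH_TOKEN: '${{ secrets.GEMINI_CLI_ROBOT_GITHUB_PAT }}'
+GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
 run: |
 if [ -s "${{ runner.temp }}/brain-data/bot-changes.patch" ]; then
-git config user.name "gemini-cli-robot"
-git config user.email "gemini-cli-robot@google.com"
+git config user.name "gemini-cli[bot]"
+git config user.email "gemini-cli[bot]@users.noreply.github.com"
 git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
 
 BRANCH_NAME="bot/productivity-updates-$(date +'%Y%m%d%H%M%S')-${{ github.run_id }}"
@@ -248,21 +259,22 @@ jobs:
 
 - name: 'Post PR/Issue Comment'
 env:
-GH_TOKEN: '${{ secrets.GEMINI_CLI_ROBOT_GITHUB_PAT }}'
+GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
 TRIGGER_ISSUE_NUMBER: '${{ github.event.issue.number || github.event.inputs.issue_number }}'
 run: |
 if [ -s "${{ runner.temp }}/brain-data/issue-comment.md" ] && [ -n "$TRIGGER_ISSUE_NUMBER" ]; then
 echo "Posting comment to triggering issue #$TRIGGER_ISSUE_NUMBER"
-gh issue comment "$TRIGGER_ISSUE_NUMBER" -F "${{ runner.temp }}/brain-data/issue-comment.md"
+# Use REST API (gh api) instead of GraphQL (gh issue comment) to ensure robot identity
+# while avoiding potential GraphQL-specific authorization hurdles with PATs.
+gh api "repos/${{ github.repository }}/issues/$TRIGGER_ISSUE_NUMBER/comments" -F body=@"${{ runner.temp }}/brain-data/issue-comment.md"
 fi
 
 if [ -s "${{ runner.temp }}/brain-data/pr-comment.md" ] && [ -f "${{ runner.temp }}/brain-data/pr-number.txt" ]; then
 PR_NUM=$(cat "${{ runner.temp }}/brain-data/pr-number.txt")
-PR_AUTHOR=$(gh pr view "$PR_NUM" --json author --jq '.author.login')
-if [ "$PR_AUTHOR" != "gemini-cli-robot" ]; then
-echo "Error: PR #$PR_NUM is authored by '$PR_AUTHOR', not 'gemini-cli-robot'. Safety abort."
-exit 1
-fi
 
-gh pr comment "$PR_NUM" -F "${{ runner.temp }}/brain-data/pr-comment.md"
+# Using GitHub App, so author check is no longer valid against gemini-cli-robot
+# Skipping author validation here to let the app post.
+
+# Use REST API (gh api) for consistency and robot identity
+gh api "repos/${{ github.repository }}/issues/$PR_NUM/comments" -F body=@"${{ runner.temp }}/brain-data/pr-comment.md"
 fi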
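Review bot: The PR-author safety check deleted in the last hunk is not replaced with an equivalent one, so the comment step now posts to whatever PR number is read from `brain-data/pr-number.txt`; the new comment at new lines 275-276 explains why the old `gemini-cli-robot` comparison no longer matches but leaves the guard out entirely. Since this commit already moves the step to `gh api` and uses `gemini-cli[bot]` as the app's user login elsewhere in the diff (the trigger condition and the `git config` lines), the same guard can be kept by reading the PR author over REST and comparing against that login. Separately, the 'Post PR/Issue Comment' step has no `if:` mirroring the `generate_token` step, so on a `schedule` run or a `workflow_dispatch` without `enable_prs`/`run_interactive` the token output is empty where the PAT used to be set unconditionally; whether a comment file can exist on those paths is decided outside this hunk. The job definition continues past the final `fi` shown here.

```yaml
PR_NUM=$(cat "${{ runner.temp }}/brain-data/pr-number.txt")
# Only comment on PRs opened by the app identity; pr-number.txt is produced upstream.
PR_AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login')
if [ "$PR_AUTHOR" != "gemini-cli[bot]" ]; then
  echo "Error: PR #$PR_NUM is authored by '$PR_AUTHOR', not 'gemini-cli[bot]'. Safety abort."
  exit 1
fi
# … unchanged: gh api comment post …
```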
