From f1f599006859f006812726f3d6e6612f9d9fb084 Mon Sep 17 00:00:00 2001
From: vdovhanych
Date: Mon, 28 Apr 2025 14:56:11 +0200
Subject: [PATCH] ci: replace user tokens with github app integration
---
 .github/workflows/bot-common-sync.yml | 13 ++++++++++---
 .github/workflows/bot-project-automation.yml | 16 ++++++++++++++--
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/bot-common-sync.yml b/.github/workflows/bot-common-sync.yml
index f6686a0e38..9bfa91dce1 100644
--- a/.github/workflows/bot-common-sync.yml
+++ b/.github/workflows/bot-common-sync.yml
@@ -12,14 +12,19 @@ jobs:
   sync-common:
     runs-on: ubuntu-latest
     env:
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN_COMMON_FINE }}
-      BOT_USERNAME: ${{ secrets.TREZOR_BOT_USERNAME }}
-      BOT_EMAIL: ${{ secrets.TREZOR_BOT_EMAIL }}
+      BOT_USERNAME: "trezor-bot[bot]"
+      BOT_EMAIL: "208941332+trezor-bot[bot]@users.noreply.github.com"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Generate GitHub App token
+        id: trezor-bot-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.TREZOR_BOT_APP_ID }}
+          private-key: ${{ secrets.TREZOR_BOT_PRIVATE_KEY }}
       - name: Copy git-filter and script to temporary directory
         run: |
@@ -37,6 +42,8 @@ jobs:
           echo '${{runner.temp}}' >> $GITHUB_PATH
       - name: Sync trezor-common repository
+        env:
+          GITHUB_TOKEN: ${{ steps.trezor-bot-token.outputs.token }}
         run: |
           echo "Synchronizing common with the trezor-common repository"
           git config --unset-all http.https://github.com/.extraheader
diff --git a/.github/workflows/bot-project-automation.yml b/.github/workflows/bot-project-automation.yml
index e7cd02d71c..8ea7a0bbff 100644
--- a/.github/workflows/bot-project-automation.yml
+++ b/.github/workflows/bot-project-automation.yml
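Review bot: The new `Generate GitHub App token` step pulls `actions/create-github-app-token@v1` by a mutable tag while feeding it `TREZOR_BOT_PRIVATE_KEY`, the key that can mint installation tokens for the whole app, so a re-pointed or compromised tag would expose a far more powerful credential than the single fine-grained PAT it replaces. Pin the action to a full commit SHA with the version as a trailing comment, `uses: actions/create-github-app-token@<40-char sha> # v1`, and treat `actions/checkout@v4` in the same job the same way. The minted token also inherits every permission the installation has; if the action version in use supports the `permission-*` inputs, narrow it to what the sync needs, e.g. `permission-contents: write`. With no `owner`/`repositories` inputs the token is scoped to this repository only, which is fine if the sync only pushes here but will need `repositories:` if it must write to, or read a private copy of, trezor-common — the sync script itself is outside this hunk.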
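Review bot: The step-level `GITHUB_TOKEN` replaces the job-level `BOT_TOKEN` removed in the first hunk, but the `run:` script that consumes it continues past the end of this hunk, so it is not visible whether the script was switched from `$BOT_TOKEN` to `$GITHUB_TOKEN`; an unchanged `$BOT_TOKEN` would now expand to an empty string and the push would authenticate with nothing once the `extraheader` has been unset. If the script is not being touched in this change, keep the old name as an alias on the same step, `BOT_TOKEN: ${{ steps.trezor-bot-token.outputs.token }}`, so existing references keep working. If the script embeds the token in a remote URL (`https://x-access-token:<token>@github.com/...`), it is written into the workspace's `.git/config`; passing it through a credential helper or the same `http.<url>.extraheader` mechanism the checkout step uses keeps it off disk. The action revokes the token in its post step at job end, which is the main gain over the removed PAT, so no manual cleanup is needed.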
@@ -12,19 +12,31 @@ jobs:
   project-add-pull-request:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: trezor-bot-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.TREZOR_BOT_APP_ID }}
+          private-key: ${{ secrets.TREZOR_BOT_PRIVATE_KEY }}
       - name: Add new pull request to the Firmware project
         uses: actions/add-to-project@main
         if: github.event_name == 'pull_request' && github.event.action == 'opened'
         with:
           project-url: https://github.com/orgs/trezor/projects/60
-          github-token: ${{ secrets.GH_BOT_TOKEN }}
+          github-token: ${{ steps.trezor-bot-token.outputs.token }}
   project-add-issue:
     name: Add new issue to the Firmware project
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: trezor-bot-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.TREZOR_BOT_APP_ID }}
+          private-key: ${{ secrets.TREZOR_BOT_PRIVATE_KEY }}
       - uses: actions/add-to-project@main
         if: github.event_name == 'issues' && github.event.action == 'opened'
         with:
           project-url: https://github.com/orgs/trezor/projects/60
-          github-token: ${{ secrets.GH_BOT_TOKEN }}
+          github-token: ${{ steps.trezor-bot-token.outputs.token }}
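Review bot: Both new `github-token:` lines hand an App installation token — which carries every permission granted to the installation, not just project access — to `actions/add-to-project@main`, an unpinned branch, so anyone who can push to that branch runs code with that token; pin it to a commit SHA (`uses: actions/add-to-project@<40-char sha> # vN`) and do the same for `actions/create-github-app-token@v1`. Adding an issue or PR to an org project needs little more than organization projects write, so if the action version supports it, restrict the minted token with `permission-organization-projects: write` (plus whatever minimal repository permission the action needs to read the item) in both token steps. The visible `if:` conditions show these jobs run on `pull_request` and `issues` events; a `pull_request` opened from a fork runs without secrets, so the token step will fail before `add-to-project` runs — the `on:` block is outside this hunk, so confirm fork PRs are either excluded or that failure is acceptable. Minor: the first job has no `name:` while `project-add-issue` does; `name: Add new pull request to the Firmware project` would keep the check list consistent.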