fix: use GitHub App token for triggering

[toobuntu]

This note was added to the docs for the softprops/action-gh-release action two weeks ago, apparently after I had already worked on that part three weeks ago:

Note that if you intend to run workflows on the release event (on: { release: { types: [published] } }), you need to use a personal access token for this action, as the actions/create-release#71.

Please delete the release and re-run the release-manual-trigger workflow after merging this to see if this fixes the problem.

[toobuntu]

published is what we want. created includes draft releases; published does not.

[PikachuEXE]

Yes it does auto run now
https://github.com/PikachuEXE/homebrew-FreeTube/actions/workflows/update-tap.yml

But

Unable to resolve action `eugenesvk/[email protected]`, unable to find version `v3.8.4`

Maybe there should be prefix v: https://github.com/eugenesvk/action-homebrew-bump-cask/releases/tag/3.8.4

[PikachuEXE]

No idea why the new trigger run use the older version of the workflow file (-_-)
I manually started a new one
https://github.com/PikachuEXE/homebrew-FreeTube/actions/runs/8413909444/job/23036824328

But token expired/invalid?

GitHub API Error: Resource not accessible by integration (GitHub::API::AuthenticationFailedError)
HOMEBREW_GITHUB_API_TOKEN may be invalid or expired

[toobuntu]

The permissions are wrong. It also needs workflow scope. If I recall correctly, your GitHub App has that already, so just add workflows:write to the list.

[PikachuEXE]

Updated, started, failed with same message, confirmed workflow file used is updated one
https://github.com/PikachuEXE/homebrew-FreeTube/actions/runs/8414001932/workflow

[toobuntu]

Hm. Well here's what the action README says:

token : ${{secrets.TOKEN}} # Required, custom GitHub access token with the 'public_repo' and 'workflow' scopes

So it's a matter of translating classic PAT to the fine-grained permissions of the GitHub App. Could try deleting the permissions line entirely, and letting the token have every permission the App is currently able to give. Apparently, this has frustrated others before: dawidd6/action-homebrew-bump-formula#52. If that doesn't work, then the App needs more permissions.

Strange as it might seem, I have seen examples where using double quotes around a GitHub context reference causes problems. So, try ${{ steps.get_workflow_token.outputs.token }} instead of "${{ steps.get_workflow_token.outputs.token }}".

---

Ah, now I see Homebrew also provides an action for this: Homebrew/actions/bump-packages@master. It also wants a classic PAT with public_repo and workflow scopes, though. I'm not sure if it works with third-party taps, but the command it uses would be akin to:

HOMEBREW_DEVELOPER: "1" HOMEBREW_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }} brew bump --open-pr --tap pikachuexe/freetube --casks pikachuexe-freetube

[PikachuEXE]

https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user

At least for /user it might requires PAT or OAuth App token
Let me study the new action i.e.g brew bump & HOMEBREW_GITHUB_API_TOKEN and see what can be used

Update 1: Found https://github.com/orgs/Homebrew/discussions/5129

[toobuntu]

Great, no answers given though. Something else I noticed is the tap reference is wrong. I think it should be pikachuexe/freetube. I thought I wouldn't be able to get to this for a couple of weeks, but tried to do something at night when tired. Sorry it hasn't gone smoothly.

As far as using Homebrew's action. I would guess it could work using the fully qualified name for the cask: pikachuexe/freetube/pikachuexe-freetube. Could always try it on the CLI to see what happens before adding to GitHub Actions.

[toobuntu]

I mean, the other thing that could be done is "manually" updating the cask definition in the build workflow. We have the DMG and can use CLI to get its sha256. We have the package_version and can leverage that to update its version. Then just use Git to commit those changes to the file directly without using the bump-cask-pr infrastructure to fork and create a PR. Maybe that is a more straightforward approach after all in this case.

[PikachuEXE]

Don't be sorry. There is no way I can make this far so quickly without your help

But I find https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
I haven't try yet (I will try on a branch tomorrow if you haven't yet

[PikachuEXE]

If you can make it work it's also great
But I will try the token path first coz that's a game for me :P

[toobuntu]

Thanks. We're already doing that in the get-workflow-token step, aren't we?

Somewhere I saw maybe it needs administration:write permission, but I can't understand why that should matter here.

By the way, the permissions are here under "Properties of permissions":
https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app

There's an email_addresses: read, but not everything in https://github.com/eugenesvk/action-homebrew-bump-cask/blob/master/main.rb#L69-L82.

But it seems to only actually use user_name and user_email in https://github.com/eugenesvk/action-homebrew-bump-cask/blob/master/main.rb#L84-L87.

[PikachuEXE]

Trying direct update/PR route
But I keep getting a39137be24cd64908cb0e5c08bcf37359c43ba9571aa7ab2e6b0e3e44dc55ad5 in workflows (even with different actions)
But I got d70dd08e8eedf66073ce81fb4769ff2331f85b9d68b28caead27976d3240f4a9 locally

GitHub Actions tried:

• https://github.com/Solratic/checksum-action
• https://github.com/jmgilman/actions-generate-checksum

Local commands tried:

• shasum -a 256 ~/Downloads/freetube-0.19.2-mac-arm64.dmg
• openssl dgst -sha256 ~/Downloads/freetube-0.19.2-mac-arm64.dmg
  No idea which one is correct a.t.m.

Update 1: My local file is downloaded earlier and got different hash
Redownload and got same hash as the value from workflow