ci: use authenticated git url for pushing updated changelog entries

Use the authenticated git url for pushing updated changelog entries, also sets persist_credentials to false for the action/checkout@2 usage in the workflow. Additionally, because the authentication is being provided via the git url [email protected] can be used as the email once again.
angular · Sep 1, 2021 · fc327f9 · fc327f9
1 parent 9529ae9
commit fc327f9
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 14 deletions.
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - uses: ./tools/local-actions/changelog
         with:
           angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }}
diff --git a/tools/local-actions/changelog/lib/main.ts b/tools/local-actions/changelog/lib/main.ts
@@ -8,6 +8,7 @@ import {AuthenticatedGitClient} from '../../../../ng-dev/utils/git/authenticated
 import {ANGULAR_ROBOT, getAuthTokenFor} from '../../../../github-actions/utils';
 import {GithubConfig, setConfig} from '../../../../ng-dev/utils/config';
 import {ReleaseConfig} from '../../../../ng-dev/release/config/index';
+import {addTokenToGitHttpsUrl} from '../../../../ng-dev/utils/git/github-urls';
 
 /** The tag used for tracking the last time the changlog was generated. */
 const lastChangelogTag = 'most-recent-changelog-generation';
@@ -46,9 +47,11 @@ async function run(): Promise<void> {
   AuthenticatedGitClient.configure(await getAuthTokenFor(ANGULAR_ROBOT));
   /** The authenticed GitClient. */
   const git = AuthenticatedGitClient.get();
-  git.run(['config', 'user.email', '56403804+angular-robot[bot]@users.noreply.github.com']);
+  git.run(['config', 'user.email', 'angular-robot@google.com']);
   git.run(['config', 'user.name', 'Angular Robot']);
 
+  /** The url of the git repository with the authenticated token set. */
+  const authenticatedGitUrl = addTokenToGitHttpsUrl(git.getRepoGitUrl(), git.githubToken);
   /** The full path to the changelog file. */
   const changelogFile = join(git.baseDir, 'CHANGELOG.md');
   /** The full path of the changelog */
@@ -92,10 +95,10 @@ async function run(): Promise<void> {
 
   // Commit the new changelog(s) and push the changes to github.
   git.run(['commit', '--no-verify', '-m', commitMessage]);
-  git.run(['push', git.getRepoGitUrl(), `HEAD:refs/heads/${git.mainBranchName}`]);
+  git.run(['push', authenticatedGitUrl, `HEAD:refs/heads/${git.mainBranchName}`]);
   // A force push is used to update the tag git does not expect it to move and a force is neccessary
   // to update it from its old sha.
-  git.run(['push', '-f', git.getRepoGitUrl(), `HEAD:refs/tags/${lastChangelogTag}`]);
+  git.run(['push', '-f', authenticatedGitUrl, `HEAD:refs/tags/${lastChangelogTag}`]);
 }
 
 /** Write the contents to the provided file and add it to git staging. */

diff --git a/tools/local-actions/changelog/main.js b/tools/local-actions/changelog/main.js