From 20fb439d60e8c48194d82bd0f4af74bff80c5a07 Mon Sep 17 00:00:00 2001 From: Marco Walz Date: Tue, 5 May 2026 18:39:35 +0200 Subject: [PATCH 1/2] infra: switch update-syntax-grammars to pr-automation-bot-public GitHub App Replace GITHUB_TOKEN (with elevated permissions) with the pr-automation-bot-public app token for all authenticated operations: - Remove workflow-level contents: write + pull-requests: write permissions - Add create-github-app-token step (client-id + private-key from org vars/secrets) - Use app token for gh api, gh pr list, and gh pr create - Update git identity to pr-automation-bot-public[bot] Matches the pattern applied to sync-motoko.yml in #197.
---
.github/workflows/update-syntax-grammars.yml | 21 +++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/update-syntax-grammars.yml b/.github/workflows/update-syntax-grammars.yml
index bff7f7d8..a4c7e61c 100644
--- a/.github/workflows/update-syntax-grammars.yml
+++ b/.github/workflows/update-syntax-grammars.yml
@@ -5,20 +5,23 @@ on: - cron: "0 9 * * 1" # every Monday at 09:00 UTC workflow_dispatch: -permissions: - contents: write - pull-requests: write - jobs: update-grammars: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: Create GitHub App Token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + id: app-token + with: + client-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID }} + private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }} + - name: Fetch latest vscode-motoko release id: release env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} run: | tag=$(gh api repos/dfinity/vscode-motoko/releases/latest --jq '.tag_name') echo "tag=$tag" >> "$GITHUB_OUTPUT"
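Review bot: Deleting the workflow-level `permissions:` block instead of tightening it means the job's GITHUB_TOKEN now falls back to the repository or organization default, which may still be read/write on every scope, so the elevated token is not removed, only undeclared; since checkout is the only remaining consumer of it, pin it to least privilege with `permissions:` / `  contents: read` at the top of the workflow. The app token in turn carries every permission granted to the installation; if this version of create-github-app-token supports the `permission-<scope>` inputs, adding `permission-contents: write` and `permission-pull-requests: write` under `with:` would limit it to what the gh/git steps actually need. The release lookup against the public dfinity/vscode-motoko repository does not need a write-capable token at all, so `github.token` is the better choice for that step once permissions are declared. Finally, `tag` comes from a remote release name and is written straight to `$GITHUB_OUTPUT`, where later steps interpolate it into shell text; a guard before the echo, `[[ "$tag" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected tag: $tag" >&2; exit 1; }`, keeps a surprising tag name from reaching them.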
@@ -27,7 +30,7 @@ jobs: - name: Check if PR already exists for this release id: existing env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} run: | tag="${{ steps.release.outputs.tag }}" branch="chore/update-syntax-grammars-${tag}"
@@ -80,13 +83,13 @@ jobs: - name: Create pull request if: steps.existing.outputs.skip == 'false' && steps.diff.outputs.changed == 'true' env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} run: | tag="${{ steps.release.outputs.tag }}" branch="chore/update-syntax-grammars-${tag}" - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config user.name "pr-automation-bot-public[bot]" + git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com" git checkout -b "$branch" git add syntaxes/ git commit -m "chore: update Motoko and Candid grammars to vscode-motoko ${tag}" From c0fc775523344ae6f718c9d49505ebf51483dbea Mon Sep 17 00:00:00 2001 From: Marco Walz Date: Tue, 5 May 2026 18:45:30 +0200 Subject: [PATCH 2/2] infra: add BOT_APPROVED_FILES policy for pr-automation-bot-public Covers all files changed by the two automated workflows: - sync-motoko: .sources/motoko, .sources/VERSIONS, docs/languages/motoko/* - update-syntax-grammars: syntaxes/*.tmLanguage.json Required by the External PR Ruleset (dfinity/public-workflows check_bot_approved_files.py) which blocked the v1.7.0 Motoko sync PR (#201) with a 404 on this missing file.
---
.github/repo_policies/BOT_APPROVED_FILES | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/repo_policies/BOT_APPROVED_FILES
diff --git a/.github/repo_policies/BOT_APPROVED_FILES b/.github/repo_policies/BOT_APPROVED_FILES new file mode 100644
index 00000000..fd0c1c86
--- /dev/null
+++ b/.github/repo_policies/BOT_APPROVED_FILES
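Review bot: The step still expands `${{ steps.release.outputs.tag }}` directly inside the `run:` script, and after this change that script runs with the app token's write access, so a release tag containing shell metacharacters would be spliced into the command text before bash ever sees it; pass the value through the environment instead, adding `TAG: ${{ steps.release.outputs.tag }}` under the existing `env:` and reading it as `tag="$TAG"` in the script. The tag originates from dfinity/vscode-motoko, so exposure is presumably limited to that repository's release authors, but the env-var form costs nothing and removes the expression from the shell entirely. The `run:` block continues past the end of the hunk, so the later `gh pr list` call was not reviewed.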
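Review bot: The new committer email `pr-automation-bot-public[bot]@users.noreply.github.com` drops the numeric user-id prefix that the replaced `41898282+github-actions[bot]@users.noreply.github.com` address carried; GitHub attributes a commit to an account only when the noreply address matches exactly, so unless the app's bot user happens to be registered under the un-prefixed form, these commits will appear unlinked rather than as the bot. If attribution matters, look up the bot user's numeric id through the users API and use `<id>+pr-automation-bot-public[bot]@users.noreply.github.com`. The same `tag="${{ steps.release.outputs.tag }}"` inline expansion as in the earlier step applies here and now also feeds `git checkout -b` and `git commit -m`, so moving it into `env:` is worth doing in both places. Commits produced with `git commit` here are also unsigned — as far as I know GitHub only shows app commits as verified when they are created through the API — so check this against any signed-commit requirement in the ruleset; the push and `gh pr create` lie past the hunk and were not reviewed.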
@@ -0,0 +1,10 @@
+# Files the pr-automation-bot-public bot is allowed to change via automated PRs.
+
+# sync-motoko: bumps the Motoko submodule and syncs generated docs
+.sources/motoko
+.sources/VERSIONS
+docs/languages/motoko/*
+
+# update-syntax-grammars: updates TextMate grammars from vscode-motoko releases
+syntaxes/motoko.tmLanguage.json
+syntaxes/candid.tmLanguage.json
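Review bot: `docs/languages/motoko/*` only does what the comment promises if the matcher in check_bot_approved_files.py treats `*` as recursive; with fnmatch- or pathlib-glob semantics a single `*` spans one path segment, so a synced file in a subdirectory such as `docs/languages/motoko/base/foo.md` would be rejected exactly as #201 was — confirm the checker's semantics and, if needed, list `docs/languages/motoko/**` (or both forms). It is right that nothing under `.github/` is listed: if `.github/workflows/*` or this policy file itself were ever added, a compromised bot token could widen its own allowance, so that property is worth a comment in the file, e.g. `# Never list .github/ here: the bot must not be able to change workflows or this policy.` The two tmLanguage entries are exact paths, which is tighter than a `syntaxes/*` glob; keep that style if further grammars are added.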