From f3d1707f47df6ba26d5901f1bf9d38d6a537f759 Mon Sep 17 00:00:00 2001
From: Chris Mitchell
Date: Wed, 29 Oct 2025 09:35:33 +1300
Subject: [PATCH 1/4] [PETOSS-829] Use var for app_id as per docs
---
 .github/workflows/pr-validation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 9f27aebc3..9e2164fd4 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -36,7 +36,7 @@ jobs:
 id: get_access_token
 uses: actions/create-github-app-token@v2
 with:
- app-id: ${{ secrets.XERO_GITHUB_APP_ID }}
+ app-id: ${{ vars.XERO_CODEGEN_APP_ID }}
 private-key: ${{ secrets.XERO_GITHUB_APPLICATION_KEY }}
 owner: xero-internal
 repositories: xeroapi-sdk-codegen
From b42f6016ef370cdddc3db0fbf100b91307077ba8 Mon Sep 17 00:00:00 2001
From: Chris Mitchell
Date: Wed, 29 Oct 2025 09:56:27 +1300
Subject: [PATCH 2/4] [PETOSS-829] Replace access token action
---
 .github/workflows/create-github-pr.yml | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/create-github-pr.yml b/.github/workflows/create-github-pr.yml
index 44c8c8f4a..749be16ba 100644
--- a/.github/workflows/create-github-pr.yml
+++ b/.github/workflows/create-github-pr.yml
@@ -23,16 +23,12 @@ jobs:
 - name: Get github app access token
 id: get_access_token
- env:
- GITHUB_APP_ID: ${{ secrets.XERO_GITHUB_APP_ID }}
- GITHUB_APP_PRIVATE_KEY: ${{ secrets.XERO_GITHUB_APPLICATION_KEY }}
- uses: actions/github-script@v7
+ uses: actions/create-github-app-token@v2
 with:
- result-encoding: string
- script: |
- const { getAccessToken } = await import('${{ github.workspace }}/.github/get-access-token/index.js')
- const token = await getAccessToken()
- return token
+ app-id: ${{ secrets.XERO_PUBLIC_BOT_APP_ID}}
+ private-key: ${{ secrets.XERO_PUBLIC_BOT_KEY }}
+ owner: xero-internal
+ repositories: xeroapi-sdk-codegen
 - name: Fetch Latest release number
 id: get_latest_release_number
@@ -41,7 +37,7 @@ jobs:
 echo "Latest release version is - $latest_version"
 echo "releaseVersion=$latest_version" >> $GITHUB_OUTPUT
 env:
- GH_TOKEN: ${{steps.get_access_token.outputs.result}}
+ GH_TOKEN: ${{steps.get_access_token.outputs.token}}
 - name: Set up branch name
 id: identify_branch_name
@@ -121,4 +117,4 @@ jobs:
 echo "PR is already up to date"
 fi
 env:
- GH_TOKEN: ${{steps.get_access_token.outputs.result}}
+ GH_TOKEN: ${{steps.get_access_token.outputs.token}}
From e9bca8268f15c3365350a3f2e47e6d577f161501 Mon Sep 17 00:00:00 2001
From: Chris Mitchell
Date: Wed, 29 Oct 2025 11:57:26 +1300
Subject: [PATCH 3/4] [PETOSS-829] Split workflows and run codegen validation via pull_request_target This is necessary as we can't access secrets from pull_request from forks
---
 .github/workflows/pr-linting.yml | 16 ++++++++++++++++
 .github/workflows/pr-validation.yml | 18 +++---------------
 2 files changed, 19 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/pr-linting.yml
diff --git a/.github/workflows/pr-linting.yml b/.github/workflows/pr-linting.yml
new file mode 100644
index 000000000..c175b8031
--- /dev/null
+++ b/.github/workflows/pr-linting.yml
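Review bot: In create-github-pr.yml's `Get github app access token` step the new token is restricted to one repository (`owner: xero-internal`, `repositories: xeroapi-sdk-codegen`) but not in what it may do there; without `permission-*` inputs, actions/create-github-app-token returns a token with every permission the App installation holds. If the later `GH_TOKEN` steps only read releases and open a pull request, adding for example `permission-contents: read` and `permission-pull-requests: write` under `with:` would limit the damage from a leaked token; those steps lie mostly outside the hunks, so the exact set needs confirming. The app id is read from `secrets.XERO_PUBLIC_BOT_APP_ID` here, while patch 1/4 moved pr-validation.yml to `vars.` for the same input, so the two workflows now disagree on where an app id lives.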
@@ -0,0 +1,16 @@
+name: PR Linting
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+jobs:
+ linting:
+ runs-on: ubuntu-latest
+ name: MegaLinter Validation
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: MegaLinter
+ uses: oxsecurity/megalinter/flavors/documentation@v9
\ No newline at end of file
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 9e2164fd4..346559abf 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -1,23 +1,11 @@
 name: PR Validation
 on:
- pull_request:
+ pull_request_target:
 types: [opened, reopened, synchronize]
- push:
- branches:
- - master
+ branches: [master]
 jobs:
- linting:
- runs-on: ubuntu-latest
- name: MegaLinter Validation
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: MegaLinter
- uses: oxsecurity/megalinter/flavors/documentation@v9
-
 codegen-validation:
 runs-on: ubuntu-latest
 name: Codegen Repo Validation
@@ -46,7 +34,7 @@ jobs:
 env:
 GH_TOKEN: ${{ steps.get_access_token.outputs.token }}
 run: |
- BRANCH_NAME="${{ github.event_name == 'pull_request' && github.head_ref || 'master' }}"
+ BRANCH_NAME="${{ github.event.pull_request.head.sha }}"
 # Trigger the workflow and capture the response
 gh workflow run pr.yml \
From a0e5eb0141f37ddc72ec8c37df782dcd0fb61111 Mon Sep 17 00:00:00 2001
From: Chris Mitchell
Date: Wed, 29 Oct 2025 15:26:16 +1300
Subject: [PATCH 4/4] [PETOSS-829] Add oas repo argument
---
 .github/workflows/pr-validation.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 346559abf..63deb17c2 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
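Review bot: The new pr-linting.yml declares no `permissions:` key, so the `linting` job's GITHUB_TOKEN takes the repository default, and it runs the third-party action `oxsecurity/megalinter/flavors/documentation@v9` by a movable tag. A top-level `permissions:` block with `contents: read` (plus whatever MegaLinter's reporters need, if any are enabled) and a pin to a full commit SHA with the tag kept as a comment, e.g. `uses: oxsecurity/megalinter/flavors/documentation@<full-commit-sha> # v9`, would bound what a re-pointed upstream tag can do. The file also ends without a final newline.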
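Review bot: With the trigger in pr-validation.yml changed to `pull_request_target`, `codegen-validation` runs with the App private key for every fork pull request against master, and GitHub does not apply the fork-approval gate to this event. Nothing in the visible lines checks out or executes pull request content, which is what keeps this arrangement safe, so a header comment such as `# pull_request_target: runs with secrets; never check out or run PR head code in this workflow` would protect that invariant from later edits (the job's steps continue outside the hunk). If the job only uses the App token, the workflow should also set `permissions: {}` at top level, because under pull_request_target the GITHUB_TOKEN otherwise gets the repository default, which may include write access. Since the job then asks xero-internal/xeroapi-sdk-codegen to run `pr.yml` on values taken from the pull request, that workflow has to treat its inputs as untrusted and keep its own secrets away from the code it fetches; an environment with required reviewers on this job would add a human gate.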
@@ -35,12 +35,14 @@ jobs:
 GH_TOKEN: ${{ steps.get_access_token.outputs.token }}
 run: |
 BRANCH_NAME="${{ github.event.pull_request.head.sha }}"
+ OAS_REPO="${{ github.event.pull_request.head.repo.full_name }}"
 # Trigger the workflow and capture the response
 gh workflow run pr.yml \
 --repo xero-internal/xeroapi-sdk-codegen \
 --ref master \
- --field branch_name="$BRANCH_NAME"
+ --field branch_name="$BRANCH_NAME" \
+ --field oas_repo="$OAS_REPO"
 # Wait a moment for the run to be created
 sleep 5
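Review bot: `OAS_REPO` and `BRANCH_NAME` are filled by expanding `${{ github.event.pull_request.* }}` inside the text of the `run:` script, in a `pull_request_target` job that has `GH_TOKEN` in its environment. A commit SHA and a repository full name have a restricted character set, so these two values are unlikely to escape the quotes, but this is the pattern that turns into script injection once a freer field is added the same way. Passing them through the step's `env:` instead, as `PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}` and `PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}`, and using `"$PR_HEAD_SHA"` and `"$PR_HEAD_REPO"` in the two `--field` arguments keeps event data out of the shell source. `BRANCH_NAME` now carries a SHA, so the rename also makes the variable say what it holds; the `run:` block continues outside the hunk.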