From 86cf290c3152300e6955f16b56322607627da6e8 Mon Sep 17 00:00:00 2001 From: Meier Lukas Date: Sat, 13 Sep 2025 17:15:33 +0200 Subject: [PATCH] refactor(ci): migrate tibdex/github-app-token to actions/create-github-app-token (#4072) --- .github/workflows/automatic-approval.yml | 10 +++++++--- .../workflows/crowdin-schedule-download.yml | 11 +++++++--- .github/workflows/deployment-docker-image.yml | 8 +++++--- .../workflows/deployment-weekly-release.yml | 15 ++++++++------ .github/workflows/on-release.yml | 20 +++++++++++-------- .github/workflows/update-contributors.yml | 11 +++++----- .github/workflows/update-integration-list.yml | 12 ++++++----- 7 files changed, 53 insertions(+), 34 deletions(-) diff --git a/.github/workflows/automatic-approval.yml b/.github/workflows/automatic-approval.yml index 72e6aaea2..7a38b6e02 100644 --- a/.github/workflows/automatic-approval.yml +++ b/.github/workflows/automatic-approval.yml @@ -3,6 +3,8 @@ on: pull_request: types: [opened, synchronize] +permissions: {} + jobs: approve-automatic-prs: runs-on: ubuntu-latest @@ -12,10 +14,12 @@ jobs: uses: actions/checkout@v5 - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.RENOVATE_APPROVE_PRIVATE_KEY }} - app_id: ${{ secrets.RENOVATE_APPROVE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APPROVE_PRIVATE_KEY }} + app-id: ${{ secrets.RENOVATE_APPROVE_APP_ID }} + permission-pull-requests: write # required to approve pull request + - name: Install GitHub CLI run: sudo apt-get install -y gh - name: Approve automatic PRs diff --git a/.github/workflows/crowdin-schedule-download.yml b/.github/workflows/crowdin-schedule-download.yml index f5814f120..c2f12042a 100644 --- a/.github/workflows/crowdin-schedule-download.yml +++ b/.github/workflows/crowdin-schedule-download.yml 
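Review bot: The new `uses: actions/create-github-app-token@v2` line in the obtainToken step references the action by a mutable major tag, although this is the step that receives the app's private key (`secrets.RENOVATE_APPROVE_PRIVATE_KEY`), the highest-value secret in the workflow. Pinning to the full commit SHA of the v2 release, with the version kept in a trailing comment, removes the risk of a moved tag pulling different code into the step that holds the key; the same applies to every token step this commit migrates (crowdin-schedule-download.yml, deployment-docker-image.yml, deployment-weekly-release.yml, on-release.yml, update-contributors.yml, update-integration-list.yml). The surrounding file already references `actions/checkout@v5` by tag, so this is a file-wide hardening rather than a defect introduced here. I would write it as `uses: actions/create-github-app-token@<full-commit-sha> # v2`, with the placeholder replaced by the published SHA for the v2 release.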
@@ -5,6 +5,9 @@ on: schedule: - cron: "0 0 * * *" # every day at midnight +permissions: + contents: read # required for code checkout + jobs: download-crowdin-translations: runs-on: ubuntu-latest @@ -15,10 +18,12 @@ jobs: - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.CROWDIN_APP_PRIVATE_KEY }} - app_id: ${{ secrets.CROWDIN_APP_ID }} + private-key: ${{ secrets.CROWDIN_APP_PRIVATE_KEY }} + app-id: ${{ secrets.CROWDIN_APP_ID }} + permission-contents: write # required to commit to crowdin branch + permission-pull-requests: write # required to create pull request - name: Download Crowdin translations id: crowdin-download diff --git a/.github/workflows/deployment-docker-image.yml b/.github/workflows/deployment-docker-image.yml index c9f9bf33f..1223b4db1 100644 --- a/.github/workflows/deployment-docker-image.yml +++ b/.github/workflows/deployment-docker-image.yml @@ -49,10 +49,12 @@ jobs: - name: Obtain token if: env.SKIP_RELEASE == 'false' id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} - app_id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + private-key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} + app-id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + permission-contents: write # required to commit package.json & changelog changes, merge them to dev and publish the release + - uses: actions/checkout@v5 if: env.SKIP_RELEASE == 'false' with: diff --git a/.github/workflows/deployment-weekly-release.yml b/.github/workflows/deployment-weekly-release.yml index a0fdcc723..e96cf4eec 100644 --- a/.github/workflows/deployment-weekly-release.yml +++ b/.github/workflows/deployment-weekly-release.yml 
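Review bot: No top-level `permissions:` block is visible in the deployment-docker-image.yml hunk, unlike automatic-approval.yml and crowdin-schedule-download.yml in this same commit, so whether this workflow's built-in `GITHUB_TOKEN` is restricted cannot be confirmed from the diff. If the file declares no such block elsewhere, the job runs with the repository's default token scope alongside the app token; adding `permissions:` followed by `  contents: read` at workflow level, as crowdin-schedule-download.yml does, limits the built-in token to what the `actions/checkout@v5` step needs. The same check applies to deployment-weekly-release.yml, on-release.yml and update-integration-list.yml, whose hunks likewise show no top-level block. The enclosing job starts before and continues after this hunk.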
@@ -49,10 +49,11 @@ jobs: args: "Created a release PR ${{ steps.create-pull-request.outputs.url }} for version ${{ steps.semver.outputs.next }} (new behaviour: ${{ steps.semver.outputs.bump }})" - name: Obtain token id: obtainApprovalToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.RENOVATE_APPROVE_PRIVATE_KEY }} - app_id: ${{ secrets.RENOVATE_APPROVE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APPROVE_PRIVATE_KEY }} + app-id: ${{ secrets.RENOVATE_APPROVE_APP_ID }} + permission-pull-requests: write - name: Approve PR env: GITHUB_TOKEN: ${{ steps.obtainApprovalToken.outputs.token }} @@ -60,10 +61,12 @@ jobs: gh pr review --approve --body "Automatically approved by GitHub Action" - name: Obtain token id: obtainMergeToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} - app_id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + private-key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} + app-id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + permission-contents: write # write to main branch (due to merge) + permission-pull-requests: write # merge pull request - id: automerge if: ${{ steps.semver.outputs.bump != 'major' }} name: automerge diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml index 83357cafe..9b95aae28 100644 --- a/.github/workflows/on-release.yml +++ b/.github/workflows/on-release.yml 
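Review bot: In the first hunk (obtainApprovalToken) the added `permission-pull-requests: write` is the only restricted-permission input in this commit without a trailing reason comment, while the obtainMergeToken hunk below and every other migrated file document each scope. A short comment keeps the two steps in this file consistent and tells the next reader why the approval app needs write rather than read, e.g. `permission-pull-requests: write # required to approve the release PR`. The Approve PR step that consumes the token continues outside the hunk.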
@@ -11,12 +11,14 @@ jobs: steps: - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.HOMARR_DOCS_RELEASE_APP_PRIVATE_KEY }} - app_id: ${{ vars.HOMARR_DOCS_RELEASE_APP_ID }} - installation_retrieval_mode: repository - installation_retrieval_payload: homarr-labs/documentation + private-key: ${{ secrets.HOMARR_DOCS_RELEASE_APP_PRIVATE_KEY }} + app-id: ${{ vars.HOMARR_DOCS_RELEASE_APP_ID }} + owner: homarr-labs + repositories: | + documentation + permission-contents: write # required to dispatch repository workflow - name: Trigger documentation release env: GITHUB_TOKEN: ${{ steps.obtainToken.outputs.token }} @@ -40,10 +42,12 @@ jobs: steps: - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} - app_id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + private-key: ${{ secrets.RENOVATE_MERGE_PRIVATE_KEY }} + app-id: ${{ secrets.RENOVATE_MERGE_APP_ID }} + permission-contents: write # required to commit to branch + permission-pull-requests: write # required to create pr & enable automerge - name: Checkout code uses: actions/checkout@v5 with: diff --git a/.github/workflows/update-contributors.yml b/.github/workflows/update-contributors.yml index 36c3e0de1..c8cb1efde 100644 --- a/.github/workflows/update-contributors.yml +++ b/.github/workflows/update-contributors.yml @@ -9,9 +9,6 @@ env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CROWDIN_TOKEN: "${{ secrets.CROWDIN_UPDATE_CONTRIBUTORS_TOKEN }}" -permissions: - contents: write - jobs: update-contributors: runs-on: ubuntu-latest 
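Review bot: In the first on-release.yml hunk, `permission-contents: write # required to dispatch repository workflow` narrows the cross-repository token to the contents scope, but whether that is the right scope depends on how the "Trigger documentation release" step, whose `run:` body lies outside the hunk, performs the dispatch. A `repository_dispatch` event is gated on contents write, whereas a `workflow_dispatch` run (for example via `gh workflow run`) is gated on the actions scope, in which case the step would need `permission-actions: write` instead. With the previous action the token inherited every installation permission, so this restriction is the first point at which a mismatch would surface; a manual run against the documentation repository before merging would confirm it. Separately, the `repositories: |` block scalar can be the plain `repositories: documentation` since only one repository is listed.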
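Review bot: Removing the workflow-level `permissions:` / `contents: write` block in update-contributors.yml does not necessarily narrow the built-in token: with no block, `GITHUB_TOKEN` falls back to the repository's default, which on repositories still configured for read/write is broader than the explicit block was (an explicit `contents: write` implicitly set every other scope to none). Since the `env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"` line above the hunk still exposes the built-in token to every step, replace the block with the least-privilege form the crowdin workflow uses, `permissions:` followed by `  contents: read`, rather than deleting it outright. This also brings the file in line with the `permissions: {}` and `contents: read` pattern the same commit introduces elsewhere.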
@@ -21,10 +18,12 @@ jobs: steps: - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.HOMARR_UPDATE_CONTRIBUTORS_PRIVATE_KEY }} - app_id: ${{ vars.HOMARR_UPDATE_CONTRIBUTORS_APP_ID }} + private-key: ${{ secrets.HOMARR_UPDATE_CONTRIBUTORS_PRIVATE_KEY }} + app-id: ${{ vars.HOMARR_UPDATE_CONTRIBUTORS_APP_ID }} + permission-contents: write # required to commit to branch + permission-pull-requests: write # required to create pr & enable automerge - name: Checkout repository uses: actions/checkout@v5 diff --git a/.github/workflows/update-integration-list.yml b/.github/workflows/update-integration-list.yml index dc90ce5c3..ff7ad9ae8 100644 --- a/.github/workflows/update-integration-list.yml +++ b/.github/workflows/update-integration-list.yml @@ -1,7 +1,7 @@ name: Update integration list on: - workflow_dispatch: { } + workflow_dispatch: {} push: paths: - packages/definitions/src/integration.ts @@ -20,10 +20,12 @@ jobs: steps: - name: Obtain token id: obtainToken - uses: tibdex/github-app-token@v2 + uses: actions/create-github-app-token@v2 with: - private_key: ${{ secrets.HOMARR_UPDATE_CONTRIBUTORS_PRIVATE_KEY }} - app_id: ${{ vars.HOMARR_UPDATE_CONTRIBUTORS_APP_ID }} + private-key: ${{ secrets.HOMARR_UPDATE_CONTRIBUTORS_PRIVATE_KEY }} + app-id: ${{ vars.HOMARR_UPDATE_CONTRIBUTORS_APP_ID }} + permission-contents: write # required to commit to branch + permission-pull-requests: write # required to create pr & enable automerge - name: Checkout code uses: actions/checkout@v5 env: @@ -59,4 +61,4 @@ jobs: env: GITHUB_TOKEN: ${{ steps.obtainToken.outputs.token }} run: | - gh pr merge ${{steps.create-pull-request.outputs.pull-request-number}} --auto --squash \ No newline at end of file + gh pr merge ${{steps.create-pull-request.outputs.pull-request-number}} --auto --squash