From 3b24b44d647aea267ff77106b9db2ecae1f738a9 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sat, 23 Mar 2024 12:46:03 +0100
Subject: [PATCH] Set up auto-update workflow for gha.sum

Create a GitHub Actions workflow that automatically updates the checksums in gha.sum for Pull Requests by Dependabot that update a GitHub Action (leveraging `branches: dependabot/github_actions/**`). This workflow utilizes a bot to be able to push the changes as well as cause the created commit to trigger CI workflows. The secret it utilizes must be configured for Dependabot (go to repository Settings > Secrets and variables > Dependabot). The bot also requires permissions to "Read and write" for the "Repository permissions" category called "Workflows". The `if: ${{ github.actor == 'dependabot[bot]' }}` condition ensures the workflow isn't (re-)run for the commit it creates. Besides avoiding a potential infinite loop, it also avoids an error due to the (Dependabot scoped) secrets not being available. This change introduces two new GitHub Actions dependencies. One is used to generate an access token from a GitHub app The other is used to simplify the creation and pushing of a commit to the Pull Request branch.
---
 .github/workflows/gha.sum | 2 ++
 .github/workflows/ghasum.yml | 38 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 .github/workflows/ghasum.yml

diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
index c4cec28..ae8f9b8 100755
--- a/.github/workflows/gha.sum
+++ b/.github/workflows/gha.sum
@@ -4,3 +4,5 @@ actions/checkout@v4.1.2 5uAXl352I8XStCYyGTbGN7KcAaq2TyH8pPYNxivPuJo=
 actions/setup-go@v5.0.0 lSvPPozeojJimtMLZ7cX1J/h8r1i30yGoTYQbst/jA4=
 github/codeql-action@v3.24.7 lzXmzNy+eVIfpHwZCI3wJmpy6U5VGiIPLmDCjet1oVs=
 ncipollo/release-action@v1.14.0 +JAIlT/RB99JgfxlDrAcAdBnaKX4y8hyFWnHc4j7tfM=
+stefanzweifel/git-auto-commit-action@v5.0.0 t2VeG9180CmZ5/cmxvkFkN6iWoWsOjlaJ2V8rp1HDqY=
+tibdex/github-app-token@v2.1.0 ZNSBo6XSE0yxs8IkHEkVtUC9MkEeXTclXpMLl6zAmCs=
diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
new file mode 100644
index 0000000..67835cf
--- /dev/null
+++ b/.github/workflows/ghasum.yml
@@ -0,0 +1,38 @@
+name: ghasum
+on:
+ push:
+ branches:
+ - dependabot/github_actions/**
+
+permissions: read-all
+
+jobs:
+ update:
+ name: Update gha.sum
+ runs-on: ubuntu-22.04
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ permissions:
+ contents: write # To push a commit
+ steps:
+ - name: Create automation token
+ uses: tibdex/github-app-token@v2.1.0
+ id: automation-token
+ with:
+ app_id: ${{ secrets.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_APP_KEY }}
+ - name: Checkout repository
+ uses: actions/checkout@v4.1.2
+ with:
+ token: ${{ steps.automation-token.outputs.token }}
+ - name: Install Go
+ uses: actions/setup-go@v5.0.0
+ with:
+ go-version-file: go.mod
+ # NOTE: skip "Verify action checksums" because they might not be up-to-date
+ - name: Update gha.sum
+ run: go run ./cmd/ghasum update -force
+ - name: Commit gha.sum
+ uses: stefanzweifel/git-auto-commit-action@v5.0.0
+ with:
+ commit_message: Update ghasum checksums
+ file_pattern: .github/workflows/gha.sum
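Review bot: The job elevates the default GITHUB_TOKEN with `contents: write # To push a commit` in the new ghasum.yml, yet the push appears to go through the app token that `actions/checkout` is given via `token:` and persists into the checkout's git config (the reason, per the description, for using the app at all), so that elevation looks unnecessary; if the app token really does the push, `contents: read` at job level, or no job-level `permissions:` block so the top-level `read-all` applies, keeps the default token least-privilege. Because checkout's `persist-credentials` input is left at its default, that app token, which the description says carries "Read and write" on Workflows, is present on disk during the `go run ./cmd/ghasum update -force` step, which is worth a comment so a later step is not added that runs third-party code with it in reach. This workflow deliberately skips the "Verify action checksums" step, so `tibdex/github-app-token@v2.1.0`, the step that receives `secrets.AUTOMATION_APP_KEY`, runs with no integrity check at all; pinning at least that one `uses:` to a commit SHA, or running the verification before the token step, would close that gap. I would also put a comment above `if: ${{ github.actor == 'dependabot[bot]' }}` stating that the loop guard relies on the app's pushes not being attributed to `dependabot[bot]`, since that assumption is only explained in the commit message.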