From 07bbe834980a4bc384831b697361df5061c86fec Mon Sep 17 00:00:00 2001
From: nh758 <7259@pm.me>
Date: Tue, 3 Jun 2025 09:59:19 +0700
Subject: [PATCH 1/3] switch to use GH App auth instead of using a PAT

---
 .github/workflows/dispatch-web-update.yml | 28 ------------------
 .github/workflows/e2e-test.yml            | 36 +++++++++++++++--------
 .github/workflows/merging-rules.yml       |  4 ++-
 .github/workflows/pr-merge-release.yml    | 15 ++++++----
 4 files changed, 36 insertions(+), 47 deletions(-)
 delete mode 100644 .github/workflows/dispatch-web-update.yml

diff --git a/.github/workflows/dispatch-web-update.yml b/.github/workflows/dispatch-web-update.yml
deleted file mode 100644
index 97367e49..00000000
--- a/.github/workflows/dispatch-web-update.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Dipsatch Web Service Update
-on:
-   workflow_call:
-    inputs:
-      type:
-        type: string
-        required: true
-      version:
-        type: string
-        required: true
-      repo:
-        type: string
-        required: true
-    secrets:
-      TOKEN: 
-        required: true
-jobs:
-  dispatch-web-update:
-    name: Dipsatch Web Service Update
-    runs-on: ubuntu-latest
-    steps:
-      - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ secrets.TOKEN }}
-          repository: digi-serve/ab_service_web
-          event-type: web_new_version
-          client-payload: '{"type": "${{ inputs.type }}", "version": "${{ inputs.version }}", "repo": "${{ inputs.repo }}"}'
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 33cc1261..56d5d970 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -5,8 +5,13 @@ on:
          ref:
             type: string
             default: ${{ github.ref }}
+         app_id:
+            description: GitHub App ID for Auth (or client ID)
+            type: string
+            required: true
       secrets:
-         TOKEN:
+         app_secret:
+            description: GitHub App client secret for Auth
             required: true
    
 jobs:
@@ -25,16 +30,23 @@ jobs:
                - branch: master
                  webpack: update
       steps:
-         - uses: actions/checkout@v3
+         - uses: actions/checkout@v4
            with:
               path: plugins/plugin_ABDesigner
               ref: ${{ inputs.ref }}
+         - name: Generate a token
+           id: generate-token
+           uses: actions/create-github-app-token@v2
+           with:
+              app-id: ${{ inputs.app_id }}
+              private-key: ${{ secrets.app_secret }}
+              repositories: ab_service_web
 
-         - uses: actions/checkout@v3
+         - uses: actions/checkout@v4
            with:
               path: web
               repository: digi-serve/ab_service_web
-              token: ${{ secrets.TOKEN }}
+              token: ${{ steps.generate-token.outputs.token }}
               ref: ${{ matrix.branch }}
 
          - run: npm i
@@ -52,7 +64,7 @@ jobs:
               repository: digi-serve/ab_service_web
               
          - name: Check out kitchen-sink tests
-           uses: actions/checkout@v2
+           uses: actions/checkout@v4
            with:
               repository: digi-serve/kitchensink_app
               path: ab/test/e2e/cypress/e2e/kitchensink_app
@@ -63,13 +75,13 @@ jobs:
            run: pm2 start ./logs.js -- --toFile logs/ABServices.log
            working-directory: ./ab
 
-         - name: Wait for AB
-           # Skipping the wait step. Cypress has a bit of wait time built in.
-           if: false
-           uses: ifaxity/wait-on-action@v1.1.0
-           with:
-              resource: http://localhost:8080
-              timeout: 300000
+         # Skipping the wait step. Cypress has a bit of wait time built in.
+         # - name: Wait for AB
+           # if: false
+           # uses: ifaxity/wait-on-action@v1.1.0
+           # with:
+              # resource: http://localhost:8080
+              # timeout: 300000
 
          - name: Run Cypress Tests
            run: npm run test:e2e:ab-designer -- --browser chrome
diff --git a/.github/workflows/merging-rules.yml b/.github/workflows/merging-rules.yml
index 1559c10a..cd129446 100644
--- a/.github/workflows/merging-rules.yml
+++ b/.github/workflows/merging-rules.yml
@@ -7,5 +7,7 @@ on:
 jobs:
    e2e-tests:
       uses: ./.github/workflows/e2e-test.yml
+      with:
+         app_id: ${{ vars.GS_DEV_APP_ID }}
       secrets:
-         TOKEN: ${{ secrets.PAT }}
+         TOKEN: ${{ secrets.GD_DEV_APP_PK }}
diff --git a/.github/workflows/pr-merge-release.yml b/.github/workflows/pr-merge-release.yml
index b8fa7b56..c4db5593 100644
--- a/.github/workflows/pr-merge-release.yml
+++ b/.github/workflows/pr-merge-release.yml
@@ -17,8 +17,10 @@ jobs:
     # Only run if the PR closed by merging and we have a label
     if: ${{ needs.call-get-label.outputs.valid == 'true' }}
     uses: ./.github/workflows/e2e-test.yml
+    with:
+      app_id: ${{ vars.GS_DEV_APP_ID }}
     secrets:
-      TOKEN: ${{ secrets.PAT }}
+      TOKEN: ${{ secrets.GD_DEV_APP_PK }}
   call-bump-version:
     name: Version
     # Only run if tests pass 
@@ -33,13 +35,14 @@ jobs:
     needs: [call-bump-version]
     with:
       tag: v${{ needs.call-bump-version.outputs.new_version }}
-  dispatch-web-update:
-    name: Dipsatch Web Service Update
+  call-dispatch-web-update:
     needs: [ call-bump-version, call-get-label ]
-    uses: ./.github/workflows/dispatch-web-update.yml
+    uses: digi-serve/.github/.github/workflows/dispatch-web-update.yml@master
     with:
+      dispatch_repos: '["ab_service_web"]'
+      dispatch_type: web_new_version
       type: ${{ needs.call-get-label.outputs.label }}
       version: ${{ needs.call-bump-version.outputs.new_version }}
-      repo: plugin_ABDesigner
+      app_id: ${{ vars.GS_DEV_APP_ID }}
     secrets:
-      TOKEN: ${{ secrets.PAT }}
+      app_secret: ${{ secrets.GS_DEV_APP_PK }}

From e2d74bb7f7d7dcdc746354b3a447282ab1113436 Mon Sep 17 00:00:00 2001
From: nh758 <7259@pm.me>
Date: Tue, 3 Jun 2025 10:06:15 +0700
Subject: [PATCH 2/3] fix secret name

---
 .github/workflows/merging-rules.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/merging-rules.yml b/.github/workflows/merging-rules.yml
index cd129446..027917bb 100644
--- a/.github/workflows/merging-rules.yml
+++ b/.github/workflows/merging-rules.yml
@@ -10,4 +10,4 @@ jobs:
       with:
          app_id: ${{ vars.GS_DEV_APP_ID }}
       secrets:
-         TOKEN: ${{ secrets.GD_DEV_APP_PK }}
+         app_secret: ${{ secrets.GS_DEV_APP_PK }}

From 09f4a60b4b95c6bc78dbdab23c26f9a980413402 Mon Sep 17 00:00:00 2001
From: Nate <10155226+nh758@users.noreply.github.com>
Date: Tue, 3 Jun 2025 16:32:49 +0700
Subject: [PATCH 3/3] fix name of called workflow

---
 .github/workflows/pr-merge-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-merge-release.yml b/.github/workflows/pr-merge-release.yml
index c4db5593..b5a5ec9d 100644
--- a/.github/workflows/pr-merge-release.yml
+++ b/.github/workflows/pr-merge-release.yml
@@ -37,7 +37,7 @@ jobs:
       tag: v${{ needs.call-bump-version.outputs.new_version }}
   call-dispatch-web-update:
     needs: [ call-bump-version, call-get-label ]
-    uses: digi-serve/.github/.github/workflows/dispatch-web-update.yml@master
+    uses: digi-serve/.github/.github/workflows/dispatch-update.yml@master
     with:
       dispatch_repos: '["ab_service_web"]'
       dispatch_type: web_new_version