Use workflow-pr-fixer app for Token Auth on fixup commits

steve-the-edwards · steve-the-edwards · commit 27aaf1414d54 · 2025-06-18T09:53:43.000-04:00
diff --git a/.github/actions/gradle-task-with-commit/action.yml b/.github/actions/gradle-task-with-commit/action.yml
@@ -39,13 +39,24 @@ runs:
           echo "can_push=true" >> $GITHUB_OUTPUT
         fi
 
+    # We use the workflow-pr-fixer app to authenticate and get a token that will cause the workflow
+    # to be triggered again.
+    - name: Generate App Token
+      uses: actions/create-github-app-token@v2
+      id: app-token
+      with:
+        app-id: ${{ vars.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     # ensure that we have the actual branch checked out.  By default, actions/checkout is headless.
-    - name: check out with PAT
+    - name: check out with the generated app token
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       if: steps.can-push.outputs.can_push == 'true'
       with:
         ref: ${{ github.head_ref }}
         fetch-depth: 0
+        token: ${{ steps.app-token.outputs.token }}
+        persist-credentials: false
 
     - name: Run ${{ inputs.fix-task }}
       if: steps.can-push.outputs.can_push == 'true'
@@ -70,7 +81,7 @@ runs:
 
     - name: commit ${{ inputs.fix-task }} changes
       if: steps.can-push.outputs.can_push == 'true'
-      uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
+      uses: stefanzweifel/git-auto-commit-action@v6
       with:
         commit_message: ${{ steps.set-commit-message.outputs.commit-message }}
         commit_options: '--no-verify --signoff'
