Restructure GitHub workflows to use GitHub App tokens

.github/workflows/build-citus-community-nightlies.yml

@@ -6,7 +6,6 @@ env:
   PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }}
   PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }}
   PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }}
   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
 on:
@@ -37,8 +36,25 @@ jobs:
           - ubuntu/noble
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -48,7 +64,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone tools branch
-        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
+        run: git clone -b brk-test --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Clone build branch
         run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging

scripts/determine_email

@@ -1,29 +1,37 @@
 #!/bin/bash
-
-# make bash behave
 set -uo pipefail
 IFS=$'\n\t'
 
-# constants
-success=0
-failure=1
-
-# fallback to public email
-email=$(curl -sf https://api.github.com/user | jq -r '.email // empty')
+success=0; failure=1
+email=""
 
-# first try to find Microsoft email, if fails, then it must be the
-# case that bots@citusdata.com is building nightly packages for us
-jqfilter='map(select(.verified and (.email | test("@microsoft.com$|^bots@citusdata.com$")))) | first | .email // empty'
-citusemail=$(curl -sf https://api.github.com/user/emails | jq -r "${jqfilter}")
-
-if [ -n "${citusemail}" ]; then
-    email="${citusemail}"
+# Primary: Build noreply address from workflow context (always available, no API call)
+if [ -n "${GITHUB_ACTOR_ID:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then
+    email="${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+elif [ -n "${GITHUB_ACTOR:-}" ]; then
+    # Fallback if no ACTOR_ID: use actor login alone
+    email="${GITHUB_ACTOR}@users.noreply.github.com"
 fi
 
-if [ -z "${email}" ]; then
-    echo "$0: could not determine email" >&2
-    exit $failure
+# Last resort: Try API if workflow context missing (shouldn't happen)
+if [ -z "${email}" ] && [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then
+    user_json=$(curl -sf \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        "https://api.github.com/users/${GITHUB_ACTOR}")
+
+    if [ -n "${user_json}" ]; then
+        # Try public profile email first
+        email=$(echo "${user_json}" | jq -r '.email // empty')
+        # If no public email, build noreply from API response
+        if [ -z "${email}" ]; then
+            actor_id=$(echo "${user_json}" | jq -r '.id // empty')
+            if [ -n "${actor_id}" ]; then
+                email="${actor_id}+${GITHUB_ACTOR}@users.noreply.github.com"
+            fi
+        fi
+    fi
 fi
 
+[ -z "${email}" ] && { echo "$0: could not determine email" >&2; exit $failure; }
 echo "${email}"
-exit $success
+exit $success

scripts/determine_name

@@ -1,19 +1,24 @@
 #!/bin/bash
-
-# make bash behave
 set -euo pipefail
 IFS=$'\n\t'
 
-# constants
-success=0
-failure=1
+success=0; failure=1
+fullname=""
 
-fullname=$(curl -sf https://api.github.com/user | jq -r '.name // empty')
+# Primary: Use GITHUB_ACTOR directly (always available in GitHub Actions)
+if [ -n "${GITHUB_ACTOR:-}" ]; then
+    fullname="${GITHUB_ACTOR}"
+fi
 
-if [ -z "${fullname}" ]; then
-    echo "$0: could not determine user name" >&2
-    exit $failure
+# Fallback: Try API if GITHUB_ACTOR somehow unavailable (edge case)
+if [ -z "${fullname}" ] && [ -n "${GITHUB_TOKEN:-}" ]; then
+    # This shouldn't happen in normal Actions, but keep for safety
+    actor="${GITHUB_ACTOR:-unknown}"
+    fullname=$(curl -sf \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        "https://api.github.com/users/${actor}" | jq -r '.name // empty') || true
 fi
 
+[ -z "${fullname}" ] && { echo "$0: could not determine user name" >&2; exit $failure; }
 echo "${fullname}"
-exit $success
+exit $success