Update nfl-news-scraper.yml

Author: asylumexp

.github/workflows/nfl-news-scraper.yml

@@ -14,7 +14,8 @@ jobs:
 
     permissions:
       contents: write  # Required to push changes
-      actions: write   # Required to update secrets
+      actions: write   # Required to trigger workflows
+      id-token: write  # Required to mint secrets token
 
     steps:
       - name: Checkout repository
@@ -33,50 +34,29 @@ jobs:
         working-directory: website-ts
         run: npm ci
 
-      - name: Install secret tooling
-        run: npm install --no-save --prefix /tmp/gh-secrets tweetsodium
-      
       - name: Run NFL News Scraper
         id: run-scraper
         working-directory: website-ts
         env:
           OPENAI_REFRESH_TOKEN: ${{ secrets.OPENAI_REFRESH_TOKEN }}
         run: npx tsx scripts/nfl-scraper/runAll.ts
 
-      - name: Update OPENAI_REFRESH_TOKEN secret
+      - uses: qoomon/actions--access-token@v3
         if: ${{ steps.run-scraper.outputs.openai_refresh_token != '' }}
-        uses: actions/github-script@v7
-        env:
-          NODE_PATH: /tmp/gh-secrets/node_modules
+        id: secrets-token
         with:
-          script: |
-            const sodium = require('tweetsodium')
-
-            const newToken = `${{ steps.run-scraper.outputs.openai_refresh_token }}`
-            if (!newToken) {
-              core.info('No refresh token update emitted.')
-              return
-            }
-
-            const { data: publicKey } = await github.rest.actions.getRepoPublicKey({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-            })
-
-            const messageBytes = Buffer.from(newToken)
-            const keyBytes = Buffer.from(publicKey.key, 'base64')
-            const encryptedBytes = sodium.seal(messageBytes, keyBytes)
-            const encryptedValue = Buffer.from(encryptedBytes).toString('base64')
-
-            await github.rest.actions.createOrUpdateRepoSecret({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              secret_name: 'OPENAI_REFRESH_TOKEN',
-              encrypted_value: encryptedValue,
-              key_id: publicKey.key_id,
-            })
+          permissions: |
+            secrets: write
 
-            core.info('OPENAI_REFRESH_TOKEN secret updated.')
+      - name: Update OPENAI_REFRESH_TOKEN secret
+        if: ${{ steps.run-scraper.outputs.openai_refresh_token != '' }}
+        env:
+          GITHUB_TOKEN: ${{ steps.secrets-token.outputs.token }}
+        run: >-
+          gh secret
+          set "OPENAI_REFRESH_TOKEN"
+          --body "${{ steps.run-scraper.outputs.openai_refresh_token }}"
+          --repo "${{ github.repository }}"
       
       - name: Check for changes
         id: git-check
@@ -97,3 +77,15 @@ jobs:
           git config --local user.name "NFL News Bot"
           git commit -m "🏈 Auto-update: NFL news articles $(date +'%Y-%m-%d %H:%M')"
           git push
+
+      - name: Trigger CI build
+        if: steps.git-check.outputs.changes == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'ci.yml',
+              ref: context.ref,
+            })