chore: onboard shared workflows (#67)

Co-authored-by: Eric Black <eblack@salesforce.com>

Author: michaelmalave

.github/PULL_REQUEST_TEMPLATE.md

@@ -23,16 +23,11 @@ Learn more about [Conventional Commits](https://www.conventionalcommits.org/).
 
 ### Patch Updates (patch semver update)
 - [ ] **fix**: Bug fix
-- [ ] **perf**: Performance improvement
 - [ ] **deps**: Dependency upgrade
 - [ ] **revert**: Revert a previous commit
-- [ ] **docs**: Documentation change
-- [ ] **style**: Styling update
 - [ ] **chore**: Change that does not affect production code
 - [ ] **refactor**: Refactoring existing code without changing behavior
-- [ ] **tests**: Add/update/remove tests
-- [ ] **build**: Change to the build system
-- [ ] **ci**: Continuous integration workflow update
+- [ ] **test**: Add/update/remove tests
 
 ## Testing
 **Notes**: 

.github/dependabot.yml

@@ -9,7 +9,7 @@ updates:
       day: "sunday"
       timezone: "America/Los_Angeles"
   commit-message:
-      prefix: "chore"
+      prefix: "deps"
 - package-ecosystem: "npm"
   directory: "/"
   open-pull-requests-limit: 5
@@ -23,11 +23,11 @@ updates:
       prefix-development: "chore"
       include: "scope"
   groups:
-    dev-deps:
-      dependency-type: "development"
-    patch-dependencies:
-      update-types:
-        - "patch"
+      dev-patch-minor-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+          - "minor"
   ignore:
     - dependency-name: "@oclif/core"
       update-types: ["version-update:semver-major"]

.github/release-configs/release-please-config.beta.json

@@ -7,49 +7,6 @@
       "extra-files": ["README.md"],
       "bump-minor-pre-major": true,
       "bump-patch-for-minor-pre-major": true,
-      "changelog-sections": [
-        {
-          "type": "feat",
-          "section": "Features"
-        },
-        {
-          "type": "fix",
-          "section": "Bug Fixes"
-        },
-        {
-          "type": "perf",
-          "section": "Performance Improvements"
-        },
-        {
-          "type": "refactor",
-          "section": "Code Refactoring"
-        },
-        {
-          "type": "docs",
-          "section": "Documentation",
-          "hidden": false
-        },
-        {
-          "type": "test",
-          "section": "Tests",
-          "hidden": false
-        },
-        {
-          "type": "build",
-          "section": "Build System",
-          "hidden": false
-        },
-        {
-          "type": "ci",
-          "section": "Continuous Integration",
-          "hidden": false
-        },
-        {
-          "type": "chore",
-          "section": "Miscellaneous Chores",
-          "hidden": false
-        }
-      ],
       "prerelease": true,
       "prerelease-type": "beta"
     }

.github/release-configs/release-please-config.json

@@ -6,50 +6,7 @@
       "changelog-path": "CHANGELOG.md",
       "extra-files": ["README.md"],
       "bump-minor-pre-major": true,
-      "bump-patch-for-minor-pre-major": true,
-      "changelog-sections": [
-        {
-          "type": "feat",
-          "section": "Features"
-        },
-        {
-          "type": "fix",
-          "section": "Bug Fixes"
-        },
-        {
-          "type": "perf",
-          "section": "Performance Improvements"
-        },
-        {
-          "type": "refactor",
-          "section": "Code Refactoring"
-        },
-        {
-          "type": "docs",
-          "section": "Documentation",
-          "hidden": false
-        },
-        {
-          "type": "test",
-          "section": "Tests",
-          "hidden": false
-        },
-        {
-          "type": "build",
-          "section": "Build System",
-          "hidden": false
-        },
-        {
-          "type": "ci",
-          "section": "Continuous Integration",
-          "hidden": false
-        },
-        {
-          "type": "chore",
-          "section": "Miscellaneous Chores",
-          "hidden": false
-        }
-      ]
+      "bump-patch-for-minor-pre-major": true
     }
   },
   "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",

.github/release-configs/release-please-manifest.beta.json

@@ -1,3 +1,3 @@
 {
-  ".": "2.0.0-beta.0"
+  ".": "2.0.1-beta.0"
 }

.github/workflows/release-on-push.yml

@@ -1,6 +1,7 @@
 name: Release on Push
 
 # Automatically creates GitHub releases after release PRs are merged
+# Uses vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID and secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY
 
 on:
   push:
@@ -16,13 +17,22 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      # owner scopes the token to the org installation so it can access other repos (e.g. private npm-release-workflows)
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - uses: actions/checkout@v6
 
       - name: Checkout workflows repository
         uses: actions/checkout@v6
         with:
           repository: heroku/npm-release-workflows
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: workflows-repo
           ref: main
 
@@ -31,4 +41,4 @@ jobs:
         with:
           package-manager: yarn  # npm | yarn | pnpm
           branch_name: ${{ github.ref_name }}
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/release.yml

@@ -1,6 +1,7 @@
 name: Release
 
-# Public repo workflow using token-based checkout to access private npm-release-workflows
+# Public repo workflow using GitHub App token to access private npm-release-workflows
+# Uses vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID and secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY
 
 on:
   workflow_dispatch:
@@ -15,13 +16,22 @@ jobs:
   validate:
     runs-on: pub-hk-ubuntu-24.04-ip  # Options: ubuntu-latest | sfdc-hk-ubuntu-latest | pub-hk-ubuntu-24.04-ip
     steps:
+      # owner scopes the token to the org installation so it can access other repos (e.g. private npm-release-workflows)
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - uses: actions/checkout@v6
 
       - name: Checkout workflows repository
         uses: actions/checkout@v6
         with:
           repository: heroku/npm-release-workflows
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: workflows-repo
           ref: main
 
@@ -49,13 +59,22 @@ jobs:
       no_release_needed: ${{ steps.release-workflow.outputs.no_release_needed }}
       pr_already_exists: ${{ steps.release-workflow.outputs.pr_already_exists }}
     steps:
+      # owner scopes the token to the org installation so it can access other repos (e.g. private npm-release-workflows)
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - uses: actions/checkout@v6
 
       - name: Checkout workflows repository
         uses: actions/checkout@v6
         with:
           repository: heroku/npm-release-workflows
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: workflows-repo
           ref: main
 
@@ -66,7 +85,7 @@ jobs:
           package-manager: yarn  # npm | yarn | pnpm
           branch_name: ${{ github.ref_name }}
           dry_run: ${{ inputs.dry_run }}
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
   publish:
     needs: release-please-pr
@@ -77,21 +96,30 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
+      # owner scopes the token to the org installation so it can access other repos (e.g. private npm-release-workflows)
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - uses: actions/checkout@v6
 
       - name: Checkout workflows repository
         uses: actions/checkout@v6
         with:
           repository: heroku/npm-release-workflows
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: workflows-repo
           ref: main
 
       - name: Publish to npm
         uses: ./workflows-repo/.github/actions/release-publish-public
         with:
           package-manager: yarn  # npm | yarn | pnpm
-          workflows_token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          workflows_token: ${{ steps.app-token.outputs.token }}
           build_command: 'run build'
           dry_run: ${{ inputs.dry_run }}
           npm_tag: ${{ needs.release-please-pr.outputs.npm_tag }}

.github/workflows/update-release-configs.yml

@@ -1,6 +1,7 @@
 name: Update Release Configs
 
 # Generates release-please config files from release-channels.yml
+# Uses vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID and secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY
 
 on:
   workflow_dispatch:
@@ -12,13 +13,20 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEV_TOOLS_RELEASE_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.DEV_TOOLS_RELEASE_WORKFLOW_APP_PRIVATE_KEY }}
+
       - uses: actions/checkout@v6
 
       - name: Checkout workflows repository
         uses: actions/checkout@v6
         with:
           repository: heroku/npm-release-workflows
-          token: ${{ secrets.WORKFLOWS_ACCESS_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: workflows-repo
           ref: main