Problem or enhancement idea
Hinode requires a personal access token (PAT) to automatically create pull requests that trigger a release. This is used by the action that updates Hugo dependencies (e.g. .github/workflows/mod-update.yml). The default GITHUB_TOKEN does not suffice, as it cannot trigger other workflows. Although the PAT approach works, it is quite tedious to maintain for a growing number of repositories. When expired, each token has to be manually recreated and stored as a secret. In addition, having these tokens is a potential security risk, as abuse is difficult to detect.
Proposed solution
Following the advice from Peter Evans, a GitHub App can be created for the sole purpose of generating tokens for use with GitHub Actions. These tokens can be used in place of GITHUB_TOKEN or a Personal Access Token (PAT). GitHub App generated tokens are more secure than using a PAT because GitHub App access permissions can be set with finer granularity and are scoped to only repositories where the App is installed.
Alternatives
The current approach uses a personal access token (PAT) - which works - but requires more maintenance and is less secure.
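As an added illustration (not code from the issue or from the Hinode project), a hypothetical version of the module-update workflow that mints a short-lived installation token from the proposed GitHub App and hands it to the pull-request step instead of a PAT. The action versions, secret names, Hugo commands and schedule are assumptions; the real contents of mod-update.yml are not on this page.

```yaml
# Hypothetical workflow: an App-minted installation token replaces the PAT.
name: mod-update
on:
  schedule:
    - cron: "0 6 * * 1"   # constructed schedule: Mondays 06:00 UTC
  workflow_dispatch:

permissions: {}  # GITHUB_TOKEN is not used; the job relies on the App token only

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Mint an installation token for this repository. It expires on its own
      # (about an hour), so there is nothing to rotate or re-store manually.
      # APP_ID and APP_PRIVATE_KEY are assumed secret names holding the App id and PEM key.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Least privilege: request only what creating a PR needs. These
          # per-run scoping inputs are assumed to exist in recent v1 releases.
          permission-contents: write
          permission-pull-requests: write

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - uses: peaceiris/actions-hugo@v3
        with:
          extended: true

      - name: Update Hugo modules
        run: |
          hugo mod get -u ./...
          hugo mod tidy

      - name: Create pull request
        uses: peter-evans/create-pull-request@v6
        with:
          # A PR opened with the App token (unlike GITHUB_TOKEN) still triggers
          # the repository's other workflows, e.g. the release workflow.
          token: ${{ steps.app-token.outputs.token }}
          commit-message: "chore(deps): update Hugo modules"
          branch: chore/mod-update
          title: "chore(deps): update Hugo modules"
          body: "Automated Hugo module update (constructed example)."
          delete-branch: true
```

Because the commits and PR are attributed to the App's bot identity rather than a person, activity by the token shows up distinctly in the audit log, which addresses the detection concern raised above.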