build: add support for fetching github token from sudowoodo (#43886)

* build: add support for fetching github token from sudowoodo

Co-authored-by: Samuel Attard <[email protected]>

* chore: update release notes cache for tests

Co-authored-by: Samuel Attard <[email protected]>

* build: support nightlies repo correctly

Co-authored-by: Samuel Attard <[email protected]>

* build: post token

Co-authored-by: Samuel Attard <[email protected]>

---------

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Samuel Attard <[email protected]>

.github/workflows/pipeline-segment-electron-build.yml

@@ -67,7 +67,8 @@ concurrency:
 env:
   ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  ELECTRON_GITHUB_TOKEN: ${{ secrets.ELECTRON_GITHUB_TOKEN }}
+  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
+  SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
   GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
   ELECTRON_OUT_DIR: Default
 

.github/workflows/pipeline-segment-electron-test.yml

@@ -38,7 +38,6 @@ permissions:
 env:
   ELECTRON_OUT_DIR: Default
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  ELECTRON_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
   test:

script/release/ci-release-build.js

@@ -4,8 +4,9 @@ const assert = require('node:assert');
 const got = require('got');
 
 const { Octokit } = require('@octokit/rest');
+const { createGitHubTokenStrategy } = require('./github-token');
 const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
+  authStrategy: createGitHubTokenStrategy('electron')
 });
 
 const BUILD_APPVEYOR_URL = 'https://ci.appveyor.com/api/builds';

script/release/find-github-release.js

@@ -1,9 +1,7 @@
 if (!process.env.CI) require('dotenv-safe').load();
 
 const { Octokit } = require('@octokit/rest');
-const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
+const { createGitHubTokenStrategy } = require('./github-token');
 
 if (process.argv.length < 3) {
   console.log('Usage: find-release version');
@@ -13,6 +11,10 @@ if (process.argv.length < 3) {
 const version = process.argv[2];
 const targetRepo = findRepo();
 
+const octokit = new Octokit({
+  authStrategy: createGitHubTokenStrategy(targetRepo)
+});
+
 function findRepo () {
   return version.indexOf('nightly') > 0 ? 'nightlies' : 'electron';
 }

script/release/get-asset.js

@@ -1,12 +1,13 @@
 const { Octokit } = require('@octokit/rest');
 const got = require('got');
-
-const octokit = new Octokit({
-  userAgent: 'electron-asset-fetcher',
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
+const { createGitHubTokenStrategy } = require('./github-token');
 
 async function getAssetContents (repo, assetId) {
+  const octokit = new Octokit({
+    userAgent: 'electron-asset-fetcher',
+    authStrategy: createGitHubTokenStrategy(repo)
+  });
+
   const requestOptions = octokit.repos.getReleaseAsset.endpoint({
     owner: 'electron',
     repo,
@@ -17,7 +18,7 @@ async function getAssetContents (repo, assetId) {
   });
 
   const { url, headers } = requestOptions;
-  headers.authorization = `token ${process.env.ELECTRON_GITHUB_TOKEN}`;
+  headers.authorization = `token ${(await octokit.auth()).token}`;
 
   const response = await got(url, {
     followRedirect: false,

script/release/github-token.js

@@ -0,0 +1,57 @@
+const { createTokenAuth } = require('@octokit/auth-token');
+const got = require('got').default;
+
+const cachedTokens = Object.create(null);
+
+async function ensureToken (repo) {
+  if (!cachedTokens[repo]) {
+    cachedTokens[repo] = await (async () => {
+      const { ELECTRON_GITHUB_TOKEN, SUDOWOODO_EXCHANGE_URL, SUDOWOODO_EXCHANGE_TOKEN } = process.env;
+      if (ELECTRON_GITHUB_TOKEN) {
+        return ELECTRON_GITHUB_TOKEN;
+      }
+
+      if (SUDOWOODO_EXCHANGE_URL && SUDOWOODO_EXCHANGE_TOKEN) {
+        const resp = await got.post(SUDOWOODO_EXCHANGE_URL + '?repo=' + repo, {
+          headers: {
+            Authorization: SUDOWOODO_EXCHANGE_TOKEN
+          },
+          throwHttpErrors: false
+        });
+        if (resp.statusCode !== 200) {
+          console.error('bad sudowoodo exchange response code:', resp.statusCode);
+          throw new Error('non-200 status code received from sudowoodo exchange function');
+        }
+        try {
+          return JSON.parse(resp.body).token;
+        } catch {
+          // Swallow as the error could include the token
+          throw new Error('Unexpected error parsing sudowoodo exchange response');
+        }
+      }
+
+      throw new Error('Could not find or fetch a valid GitHub Auth Token');
+    })();
+  }
+}
+
+module.exports.createGitHubTokenStrategy = (repo) => () => {
+  let tokenAuth = null;
+
+  async function ensureTokenAuth () {
+    if (!tokenAuth) {
+      await ensureToken(repo);
+      tokenAuth = createTokenAuth(cachedTokens[repo]);
+    }
+  }
+
+  async function auth () {
+    await ensureTokenAuth();
+    return await tokenAuth();
+  }
+  auth.hook = async (...args) => {
+    await ensureTokenAuth();
+    return await tokenAuth.hook(...args);
+  };
+  return auth;
+};

script/release/notes/index.js

@@ -9,8 +9,9 @@ const { ELECTRON_DIR } = require('../../lib/utils');
 const notesGenerator = require('./notes.js');
 
 const { Octokit } = require('@octokit/rest');
+const { createGitHubTokenStrategy } = require('../github-token');
 const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
+  authStrategy: createGitHubTokenStrategy('electron')
 });
 
 const semverify = version => version.replace(/^origin\//, '').replace(/[xy]/g, '0').replace(/-/g, '.');

script/release/notes/notes.js

@@ -8,11 +8,13 @@ const path = require('node:path');
 const { GitProcess } = require('dugite');
 
 const { Octokit } = require('@octokit/rest');
-const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
 
 const { ELECTRON_DIR } = require('../../lib/utils');
+const { createGitHubTokenStrategy } = require('../github-token');
+
+const octokit = new Octokit({
+  authStrategy: createGitHubTokenStrategy('electron')
+});
 
 const MAX_FAIL_COUNT = 3;
 const CHECK_INTERVAL = 5000;

script/release/prepare-release.js

@@ -13,6 +13,7 @@ const path = require('node:path');
 const readline = require('node:readline');
 const releaseNotesGenerator = require('./notes/index.js');
 const { getCurrentBranch, ELECTRON_DIR } = require('../lib/utils.js');
+const { createGitHubTokenStrategy } = require('./github-token');
 const bumpType = args._[0];
 const targetRepo = getRepo();
 
@@ -21,7 +22,7 @@ function getRepo () {
 }
 
 const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
+  authStrategy: createGitHubTokenStrategy(getRepo())
 });
 
 require('colors');

script/release/publish-to-npm.js

@@ -10,10 +10,7 @@ const rootPackageJson = require('../../package.json');
 
 const { Octokit } = require('@octokit/rest');
 const { getAssetContents } = require('./get-asset');
-const octokit = new Octokit({
-  userAgent: 'electron-npm-publisher',
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
+const { createGitHubTokenStrategy } = require('./github-token');
 
 if (!process.env.ELECTRON_NPM_OTP) {
   console.error('Please set ELECTRON_NPM_OTP');
@@ -47,6 +44,11 @@ const currentElectronVersion = getElectronVersion();
 const isNightlyElectronVersion = currentElectronVersion.includes('nightly');
 const targetRepo = getRepo();
 
+const octokit = new Octokit({
+  userAgent: 'electron-npm-publisher',
+  authStrategy: createGitHubTokenStrategy(targetRepo)
+});
+
 function getRepo () {
   return isNightlyElectronVersion ? 'nightlies' : 'electron';
 }

script/release/release-artifact-cleanup.js

@@ -6,16 +6,17 @@ const args = require('minimist')(process.argv.slice(2), {
   default: { releaseID: '' }
 });
 const { Octokit } = require('@octokit/rest');
-
-const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
+const { createGitHubTokenStrategy } = require('./github-token');
 
 require('colors');
 const pass = '✓'.green;
 const fail = '✗'.red;
 
 async function deleteDraft (releaseId, targetRepo) {
+  const octokit = new Octokit({
+    authStrategy: createGitHubTokenStrategy(targetRepo)
+  });
+
   try {
     const result = await octokit.repos.getRelease({
       owner: 'electron',
@@ -41,6 +42,10 @@ async function deleteDraft (releaseId, targetRepo) {
 }
 
 async function deleteTag (tag, targetRepo) {
+  const octokit = new Octokit({
+    authStrategy: createGitHubTokenStrategy(targetRepo)
+  });
+
   try {
     await octokit.git.deleteRef({
       owner: 'electron',

script/release/release.js

@@ -25,13 +25,10 @@ const fail = '✗'.red;
 const { ELECTRON_DIR } = require('../lib/utils');
 const { getElectronVersion } = require('../lib/get-version');
 const getUrlHash = require('./get-url-hash');
+const { createGitHubTokenStrategy } = require('./github-token');
 
 const pkgVersion = `v${getElectronVersion()}`;
 
-const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN
-});
-
 function getRepo () {
   return pkgVersion.indexOf('nightly') > 0 ? 'nightlies' : 'electron';
 }
@@ -39,6 +36,10 @@ function getRepo () {
 const targetRepo = getRepo();
 let failureCount = 0;
 
+const octokit = new Octokit({
+  authStrategy: createGitHubTokenStrategy(targetRepo)
+});
+
 async function getDraftRelease (version, skipValidation) {
   const releaseInfo = await octokit.repos.listReleases({
     owner: 'electron',
@@ -392,7 +393,7 @@ async function verifyDraftGitHubReleaseAssets (release) {
     });
 
     const { url, headers } = requestOptions;
-    headers.authorization = `token ${process.env.ELECTRON_GITHUB_TOKEN}`;
+    headers.authorization = `token ${(await octokit.auth()).token}`;
 
     const response = await got(url, {
       followRedirect: false,

script/release/uploaders/upload-to-github.ts

@@ -1,10 +1,6 @@
 import { Octokit } from '@octokit/rest';
 import * as fs from 'node:fs';
-
-const octokit = new Octokit({
-  auth: process.env.ELECTRON_GITHUB_TOKEN,
-  log: console
-});
+import { createGitHubTokenStrategy } from '../github-token';
 
 if (!process.env.CI) require('dotenv-safe').load();
 
@@ -51,6 +47,11 @@ const targetRepo = getRepo();
 const uploadUrl = `https://uploads.github.com/repos/electron/${targetRepo}/releases/${releaseId}/assets{?name,label}`;
 let retry = 0;
 
+const octokit = new Octokit({
+  authStrategy: createGitHubTokenStrategy(targetRepo),
+  log: console
+});
+
 function uploadToGitHub () {
   console.log(`in uploadToGitHub for ${filePath}, ${fileName}`);
   const fileData = fs.createReadStream(filePath);