murn0 · murn0 · Aug 9, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -7,6 +7,11 @@ jobs:
     permissions:
       pull-requests: write
     uses: ./.github/workflows/wc-auto-add-label.yaml
+    with:
+      app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID"
+      app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key"
+    secrets:
+      op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
   path-filter:
     outputs:
@@ -55,9 +60,13 @@ jobs:
     uses: ./.github/workflows/wc-update-aqua-checksums.yaml
     permissions:
       contents: read
+    with:
+      aqua_version: v2.9.0
+      prune: true
+      app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID"
+      app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key"
     secrets:
-      gh_app_id: ${{secrets.gh_app_id}}
-      gh_app_private_key: ${{secrets.gh_app_private_key}}
+      op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
   status-check:
     needs:
@@ -78,6 +87,8 @@ jobs:
       ! failure() && ! cancelled() && github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.')
     uses: ./.github/workflows/wc-enable-auto-merge.yaml
     permissions: {}
+    with:
+      app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID"
+      app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key"
     secrets:
-      gh_app_id: ${{secrets.gh_app_id}}
-      gh_app_private_key: ${{secrets.gh_app_private_key}}
+      op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml
@@ -46,6 +46,7 @@ jobs:
       major_title: '## ⚠️ Breaking Changes'
       minor_title: '## Features'
       labels: 'release'
+      app_id_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID"
+      app_secret_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key"
     secrets:
-      gh_app_id: ${{secrets.GH_APP_ID}}
-      gh_app_private_key: ${{secrets.GH_APP_PRIVATE_KEY}}
+      op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -16,6 +16,7 @@ jobs:
       github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/v')
     with:
       draft: true
+      app_id_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID"
+      app_secret_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key"
     secrets:
-      gh_app_id: ${{secrets.GH_APP_ID}}
-      gh_app_private_key: ${{secrets.GH_APP_PRIVATE_KEY}}
+      op_service_account_token: ${{secrets.OP_SERVICE_ACCOUNT_TOKEN}}
diff --git a/.github/workflows/wc-auto-add-label.yaml b/.github/workflows/wc-auto-add-label.yaml
@@ -1,5 +1,18 @@
 name: Pull request auto add label workflow
-on: workflow_call
+on: 
+  workflow_call:
+    inputs:
+      app_id:
+        required: true
+        type: string
+        description: The Secret Reference URL for the AppID stored in 1Password
+      app_secret:
+        required: true
+        type: string
+        description: The Secret Reference URL for the AppSecret stored in 1Password
+    secrets:
+      op_service_account_token:
+        required: true
 
 permissions: {}
 jobs:
@@ -14,6 +27,22 @@ jobs:
       contains(github.head_ref, 'test') ||
       contains(github.head_ref, 'doc')
     steps:
+      - name: Load secrets
+        uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1
+        id: op-load-secret
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.op_service_account_token }}
+          APP_ID: ${{ inputs.app_id }}
+          APP_SECRET: ${{ inputs.app_secret }}
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{steps.op-load-secret.outputs.APP_ID}}
+          private_key: ${{steps.op-load-secret.outputs.APP_SECRET}}
       - run: |
           if [[ "$HEAD_REF" == *"feat"* ]]; then
             echo "HEADブランチに 'feat' が含まれています。"
@@ -29,6 +58,6 @@ jobs:
             gh -R "$GITHUB_REPOSITORY" pr edit "$PR_NUMBER" --add-label "documentation"
           fi
         env:
-          GITHUB_TOKEN: ${{github.token}}
+          GITHUB_TOKEN: ${{steps.generate_token.outputs.token}}
           PR_NUMBER: ${{github.event.pull_request.number}}
           HEAD_REF: ${{github.head_ref}}
diff --git a/.github/workflows/wc-enable-auto-merge.yaml b/.github/workflows/wc-enable-auto-merge.yaml
@@ -2,23 +2,43 @@
 name: enable-auto-merge
 on:
   workflow_call:
-    secrets:
-      gh_app_id:
+    inputs:
+      app_id:
+        required: true
+        type: string
+        description: The Secret Reference URL for the AppID stored in 1Password
+      app_secret:
         required: true
-      gh_app_private_key:
+        type: string
+        description: The Secret Reference URL for the AppSecret stored in 1Password
+    secrets:
+      op_service_account_token:
         required: true
+
+permissions: {}
 jobs:
   enable-auto-merge:
     # Enable automerge to merge pull requests from Renovate automatically.
     runs-on: ubuntu-latest
     permissions: {}
     steps:
+      - name: Load secrets
+        uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1
+        id: op-load-secret
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          APP_ID: ${{ inputs.app_id }}
+          APP_SECRET: ${{ inputs.app_secret }}
+
       - name: Generate token
         id: generate_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
         with:
-          app_id: ${{secrets.gh_app_id}}
-          private_key: ${{secrets.gh_app_private_key}}
+          app_id: ${{steps.op-load-secret.outputs.APP_ID}}
+          private_key: ${{steps.op-load-secret.outputs.APP_SECRET}}
+
       - run: gh -R "$GITHUB_REPOSITORY" pr merge --squash --auto --delete-branch "$PR_NUMBER"
         env:
           GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # Use GitHub App to trigger GitHub Actions Workflow by merge commit.

diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -1,21 +1,140 @@
 ---
 name: update-aqua-checksums
+
 on:
   workflow_call:
-    secrets:
-      gh_app_id:
+    inputs:
+      aqua_policy_config:
+        required: false
+        type: string
+      aqua_version:
+        required: true
+        type: string
+      policy_allow:
+        required: false
+        type: string
+      working_directory:
+        required: false
+        default: ""
+        type: string
+      prune:
+        required: false
+        default: false
+        type: boolean
+      ref:
+        required: false
+        type: string
+      runs-on:
+        required: false
+        type: string
+        default: '"ubuntu-latest"'
+        description: |
+          JSON string for runs-on.
+          e.g.
+          runs-on: '"macos-latest"'
+          runs-on: '["foo"]'
+      app_id:
         required: true
-      gh_app_private_key:
+        type: string
+        description: The Secret Reference URL for the AppID stored in 1Password
+      app_secret:
         required: true
+        type: string
+        description: The Secret Reference URL for the AppSecret stored in 1Password
+    secrets:
+      op_service_account_token:
+        required: true
+
+env:
+  AQUA_POLICY_CONFIG: ${{inputs.aqua_policy_config}}
+  AQUA_LOG_COLOR: always
+
+permissions: {}
+
 jobs:
   update-aqua-checksums:
     # Update aqua-checksums.json and push a commit
-    uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@01a3dfca0b401e2fa1ff11f2b840d227806deca1 # v0.1.7
+    runs-on: ${{fromJSON(inputs.runs-on)}}
     permissions:
-      contents: read
-    with:
-      aqua_version: v2.10.1
-      prune: true
-    secrets:
-      gh_app_id: ${{secrets.gh_app_id}}
-      gh_app_private_key: ${{secrets.gh_app_private_key}}
+      contents: read # To checkout private repository
+    steps:
+      - name: Get ref
+        id: ref
+        run: |
+          set -eu
+          ref=""
+          case "$GITHUB_EVENT_NAME" in
+            "pull_request" ) ref="${{github.event.pull_request.head.sha}}";;
+          esac
+          if [ -n "${{inputs.ref}}" ]; then
+            ref="${{inputs.ref}}"
+          fi
+          echo "ref=$ref" >> "$GITHUB_OUTPUT"
+
+      - name: Load secrets
+        uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1
+        id: op-load-secret
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          APP_ID: ${{ inputs.app_id }}
+          APP_SECRET: ${{ inputs.app_secret }}
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        with:
+          app_id: ${{steps.op-load-secret.outputs.APP_ID}}
+          private_key: ${{steps.op-load-secret.outputs.APP_SECRET}}
+
+      - name: Get skip_push
+        id: skip_push
+        run: |
+          set -eu
+          skip_push=""
+          case "$GITHUB_EVENT_NAME" in
+            "pull_request" ) skip_push="${{github.event.pull_request.head.repo.fork}}";;
+          esac
+          if [ -z "$skip_push" ]; then
+            skip_push=false
+          fi
+          if [ "$TOKEN_TYPE" = "empty" ]; then
+            skip_push=false
+          fi
+          echo "skip_push=$skip_push" >> "$GITHUB_OUTPUT"
+        env:
+          TOKEN_TYPE: ${{steps.generate_token.outputs.token_type}}
+
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{steps.ref.outputs.ref}}
+
+      - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2
+        if: steps.generate_token.outputs.token_type == 'empty'
+        # Install ghcp
+        with:
+          aqua_version: ${{inputs.aqua_version}}
+        env:
+          AQUA_GITHUB_TOKEN: ${{github.token}}
+      - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2
+        if: ${{steps.generate_token.outputs.token_type != 'empty'}}
+        # Install ghcp
+        with:
+          aqua_version: ${{inputs.aqua_version}}
+          policy_allow: ${{inputs.policy_allow}}
+        env:
+          AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}}
+
+      - uses: aquaproj/update-checksum-action@2fb7f676d407d4fb8c2c466c19d09d3ddec4f82f # v0.2.2
+        with:
+          skip_push: ${{steps.skip_push.outputs.skip_push}}
+          prune: ${{inputs.prune}}
+          working_directory: ${{inputs.working_directory}}
+        env:
+          # To trigger GitHub Actions Workflow by pushing a commit, GitHub App token is required.
+          # github.token doesn't trigger GitHub Actions Workflow.
+          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
+          # > When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.
+          GITHUB_TOKEN: ${{steps.generate_token.outputs.token}}