ci: sign commits in bump_version workflow [SEC-2166]

.github/workflows/bump_version.yml

@@ -5,76 +5,46 @@
 jobs:
   bump-version:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: write
-      pull-requests: write
-      checks: write
+    permissions: {}
     env:
-      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+      NEW_SEMGREP_VERSION: ${{ inputs.version }}
     steps:
-      - id: jwt
-        env:
-          EXPIRATION: 600
-          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
-          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
-        name: Get JWT for semgrep-ci GitHub App
-        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
-
       - id: token
         name: Get token for semgrep-ci GitHub App
-        run: |
-          TOKEN="$(curl -X POST \
-          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
-          -H "Accept: application/vnd.github.v3+json" \
-          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
-          jq -r .token)"
-          echo "::add-mask::$TOKEN"
-          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ secrets.SEMGREP_CI_CLIENT_ID }}
+          private-key: ${{ secrets.SEMGREP_CI_APP_KEY }}
+          repositories: pre-commit
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ steps.token.outputs.token }}
+          persist-credentials: false
 
       - name: Bump version in this repo
         run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"
 
-      - name: Commit and push
-        id: commit
-        env:
-          BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
-          SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
-        run: |
-          git config user.name ${{ github.actor }}
-          git config user.email ${{ github.actor }}@users.noreply.github.com
-          git checkout -b $BRANCH
-          git commit -am "$SUBJECT"
-          git tag "v${NEW_SEMGREP_VERSION}" HEAD
-          git remote -vv
-          git push --set-upstream origin $BRANCH
-          git push origin tag "v$NEW_SEMGREP_VERSION"
-          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
-          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+      - name: Open bump-version PR
+        id: cpr
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        with:
+          token: ${{ steps.token.outputs.token }}
+          branch: "gha/bump-version-${{ inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
+          base: ${{ github.event.repository.default_branch }}
+          title: "chore: update pre-commit to semgrep ${{ inputs.version }}"
+          body: "Bump Semgrep Version to ${{ inputs.version }}"
+          commit-message: "Bump setup to ${{ inputs.version }}"
+          sign-commits: true
 
-      - name: Create PR
-        id: open-pr
+      - name: Tag release on bump branch
+        if: steps.cpr.outputs.pull-request-operation != 'none'
         env:
-          SOURCE: "${{ steps.commit.outputs.branch }}"
-          TARGET: "${{ github.event.repository.default_branch }}"
-          TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
-          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
-          VERSION: "${{ inputs.version }}"
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+          SHA: ${{ steps.cpr.outputs.pull-request-head-sha }}
         run: |
-          # check if the branch already has a pull request open
-          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
-              # pull request already open
-              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
-              echo "cancelling release"
-              exit 1
-          fi
-          # open new pull request with the body of from the local template.
-          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
-            --base "${TARGET}" --head "${SOURCE}")
+          gh api -X POST "repos/${{ github.repository }}/git/refs" \
+            -f ref="refs/tags/v${NEW_SEMGREP_VERSION}" \
+            -f sha="${SHA}"
 
 name: bump-version
 on: