workflows/labels: run with app token

This gives us a much higher rate limit of 12.5k requests per hour. If
the app is not available, we fallback to the regular `github.token`.
This can happen when testing in forks without setting up an app.

.github/workflows/labels.yml

@@ -13,6 +13,9 @@ on:
       headBranch:
         required: true
         type: string
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY:
+        required: true
   workflow_dispatch:
     inputs:
       updatedWithin:
@@ -28,6 +31,8 @@ concurrency:
   # PR- and manually-triggered runs will be cancelled, but scheduled runs will be queued.
   cancel-in-progress: ${{ github.event_name != 'schedule' }}
 
+# This is used as fallback without app only.
+# This happens when testing in forks without setting up that app.
 permissions:
   issues: write # needed to create *new* labels
   pull-requests: write
@@ -44,9 +49,18 @@ jobs:
       - name: Install dependencies
         run: npm install @actions/artifact bottleneck
 
+      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.NIXPKGS_CI_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
       - name: Labels from API data and Eval results
@@ -54,6 +68,7 @@ jobs:
         env:
           UPDATED_WITHIN: ${{ inputs.updatedWithin }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const Bottleneck = require('bottleneck')
             const path = require('node:path')
@@ -272,7 +287,7 @@ jobs:
 
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
@@ -281,7 +296,7 @@ jobs:
           github.event_name == 'pull_request_target' &&
           !contains(fromJSON(inputs.headBranch).type, 'development')
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo-token: ${{ steps.app-token.outputs.token }}
           configuration-path: .github/labeler.yml # default
           sync-labels: true
 
@@ -291,7 +306,7 @@ jobs:
           github.event_name == 'pull_request_target' &&
           !contains(fromJSON(inputs.headBranch).type, 'development')
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo-token: ${{ steps.app-token.outputs.token }}
           configuration-path: .github/labeler-no-sync.yml
           sync-labels: false
 
@@ -304,11 +319,11 @@ jobs:
           github.event_name == 'pull_request_target' &&
           contains(fromJSON(inputs.headBranch).type, 'development')
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo-token: ${{ steps.app-token.outputs.token }}
           configuration-path: .github/labeler-development-branches.yml
           sync-labels: true
 
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq

.github/workflows/pr.yml

@@ -103,6 +103,8 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
     with:
       headBranch: ${{ needs.prepare.outputs.headBranch }}