Optionally override the active GitHub App via the environment

dscho · dscho · commit 7657e4dd4013 · 2026-03-31T10:08:25.000+02:00
To support embargoed builds in a private fork, we need to be able to do
things outside of the regular `git-for-windows` org. This also requires
a GitHub App to be installed on that org, and to allow for developing
that App separately from the public one (so that urgent fixes can be
made in private, without notifying anyone of ongoing security work), it
must be a GitHub App other than the one that is installed in the
`git-for-windows` org.

Also fix the check_run tests to use `sender.login: 'ghost'`, which is
what GitHub actually sends for check runs created via the API by an app
nowadays (yes, this changed at some stage, and we had to adapt).

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/GitForWindowsHelper/cascading-runs.js b/GitForWindowsHelper/cascading-runs.js
@@ -1,4 +1,4 @@
-const { activeOrg } = require('./org')
+const { activeBot, activeOrg } = require('./org')
 
 const getToken = (() => {
     const tokens = {}
@@ -14,7 +14,7 @@ const getToken = (() => {
 })()
 
 const isAllowed = async (context, owner, repo, login) => {
-    if (login === 'gitforwindowshelper[bot]') return true
+    if (login === `${activeBot}[bot]`) return true
     const getCollaboratorPermissions = require('./get-collaborator-permissions')
     const token = await getToken(context, owner, repo)
     const permission = await getCollaboratorPermissions(context, token, owner, repo, login)
@@ -117,8 +117,8 @@ const cascadingRuns = async (context, req) => {
     const checkRunRepo = req.body.repository.name
     const checkRun = req.body.check_run
     const name = checkRun.name
-    const sender = req.body.sender.login === 'ghost' && checkRun?.app?.slug === 'gitforwindowshelper'
-        ? 'gitforwindowshelper[bot]' : req.body.sender.login
+    const sender = req.body.sender.login === 'ghost' && checkRun?.app?.slug === activeBot
+        ? `${activeBot}[bot]` : req.body.sender.login
 
     if (action === 'completed') {
         if (name === 'tag-git') {
diff --git a/GitForWindowsHelper/finalize-g4w-release.js b/GitForWindowsHelper/finalize-g4w-release.js
@@ -1,4 +1,4 @@
-const { activeOrg } = require('./org')
+const { activeOrg, activeBot } = require('./org')
 
 module.exports = async (context, req) => {
     if (req.body.action !== 'completed') return "Nothing to do here: workflow run did not complete yet"
@@ -23,7 +23,7 @@ module.exports = async (context, req) => {
     })()
 
     const isAllowed = async (login) => {
-        if (login === 'gitforwindowshelper[bot]') return true
+        if (login === `${activeBot}[bot]`) return true
         const getCollaboratorPermissions = require('./get-collaborator-permissions')
         const token = await getToken()
         const permission = await getCollaboratorPermissions(context, token, owner, repo, login)
diff --git a/GitForWindowsHelper/index.js b/GitForWindowsHelper/index.js
@@ -1,5 +1,5 @@
 const validateGitHubWebHook = require('./validate-github-webhook')
-const { activeOrg } = require('./org')
+const { activeBot, activeOrg } = require('./org')
 
 module.exports = async function (context, req) {
     const withStatus = (status, headers, body) => {
@@ -54,7 +54,7 @@ module.exports = async function (context, req) {
     try {
         const { cascadingRuns, handlePush } = require('./cascading-runs.js')
         if (req.headers['x-github-event'] === 'check_run'
-            && req.body.check_run?.app?.slug === 'gitforwindowshelper'
+            && req.body.check_run?.app?.slug === activeBot
             && req.body.repository.full_name === `${activeOrg}/git`
             && req.body.action === 'completed') return ok(await cascadingRuns(context, req))
 
diff --git a/GitForWindowsHelper/org.js b/GitForWindowsHelper/org.js
@@ -1,3 +1,4 @@
 module.exports = {
-    activeOrg: process.env.ACTIVE_ORG || 'git-for-windows'
+    activeOrg: process.env.ACTIVE_ORG || 'git-for-windows',
+    activeBot: process.env.ACTIVE_BOT || 'gitforwindowshelper',
 }
diff --git a/__tests__/index.test.js b/__tests__/index.test.js
@@ -798,6 +798,9 @@ test('a completed `tag-git` run triggers `git-artifacts` runs', async () => {
                 slug: 'gitforwindowshelper',
             },
         },
+        sender: {
+            login: 'ghost'
+        },
         installation: {
             id: 123
         },
@@ -999,6 +1002,9 @@ test('the third completed `git-artifacts-<arch>` check-run triggers an `upload-s
                 slug: 'gitforwindowshelper',
             },
         },
+        sender: {
+            login: 'ghost'
+        },
         installation: {
             id: 123
         },

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
`1`	`1`	`module.exports = {`
`2`		`- activeOrg: process.env.ACTIVE_ORG \|\| 'git-for-windows'`
	`2`	`+ activeOrg: process.env.ACTIVE_ORG \|\| 'git-for-windows',`
	`3`	`+ activeBot: process.env.ACTIVE_BOT \|\| 'gitforwindowshelper',`
`3`	`4`	`}`