Reduce usage of admin token

.github/actions/check-release/action.yml

@@ -14,14 +14,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - shell: bash -eux {0}
+    - shell: bash
       id: install-releaser
       run: |
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh
 
     - id: prep-release
       shell: bash -eux {0}

.github/actions/finalize-release/action.yml

@@ -32,14 +32,11 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: install-releaser
-      shell: bash -eux {0}
+    - shell: bash
+      id: install-releaser
       run: |
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh
 
     - id: finalize-release
       shell: bash -eux {0}

.github/actions/install-releaser/action.yml

@@ -6,9 +6,5 @@ runs:
     - shell: bash
       id: install-releaser
       run: |
-        set -eux
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh

.github/actions/populate-release/action.yml

@@ -4,6 +4,9 @@ inputs:
   token:
     description: "GitHub access token"
     required: true
+  personal_access_token:
+    description: "An admin Github access token used to push the changes"
+    required: true
   target:
     description: "The owner/repo GitHub target"
     required: false
@@ -29,14 +32,11 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: install-releaser
-      shell: bash -eux {0}
+    - shell: bash
+      id: install-releaser
       run: |
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh
 
     - id: populate-release
       shell: bash -eux {0}
@@ -48,6 +48,7 @@ runs:
         export RH_STEPS_TO_SKIP=${{ inputs.steps_to_skip }}
         export RH_RELEASE_URL=${{ inputs.release_url }}
         export RH_BRANCH=${{ inputs.branch }}
+        export RH_PERSONAL_ACCESS_TOKEN=${{ inputs.personal_access_token }}
         python -m jupyter_releaser.actions.populate_release
 
     - if: ${{ failure() }}

.github/actions/prep-release/action.yml

@@ -38,14 +38,11 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: install-releaser
-      shell: bash -eux {0}
+    - shell: bash
+      id: install-releaser
       run: |
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh
 
     - id: prep-release
       shell: bash -eux {0}

.github/actions/publish-changelog/action.yml

@@ -21,14 +21,11 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: install-releaser
-      shell: bash -eux {0}
+    - shell: bash
+      id: install-releaser
       run: |
-        # Install Jupyter Releaser from git unless we are testing Releaser itself
-        if ! command -v jupyter-releaser &> /dev/null
-        then
-            pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v2
-        fi
+        cd "${{ github.action_path }}/../../scripts"
+        bash install-releaser.sh
 
     - id: publish-changelog
       shell: bash -eux {0}

.github/scripts/install-releaser.sh

@@ -0,0 +1,10 @@
+set -eux
+# Install Jupyter Releaser if it is not already installed
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if ! command -v jupyter-releaser &> /dev/null
+then
+    cd "${SCRIPT_DIR}/../.."
+    pip install -e .
+fi

.github/workflows/prep-self-release.yml

@@ -37,7 +37,7 @@ jobs:
         id: prep-release
         uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           version_spec: ${{ github.event.inputs.version_spec }}
           post_version_spec: ${{ github.event.inputs.post_version_spec }}
           target: jupyter-server/jupyter_releaser

.github/workflows/publish-self-release.yml

@@ -31,7 +31,7 @@ jobs:
         id: populate-release
         uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           target: jupyter-server/jupyter_releaser
           branch: ${{ github.event.inputs.branch }}
           release_url: ${{ github.event.inputs.release_url }}
@@ -43,7 +43,7 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           target: ${{ github.event.inputs.target }}
           release_url: ${{ steps.populate-release.outputs.release_url }}
 

docs/source/get_started/making_release_from_releaser.md

@@ -18,6 +18,15 @@ already uses Jupyter Releaser.
 
 - Set up PyPI:
 
+<details><summary>Using PyPI trusted publisher (modern way)</summary>
+
+- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
+  - if you use the example workflows, the _workflow name_ is `publish-release.yml` (or `full-release.yml`) and the
+    _environment_ should be left blank.
+- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
+
+</details>
+
 <details><summary>Using PyPI token (legacy way)</summary>
 
 - If the repo generates PyPI release(s), create a scoped PyPI [token](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github). We recommend using a scoped token for security reasons.
@@ -40,15 +49,6 @@ already uses Jupyter Releaser.
 
 </details>
 
-<details><summary>Using PyPI trusted publisher (modern way)</summary>
-
-- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
-  - if you use the example workflows, the _workflow name_ is `publish-release.yml` (or `full-release.yml`) and the
-    _environment_ should be left blank.
-- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
-
-</details>
-
 - If the repo generates npm release(s), add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets".
 
 > If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)).

docs/source/how_to_guides/convert_repo_from_repo.md

@@ -16,32 +16,25 @@ See checklist below for details:
 
 ## Checklist for Adoption
 
-- [ ] Add a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token), preferably from a "machine user" GitHub
-  account that has admin access to the repository. The token itself will
-  need "public_repo", and "repo:status" permissions. Save the token as
-  `ADMIN_GITHUB_TOKEN`
-  in the [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). We need this
-  access token to allow for branch protection rules, which block the pushing
-  of commits when using the `GITHUB_TOKEN`, even when run from an admin user
-  account.
-
 - [ ] Set up PyPI:
 
+<details><summary>Using PyPI trusted publisher (modern way)</summary>
+
+- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
+  - if you use the example workflows, the _workflow name_ is `publish-release.yml` (or `full-release.yml`) and the
+    _environment_ should be kept as `release` (unless you choose a different name).
+- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
+
+</details>
+
 <details><summary>Using PyPI token (legacy way)</summary>
 
 - Add access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github) stored as `PYPI_TOKEN`.
   _Note_ For security reasons, it is recommended that you scope the access
   to a single repository. Additionally, this token should belong to a
   machine account and not a user account.
-
-</details>
-
-<details><summary>Using PyPI trusted publisher (modern way)</summary>
-
-- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
-  - if you use the example workflows, the _workflow name_ is `publish-release.yml` (or `full-release.yml`) and the
-    _environment_ should be left blank.
-- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
+- Additionally, you should still use a GitHub [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) to ensure write permissions
+  for the repo do not automatically grant release permissions.
 
 </details>
 
@@ -106,6 +99,10 @@ version_info = tuple(parts)
 
 - [ ] Copy `prep-release.yml` and `publish-release.yml` from the `example-workflows` folder in this repository.
 
+- [ ] If you repo has required PR checks, you must either have a `.github/jupyterlab-probot.yml` file or add a `pr-ci-trigger` option to your `releaser`
+  configuration.  If using `jupyterlab-probot`, the config should be `@jupyterlab-probot, please restart ci`.  This config will cause releaser to
+  make the comment on the forwardport changelog PR or post-silent changelog PRs.
+
 - [ ] Optionally add configuration to the repository if non-standard options or hooks are needed.
 
 - [ ] If desired, add `check_release` job, changelog, and `hatch` support to other active release branches

example-workflows/full-release.yml

@@ -29,18 +29,22 @@ on:
 jobs:
   full_release:
     runs-on: ubuntu-latest
+    environment: release
     permissions:
       # This is useful if you want to use PyPI trusted publisher
       # and NPM provenance
       id-token: write
+      pull-requests: write
+      contents: write
+      issues: write
     steps:
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 
       - name: Prep Release
         id: prep-release
         uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           version_spec: ${{ github.event.inputs.version_spec }}
           post_version_spec: ${{ github.event.inputs.post_version_spec }}
           branch: ${{ github.event.inputs.branch }}
@@ -52,7 +56,7 @@ jobs:
         id: populate-release
         uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           branch: ${{ github.event.inputs.branch }}
           release_url: ${{ steps.prep-release.outputs.release_url }}
           steps_to_skip: ${{ github.event.inputs.steps_to_skip }}
@@ -67,7 +71,7 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           release_url: ${{ steps.populate-release.outputs.release_url }}
 
       - name: "** Next Step **"

example-workflows/prep-release.yml

@@ -26,14 +26,17 @@ on:
 jobs:
   prep_release:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 
       - name: Prep Release
         id: prep-release
         uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           version_spec: ${{ github.event.inputs.version_spec }}
           post_version_spec: ${{ github.event.inputs.post_version_spec }}
           branch: ${{ github.event.inputs.branch }}

example-workflows/publish-changelog.yml

@@ -11,14 +11,18 @@ on:
 
 jobs:
   publish_changelog:
+    permissions:
+      pull-requests: write
+      contents: write
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
       - name: Publish changelog
         id: publish-changelog
         uses: jupyter-server/jupyter_releaser/.github/actions/publish-changelog@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           branch: ${{ github.event.inputs.branch }}
 
       - name: "** Next Step **"

example-workflows/publish-release.yml

@@ -15,18 +15,22 @@ on:
 jobs:
   publish_release:
     runs-on: ubuntu-latest
+    environment: release
     permissions:
       # This is useful if you want to use PyPI trusted publisher
       # and NPM provenance
       id-token: write
+      pull-requests: write
+      contents: write
+      issues: write
     steps:
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 
       - name: Populate Release
         id: populate-release
         uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           branch: ${{ github.event.inputs.branch }}
           release_url: ${{ github.event.inputs.release_url }}
           steps_to_skip: ${{ github.event.inputs.steps_to_skip }}
@@ -41,7 +45,7 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2
         with:
-          token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           release_url: ${{ steps.populate-release.outputs.release_url }}
 
       - name: "** Next Step **"