Updating all uses of the secrets.PROJECT_MANAGEMENT_PAT to use a registered Github App (nv-morpheus#1730)

Removes all uses of `secrets.PROJECT_MANAGEMENT_PAT` to instead use the registered app and generate a token via the actions/create-github-app-token` action

## By Submitting this PR I confirm:
- I am familiar with the [Contributing Guidelines](https://github.com/nv-morpheus/Morpheus/blob/main/docs/source/developer_guide/contributing.md).
- When the PR is ready for review, new or existing tests cover these changes.
- When the PR is ready for review, the documentation is up to date with these changes.

Authors:
  - Michael Demoret (https://github.com/mdemoret-nv)

Approvers:
  - Ben Jarmak (https://github.com/jarmak-nv)
  - David Gardner (https://github.com/dagardner-nv)

URL: nv-morpheus#1730

Author: mdemoret-nv

.github/workflows/label-external-issues.yml

@@ -19,27 +19,35 @@ on:
   issues:
     types:
       - opened
-      
-env:
-  GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 
 jobs:
   Label-Issue:
     runs-on: ubuntu-latest
     # Only run if the issue author is not part of NV-Morpheus
     if: ${{ ! contains(fromJSON('["OWNER", "MEMBER", "CONTRIBUTOR", "COLLABORATOR"]'), github.event.issue.author_association)}}
-    steps: 
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
       - name: add-triage-label
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           issue_url=${{ github.event.issue.html_url }}
           gh issue edit ${issue_url} --add-label "Needs Triage,external"
-      
+
       - name: add-comment-to-issue
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
            issue_url=${{ github.event.issue.html_url }}
            author=${{ github.event.issue.user.login }}
            echo ${author}
            gh issue comment ${issue_url} --body "Hi @${author}!
-             
+
              Thanks for submitting this issue - our team has been notified and we'll get back to you as soon as we can!
-             In the mean time, feel free to add any relevant information to this issue."
+             In the meantime, feel free to add any relevant information to this issue."

.github/workflows/project_automation_set_in_progress.yml

@@ -23,33 +23,33 @@ on:
   pull_request_review:
     # Run this action when a PR is reviewed
     types: [submitted]
-      
+
 env:
- ORG: ${{ github.event.repository.owner.login }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- REPO: ${{ github.event.repository.name }}
- PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}
+  ORG: ${{ github.event.repository.owner.login }}
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+  REPO: ${{ github.event.repository.name }}
+  PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}
 
- # The environment vars below are hard-coded from external queries to save time + complexity here
- # Note: PVT means Project V2, not "Private"
- # PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
- PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
- STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
- WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
- START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
- IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
- IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"
+  # The environment vars below are hard-coded from external queries to save time + complexity here
+  # Note: PVT means Project V2, not "Private"
+  # PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
+  PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
+  STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
+  WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
+  START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
+  IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
+  IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"
 
 jobs:
   project_automation_in_progress:
     runs-on: ubuntu-latest
 
     # We use the default GitHub token to perform the draft update because
-    # The pull_request_review trigger does not grant access to the secrets.PROJECT_MANAGEMENT_PAT
+    # The pull_request_review trigger does not grant access to secrets
     permissions:
       issues: write
       pull-requests: write
-    
+
     steps:
       - name: Check if changes requested from a reviewer
         id: check_changes_requested
@@ -58,7 +58,7 @@ jobs:
           if [ ${{ github.event.review.state }} != 'changes_requested' ]; then
             echo "Changes not requested, exiting"
             exit 0
-          
+
           # If it is requesting changes, set PR to draft
           # We use the default token here since we're granting write access to the PR
           elif [ ${{ github.event.pull_request.draft }} == false ]; then
@@ -80,8 +80,6 @@ jobs:
       - name: Select Status Field Value
         id: select_status_field_value
         if: github.event_name == 'pull_request_target'
-        env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
         run: |
           # If it's not a draft and it's an opened trigger, the status should be "Ready for Review", otherwise "In Progress"
           if [ ${{ github.event.pull_request.draft }} == false ] && [ ${{ github.event.action }} == "opened" ]; then
@@ -96,8 +94,6 @@ jobs:
       - name: Get PR Project ID
         id: get_pr_id
         if: github.event_name == 'pull_request_target'
-        env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
         run: |
             # Query up to 10 projects for the PR
             gh api graphql -f query='
@@ -122,20 +118,18 @@ jobs:
                   }
                 }
               }' > project_data.json
-            
+
             # Filter the json result to only the project-specific ID for the PR
             # A PR can be in multiple projects so we need to filter by the project ID we want
             pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
                            select(.node.project.id == "${{ env.PROJECT_ID }}") |
                            .node.id' project_data.json)
             echo "PR_ID=$pr_id" >> $GITHUB_ENV
         continue-on-error: true
-            
+
       - name: Set PR Fields
         id: set_pr_fields
         if: github.event_name == 'pull_request_target'
-        env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
         run: |
             gh api graphql -f query='
                 mutation {
@@ -154,7 +148,7 @@ jobs:
                             }
                         }
                     }'
-        
+
             # Check if the PR has a start sprint assigned, save the result for the linked issues
             gh api graphql -f query='
                 query {
@@ -171,7 +165,7 @@ jobs:
                 }' > start_sprint_exists_data.json
               start_sprint_option_id=$(jq -r '.data.node.fieldValueByName.id' start_sprint_exists_data.json)
               echo "START_SPRINT_OPTION_ID=$start_sprint_option_id" >> $GITHUB_ENV
-                
+
             # If there is no start sprint assigned, assign the current start sprint
             if [ "$start_sprint_option_id" == 'null' ]; then
                 # Get current start sprint iteration id
@@ -197,7 +191,7 @@ jobs:
                     }' > start_sprint_option_data.json
                 current_start_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' start_sprint_option_data.json)
                 echo "CURRENT_START_SPRINT_OPTION_ID=$current_start_sprint_option_id" >> $GITHUB_ENV
-            
+
                 # The query below is constructed differently than the ones above due to bash variable syntax + github actions syntax interactions
                 QUERY="mutation {
                     updateProjectV2ItemFieldValue(
@@ -217,7 +211,7 @@ jobs:
                     }"
                 gh api graphql --field query="$QUERY"
             fi
-            
+
             # Assign the current working sprint to the PR (faster/simpler to just overwrite even if it is the same)
             gh api graphql -f query='
             query {
@@ -240,7 +234,7 @@ jobs:
                 }' > working_sprint_options_data.json
             current_working_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' working_sprint_options_data.json)
             echo "CURRENT_WORKING_SPRINT_OPTION_ID=$current_working_sprint_option_id" >> $GITHUB_ENV
-            
+
             # Set the working sprint to the current working sprint
             QUERY="mutation {
                 updateProjectV2ItemFieldValue(
@@ -260,12 +254,10 @@ jobs:
                 }"
             gh api graphql --field query="$QUERY"
         continue-on-error: true
-                  
+
       - name: Sync Linked Issues
         id: sync_linked_issues
         if: github.event_name == 'pull_request_target'
-        env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
         run: |
             # Find the linked issues to the PR
             gh api graphql -f query='
@@ -303,7 +295,7 @@ jobs:
             issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
                                 select(.node.project.id == "${{ env.PROJECT_ID }}") |
                                 .node.id' linked_issues.json)
-            
+
             # For each linked issue, set the status to "In Progress", the Working Sprint to the current working sprint
             # If there's no Start Sprint, set that to the current Start Sprint as well
             for issue_id in $issue_ids; do

.github/workflows/project_automation_set_in_review.yml

@@ -20,7 +20,7 @@ on:
     # Run this action when a PR is opened or edited
     # Issues do not have a graphQL connection to linked PRs so we can't use that event
     types: [ready_for_review, review_requested]
-      
+
 env:
  ORG: ${{ github.event.repository.owner.login }}
  PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -36,16 +36,23 @@ env:
 jobs:
   project_automation_in_review:
     runs-on: ubuntu-latest
-    
+
     steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
       - name: Wait 1 Second
         id: sleep
         run: sleep 1
-        
+
       - name: Get PR Project ID
         id: get_pr_id
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             # Query up to 10 projects for the PR
             gh api graphql -f query='
@@ -70,7 +77,7 @@ jobs:
                   }
                 }
               }' > project_data.json
-            
+
             # Filter the json result to only the project-specific ID for the PR
             # A PR can be in multiple projects so we need to filter by the project ID we want
             pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
@@ -81,8 +88,8 @@ jobs:
 
       - name: Set PR to In Review
         id: set_pr_in_review
-        env: 
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             # Update the PR status to In Review
             gh api graphql -f query='
@@ -107,7 +114,7 @@ jobs:
       - name: Set Linked Issues to In Review
         id: update_linked_issues
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             gh api graphql -f query='
               query {
@@ -144,7 +151,7 @@ jobs:
             issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
                                select(.node.project.id == "${{ env.PROJECT_ID }}") |
                                .node.id' linked_issue_data.json)
-            
+
             # Set Linked Issues to In Review
             for issue_id in $issue_ids; do
               # The query below is constructed differently than the others due to bash variable syntax + github actions syntax interactions

.github/workflows/project_automation_set_roadmap.yml

@@ -22,7 +22,7 @@ on:
   issues:
     # Run this action when an issue is closed
     types: [closed]
-      
+
 env:
  ORG: ${{ github.event.repository.owner.login }}
  PR_NUMBER: ${{ github.event.pull_request.number }} # evaluates to null for issues
@@ -38,13 +38,20 @@ env:
 jobs:
   project_automation_roadmap_on_close:
     runs-on: ubuntu-latest
-    
-    steps:        
+
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
       - name: Get PR Project ID
         if: github.event_name == 'pull_request_target'
         id: get_pr_id
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             # Query up to 10 projects for the PR
             gh api graphql -f query='
@@ -69,20 +76,20 @@ jobs:
                   }
                 }
               }' > project_data.json
-            
+
             # Filter the json result to only the project-specific ID for the PR
             # A PR can be in multiple projects so we need to filter by the project ID we want
             pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
                            select(.node.project.id == "${{ env.PROJECT_ID }}") |
                            .node.id' project_data.json)
             echo "ITEM_ID=$pr_id" >> $GITHUB_ENV
         continue-on-error: true
-    
+
       - name: Get Issue Project ID
         if: github.event_name == 'issues'
         id: get_issue_id
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             # Query up to 10 projects for the Issue
             gh api graphql -f query='
@@ -107,7 +114,7 @@ jobs:
                   }
                 }
               }' > project_data.json
-            
+
             # Filter the json result to only the project-specific ID for the PR
             # A PR can be in multiple projects so we need to filter by the project ID we want
             issue_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
@@ -119,8 +126,8 @@ jobs:
       - name: Get Current Release
         id: get_current_release
         env:
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
-        run: |            
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
             # Get current roadmap id
             # We maintain the roadmap as a single select field in the project, with the first value being the upcoming release
 
@@ -146,8 +153,8 @@ jobs:
 
       - name: Set Item Roadmap
         id: set_item_roadmap
-        env: 
-          GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
             # Perform the mutation to update the Roadmap
             gh api graphql -f query='