ADR Suggestion Introduce EasyScience GitHub App for CI Automation

[AndrewSazonov]

To automate some tasks in GitHub Actions, we usually rely on the default GitHub bot or personal access tokens. Not all workflows can be implemented this way. Also, personal tokens are not ideal because they are user-specific and need to be individually maintained.

One example is the backmerge workflow described in another ADR (#44). In this case, branch protection rules block direct merges into the develop branch. To allow automation, we need a more advanced mechanism that can bypass branch protection rules in a controlled way.

GitHub supports this via GitHub Apps. A GitHub App can act on its own behalf and use the GitHub API directly, instead of acting as a specific user. This makes it suitable for organization-wide automation with clearly defined permissions.

For this reason, I have created and installed an EasyScience GitHub App for the whole organization (https://github.com/organizations/easyscience/settings/apps/):


• GitHub App name: easyscience

• Repository access: All repositories

To simplify usage, a composite action was created and added to the Copier templates. This allows workflows to authenticate using the EasyScience bot in a standard and reusable way.

Using the same bot for all automation (even for tasks that could use the default GitHub token) also makes the setup more consistent and professional.

Currently, the EasyScience GitHub App has the following permissions enabled (https://github.com/organizations/easyscience/settings/apps/easyscience/permissions):

• Actions: Read and write
• Contents: Read and write
• Metadata: Read-only
• Pull requests: Read and write

To use the EasyScience bot in a workflow, add the following step:

- name: Setup easyscience[bot]
  id: bot
  uses: ./.github/actions/setup-easyscience-bot
  with:
    app-id: ${{ vars.EASYSCIENCE_APP_ID }}
    private-key: ${{ secrets.EASYSCIENCE_APP_KEY }}

This step relies on two organization-wide settings that are already configured for EasyScience:

• Variable EASYSCIENCE_APP_ID
  https://github.com/organizations/easyscience/settings/variables/actions
• Secret EASYSCIENCE_APP_KEY
  https://github.com/organizations/easyscience/settings/secrets/actions

These are shared at the organization level, so individual repositories do not need to define them again.

Example usage can be found here:
https://github.com/easyscience/templates/blob/master/template/.github/workflows/release-pr.yml

The corresponding composite action is located at:
https://github.com/easyscience/templates/blob/master/template/.github/actions/setup-easyscience-bot/action.yml

The EasyScience bot has been tested both on a test project (easypeasy) and on a real project (easydiffraction library).