devops: migrate automations to GitHub App (#35273)

.github/workflows/cherry_pick_into_release_branch.yml

@@ -59,10 +59,15 @@ jobs:
         echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_OUTPUT
         git checkout -b "$BRANCH_NAME"
         git push origin $BRANCH_NAME
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+        private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
     - name: Create Pull Request
       uses: actions/github-script@v7
       with:
-        github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        github-token: ${{ steps.app-token.outputs.token }}
         script: |
           const readableCommitHashesList = '${{ github.event.inputs.commit_hashes }}'.split(',').map(hash => `- ${hash}`).join('\n');
           const response = await github.rest.pulls.create({

.github/workflows/pr_check_client_side_changes.yml

@@ -16,10 +16,20 @@ jobs:
     if: github.repository == 'microsoft/playwright'
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+          private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+          repositories: |
+            playwright
+            playwright-python
+            playwright-java
+            playwright-dotnet
       - name: Create GitHub issue
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const currentPlaywrightVersion = require('./package.json').version.match(/\d+\.\d+/)[0];
             const { data } = await github.rest.git.getCommit({
@@ -61,4 +71,4 @@ jobs:
                 issue_number: issueNumber,
                 body: newBody
               })
-            }
+            }

.github/workflows/publish_canary.yml

@@ -72,13 +72,19 @@ jobs:
     - uses: actions/setup-node@v4
       with:
         node-version: 18
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+        private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+        repositories: playwright.dev
     - name: Deploy Canary
       run: bash utils/build/deploy-trace-viewer.sh --canary
       if: contains(github.ref, 'main')
       env:
-        GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}
     - name: Deploy BETA
       run: bash utils/build/deploy-trace-viewer.sh --beta
       if: contains(github.ref, 'release')
       env:
-        GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/publish_release_traceviewer.yml

@@ -14,7 +14,13 @@ jobs:
     - uses: actions/setup-node@v4
       with:
         node-version: 18
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+        private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+        repositories: playwright.dev
     - name: Deploy Stable
       run: bash utils/build/deploy-trace-viewer.sh --stable
       env:
-        GH_SERVICE_ACCOUNT_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        GH_SERVICE_ACCOUNT_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/roll_browser_into_playwright.yml

@@ -49,10 +49,15 @@ jobs:
         git add .
         git commit -m "feat(${BROWSER}): roll to r${REVISION}"
         git push origin $BRANCH_NAME --force
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+        private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
     - name: Create Pull Request
       uses: actions/github-script@v7
       with:
-        github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        github-token: ${{ steps.app-token.outputs.token }}
         script: |
           const response = await github.rest.pulls.create({
             owner: 'microsoft',

.github/workflows/roll_driver_nodejs.yml

@@ -33,11 +33,16 @@ jobs:
           git add .
           git commit -m "chore(driver): roll driver to recent Node.js LTS version"
           git push origin $BRANCH_NAME
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+          private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
       - name: Create Pull Request
         if: ${{ steps.prepare-branch.outputs.HAS_CHANGES == '1' }}
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.pulls.create({
               owner: 'microsoft',

.github/workflows/trigger_tests.yml

@@ -11,6 +11,12 @@ jobs:
     name: "trigger"
     runs-on: ubuntu-24.04
     steps:
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
+        private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
+        repositories: playwright-browsers
     - run: |
         curl -X POST \
           -H "Accept: application/vnd.github.v3+json" \
@@ -18,4 +24,4 @@ jobs:
           --data "{\"event_type\": \"playwright_tests\", \"client_payload\": {\"ref\": \"${GITHUB_SHA}\"}}" \
           https://api.github.com/repos/microsoft/playwright-browsers/dispatches
       env:
-        GH_TOKEN: ${{ secrets.REPOSITORY_DISPATCH_PERSONAL_ACCESS_TOKEN }}
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}