Revise to use separate workflow with GitHub app

.github/workflows/ci.yaml

@@ -15,75 +15,13 @@ env:
   NODE_OPTIONS: --max_old_space_size=6144
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-permissions: {}
-
 jobs:
-  dedupe:
-    name: Deduplicate dependencies
-    # Skip unless this is a dependabot pull request
-    if: |
-      github.actor == 'dependabot[bot]' &&
-      startsWith(github.head_ref, 'dependabot/npm_and_yarn/')
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    outputs:
-      # Downstream jobs need to use this SHA to get the dedupe commit
-      sha: ${{ steps.get-sha.outputs.sha }}
-    steps:
-      - name: Check out files from GitHub
-        uses: actions/checkout@v3.3.0
-        with:
-          # Checkout PR head instead of merge commit
-          # Use ref, not SHA, so reruns get the dedupe commit
-          ref: ${{ github.event.pull_request.head.ref }}
-      - name: Set up Node ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@v3.6.0
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: yarn
-      - name: Install dependencies
-        # Do not run build scripts as a security measure since job has write permissions
-        run: yarn install --immutable --mode=skip-build
-      - name: Deduplicate dependencies
-        run: yarn dedupe --mode=skip-build
-      - name: Commit changes
-        run: |
-          git config user.name "GitHub Action"
-          git config user.email "github-action@users.noreply.github.com"
-          git add yarn.lock
-          git commit -m "Deduplicate dependencies" || exit 0
-          git push origin "HEAD:${GITHUB_HEAD_REF}"
-          echo "DEDUPED=true" >> "${GITHUB_ENV}"
-      - name: Output updated SHA for merge commit
-        id: get-sha
-        shell: bash
-        timeout-minutes: 15
-        run: |
-          if [[ -v DEDUPED ]]; then
-            echo "Waiting for GitHub to do the mergability check and update the commit SHA..."
-            while [[ -z "${sha}" || "${sha}" == "${GITHUB_SHA}" ]]; do
-              sleep 5s
-              sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}')
-            done
-          else
-            echo "No deduplication required so using current merge commit SHA"
-            # Still need to query remote here in case of rerun where previous attempt was deduplicated
-            sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}')
-          fi
-          echo "Done - SHA is ${sha}"
-          echo "sha=${sha}" >> "${GITHUB_OUTPUT}"
   lint:
     name: Lint and check format
-    needs: dedupe
-    # Allow dedupe job to be skipped
-    if: ${{ !failure() && !cancelled() }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out files from GitHub
         uses: actions/checkout@v3.3.0
-        with:
-          ref: ${{ needs.dedupe.outputs.sha }}
       - name: Set up Node ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v3.6.0
         with:
@@ -103,15 +41,10 @@ jobs:
         run: yarn dedupe --check
   test:
     name: Run tests
-    needs: dedupe
-    # Allow dedupe job to be skipped
-    if: ${{ !failure() && !cancelled() }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out files from GitHub
         uses: actions/checkout@v3.3.0
-        with:
-          ref: ${{ needs.dedupe.outputs.sha }}
       - name: Set up Node ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v3.6.0
         with:
@@ -125,15 +58,11 @@ jobs:
         run: yarn run test
   build:
     name: Build frontend
-    needs: [dedupe, lint, test]
+    needs: [lint, test]
-    # Allow dedupe job to be skipped
-    if: ${{ !failure() && !cancelled() }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out files from GitHub
         uses: actions/checkout@v3.3.0
-        with:
-          ref: ${{ needs.dedupe.outputs.sha }}
       - name: Set up Node ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v3.6.0
         with:
@@ -148,14 +77,10 @@ jobs:
   supervisor:
     name: Build supervisor
     needs: [lint, test]
-    # Allow dedupe job to be skipped
-    if: ${{ !failure() && !cancelled() }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out files from GitHub
         uses: actions/checkout@v3.3.0
-        with:
-          ref: ${{ needs.dedupe.outputs.sha }}
       - name: Set up Node ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v3.6.0
         with:

.github/workflows/dedupe.yaml

@@ -0,0 +1,50 @@
+name: Deduplicate Dependabot
+
+on:
+  push:
+    branches:
+      - dependabot/npm_and_yarn/*
+
+env:
+  NODE_VERSION: 16
+  NODE_OPTIONS: --max_old_space_size=6144
+
+permissions:
+  contents: write
+
+jobs:
+  dedupe:
+    name: Deduplicate dependencies
+    # Only trigger on initial commit from dependabot
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate app token
+        # Use a GitHub app to checkout and commit in order to re-trigger the CI workflow
+        # (because actions with GITHUB_TOKEN do not trigger new events)
+        id: generate_token
+        uses: tibdex/github-app-token@v1.7.0
+        with:
+          app_id: ${{ secrets.HA_COMMITTER_APP_ID }}
+          private_key: ${{ secrets.HA_COMMITTER_PRIVATE_KEY }}
+      - name: Check out files from GitHub
+        uses: actions/checkout@v3.3.0
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Set up Node ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v3.6.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: yarn
+      - name: Install dependencies
+        # Do not run build scripts as a security measure since job has write permissions
+        run: yarn install --immutable --mode=skip-build
+      - name: Deduplicate dependencies
+        run: yarn dedupe --mode=skip-build
+      - name: Commit changes
+        run: |
+          git config user.name "Home Assistant Committer"
+          git config user.email "hello@home-assistant.io"
+          git add yarn.lock
+          git commit -m "Deduplicate dependencies" || exit 0
+          git push origin "HEAD:${GITHUB_HEAD_REF}"