deploy: allow deploying in forks

It would be nice if we could deploy the Azure Function contingent on the
presence of the `AZURE_CLIENT_ID` secret. However, this is not possible
in GitHub workflows: the job-level `if:` conditions lack access to the
`secrets` context. Strangely enough, they _do_ have access to the `vars`
context...

To successfully deploy the Azure Function, it needs to know which
`gitgitgadget-workflows` fork to target when triggering workflow runs,
anyway, so let's _require_ a repository variable called
`DEPLOY_WITH_WORKFLOWS` that specifies that fork in the form
`<org>/gitgitgadget-workflows`.

Note that such a fork _must_ have the `CONFIG` repository variable that
contains the corresponding project configuration; The `deploy` workflow
will retrieve this configuration and overwrite
`gitgitgadget-config.json` with it, augmenting the `workflowsRepo`
information on the fly.

Also note: In order to read that `CONFIG` repository variable (which for
some unfathomable reason cannot be read via the regular `GITHUB_TOKEN`
available in GitHub workflows...), the GitHub App needs to be installed
on that repository and configured in this here repository via the
`GITGITGADGET_GITHUB_APP_ID` and `GITGITGADGET_GITHUB_APP_PRIVATE_KEY`
secrets. This poses a bit of a Catch-22 because the Azure Function is
expected to already be deployed when the GitHub App is registered, but
the workflow should be used for the initial deployment, too. To
accommodate for that, instead of erroring out, the workflow will merely
warn when the repository variable cannot be read, and continue with the
default configuration instead. Those secrets should be defined directly
after registering the GitHub App.

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

.github/workflows/deploy.yml

@@ -15,11 +15,50 @@ permissions:
 
 jobs:
   deploy:
-    if: github.event.repository.fork == false
+    if: github.event.repository.fork == false || vars.DEPLOY_WITH_WORKFLOWS != ''
     environment: deploy-to-azure
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+      - name: parse DEPLOY_WITH_WORKFLOWS
+        if: vars.DEPLOY_WITH_WORKFLOWS != '' && contains(vars.DEPLOY_WITH_WORKFLOWS, '/')
+        id: parsed
+        env:
+          WORKFLOWS_REPO: '${{ vars.DEPLOY_WITH_WORKFLOWS }}'
+        run: |
+          echo "owner=${WORKFLOWS_REPO%%/*}" >>$GITHUB_OUTPUT &&
+          echo "name=${WORKFLOWS_REPO#*/}" >>$GITHUB_OUTPUT
+      - uses: actions/create-github-app-token@v1
+        if: steps.parsed.outputs.owner != '' && env.GITHUB_APP_ID != '' && env.GITHUB_APP_PRIVATE_KEY != ''
+        id: workflows-repo-token
+        env:
+          GITHUB_APP_ID: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
+          GITHUB_APP_PRIVATE_KEY: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
+        with:
+          app-id: ${{ secrets.GITGITGADGET_GITHUB_APP_ID }}
+          private-key: ${{ secrets.GITGITGADGET_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ steps.parsed.outputs.owner }}
+          repositories: ${{ steps.parsed.outputs.name }}
+      - name: retrieve `vars.CONFIG` from workflows repo
+        if: vars.DEPLOY_WITH_WORKFLOWS != ''
+        env:
+          WORKFLOWS_REPO: '${{ vars.DEPLOY_WITH_WORKFLOWS }}'
+          GH_TOKEN: ${{ steps.workflows-repo-token.outputs.token || secrets.GITHUB_TOKEN }}
+        run: |
+          set -x &&
+          if ! CONFIG="$(gh variable get CONFIG --repo "$WORKFLOWS_REPO")"
+          then
+            echo "::warning::Could not retrieve variable CONFIG from $WORKFLOWS_REPO (please configure GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY)"
+            CONFIG="$(cat GitGitGadget/gitgitgadget-config.json)"
+          fi &&
+          jq '. + {
+            "workflowsRepo": {
+              "owner": "${{ steps.parsed.outputs.owner }}",
+              "name": "${{ steps.parsed.outputs.name }}"
+            }
+          }' <<<"$CONFIG" >GitGitGadget/gitgitgadget-config.json &&
+          echo "Using the following configuration:" &&
+          cat GitGitGadget/gitgitgadget-config.json
       - name: 'Login via Azure CLI'
         uses: azure/login@v2
         with: