From 71d00f2e3e10225ff0f335b90175065d181cc6f3 Mon Sep 17 00:00:00 2001
From: andrew
Date: Fri, 18 Dec 2020 12:03:44 -0700
Subject: [PATCH] Tweak wording and secrets
---
 .github/workflows/README.md | 4 +++-
 .github/workflows/automerge.yml | 2 +-
 .github/workflows/cla.yml | 2 +-
 .github/workflows/version.yml | 4 ++--
 README.md | 2 +-
 5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index e78b661c60d6..ff6727d674c0 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -4,7 +4,9 @@
 1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
 1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
 1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
-1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash to prevent a modification of underlying source code at that version.
+1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
+ 1. **Bad:** `hmarr/auto-approve-action@v2.0.0` Relies on the tag
+ 1. **Good:** `hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd` Explicit Git hash
 1. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement
 1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
 1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 7ebed6a2ce1e..b1faf6401c64 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -24,7 +24,7 @@ jobs:
 uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
- if: github.event.label.name == 'automerge' && github.actor == 'botify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
+ if: github.event.label.name == 'automerge' && github.actor == 'OSBotify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
 - name: Check for an auto merge
 # Version: 0.12.0
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 5e7c1766d0a9..4c695e248b93 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -16,7 +16,7 @@ jobs:
 uses: cla-assistant/github-action@5a4ef1e1a1f75bceafd9b12704f8a6da576bcf14
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PERSONAL_ACCESS_TOKEN : ${{ secrets.BOTIFY_TOKEN }}
+ PERSONAL_ACCESS_TOKEN : ${{ secrets.OS_BOTIFY_TOKEN }}
 with:
 path-to-signatures: '${{ github.repository }}/cla.json'
 path-to-document: 'https://github.com/${{ github.repository }}/blob/master/CLA.md'
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index a8276384d3c9..c1be3a70324e 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
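Review bot: The tightened guard on the new `if:` line still keys on `github.actor`, which for a label-triggered run (the `github.event.label.name` check implies a `labeled` event; the trigger itself is above the hunk) is the account that applied the label rather than the PR author, so any PR the OSBotify account labels satisfies this clause regardless of who opened it. If the intent is to auto-approve only bot-authored version bumps, pair it with `github.event.pull_request.user.login == 'OSBotify'`. The `files_updated` comparison also depends on the exact order in which the `changed` step (outside the hunk) joins its output; a comment above the step, e.g. `# compared against an exact, space-separated list below — the version bump must touch only these files`, would make that contract explicit. As a point of style, the condition is one ~300-character line; a folded `if: >-` block with one clause per line would make the allow-list reviewable.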
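Review bot: Switching the `PERSONAL_ACCESS_TOKEN` line to `secrets.OS_BOTIFY_TOKEN` only works once a repository secret of that name exists; an unset secret expands to an empty string instead of failing the run, so this hunk and the two `BOTIFY_TOKEN` → `OS_BOTIFY_TOKEN` changes in `version.yml` should land after the new secret is created. While touching the line, drop the stray space before the colon, `PERSONAL_ACCESS_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}` — YAML strips it from the key, but it reads as a typo and yamllint's `colons` rule flags it. Since this PAT is handed to a third-party action, it is worth confirming it carries only the scopes cla-assistant needs, per the README rule on tightly scoped secrets.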
@@ -13,7 +13,7 @@ jobs:
 - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 with:
 fetch-depth: 0
- token: ${{ secrets.BOTIFY_TOKEN }}
+ token: ${{ secrets.OS_BOTIFY_TOKEN }}
 - name: Setup Node
 uses: actions/setup-node@v1
@@ -52,7 +52,7 @@ jobs:
 source_branch: version-bump-${{ github.sha }}
 destination_branch: "master"
 pr_label: "automerge"
- github_token: ${{ secrets.BOTIFY_TOKEN }}
+ github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
 # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
 # the other workflows with the same change
diff --git a/README.md b/README.md
index d483dbc98bd5..9cb6e3d5cbf5 100644
--- a/README.md
+++ b/README.md
@@ -257,7 +257,7 @@ The GitHub workflows require a large list of secrets to deploy, notify and test
 3. `ios/chat_expensify_appstore.mobileprovision`
 4. `ios/Certificates.p12.gpg`
 2. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
-3. `BOTIFY_TOKEN` - Personal access token for @Botify user in GitHub
+3. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
 4. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 5. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 6. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`