diff --git a/.github/workflows/post_release_version_bump.yml b/.github/workflows/post_release_version_bump.yml
index 1a02e0b1a..6d53768c5 100644
--- a/.github/workflows/post_release_version_bump.yml
+++ b/.github/workflows/post_release_version_bump.yml
@@ -7,7 +7,11 @@ on: description: 'Version number (e.g., 1.0.1)' required: true +env: + AWS_DEFAULT_REGION: us-east-1 + permissions: + id-token: write contents: write pull-requests: write
@@ -31,7 +35,7 @@ jobs: run: | CURRENT_VERSION=$(grep '__version__' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py | sed -E 's/__version__ = "([0-9]+\.[0-9]+)\.[0-9]+.*"/\1/') echo "CURRENT_MAJOR_MINOR_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV - + - name: Set major and minor for current version run: | echo "CURRENT_MAJOR=$(echo $CURRENT_MAJOR_MINOR_VERSION | cut -d. -f1)" >> $GITHUB_ENV
@@ -48,16 +52,31 @@ jobs: echo "Input version is behind main's current major.minor version, don't need to update major version" exit 1 fi - + prepare-main: runs-on: ubuntu-latest needs: check-version steps: + - name: Configure AWS credentials for BOT secrets + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + + - name: Get Bot secrets + uses: aws-actions/aws-secretsmanager-get-secrets@v1 + id: bot_secrets + with: + secret-ids: | + BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }} + parse-json-secrets: true + + - name: Setup Git uses: actions/checkout@v2 with: fetch-depth: 0 + token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }} - name: Configure Git run: |
@@ -88,7 +107,7 @@ jobs: - name: Create Pull Request to main env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }} run: | DEV_VERSION="${{ github.event.inputs.version }}.dev0" gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \ 
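Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this file — including `check-version`, which `prepare-main` waits on and which appears only to inspect `version.py` — gets an OIDC token able to assume the Secrets Manager role, although only `prepare-main` uses it. Move the grant to that job: under `prepare-main:` add `permissions:` with `id-token: write`, `contents: write` and `pull-requests: write`, and drop `id-token: write` from the top-level block. pre_release_prepare.yml (first hunk on the next line) adds the same workflow-level grant and should be narrowed the same way. The `on:` and `permissions:` blocks begin or continue outside this hunk.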
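Review bot: The bot PAT retrieved from Secrets Manager is passed to `actions/checkout@v2` as `token:`, and checkout stores that token in the workspace `.git/config` by default, so every later step of `prepare-main` can read a read/write PAT instead of the job-scoped `GITHUB_TOKEN`; if the later `git push` relies on it keep it, otherwise set `persist-credentials: false` and supply the token only to the steps that need it. `actions/checkout@v2` is also an older major than the `@v3` the sibling workflow uses; the two should agree, and pinning the three third-party actions to a commit SHA instead of a mutable tag would protect this job, which now holds live credentials, from a tag move. The alias in `BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }}` has a space before the comma; I cannot confirm the action trims it, and if it does not the exported variable will not be named `BOT_TOKEN_GITHUB_RW_PATOKEN`, so write `BOT_TOKEN,${{ secrets.BOT_TOKEN_SECRET_ARN }}`. pre_release_prepare.yml (first hunk on the next line) has the same steps and the same alias spacing. The `prepare-main` job continues outside this hunk.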
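Review bot: `GITHUB_TOKEN` for `gh pr create` now resolves to the bot PAT, while the same `run:` script still interpolates `${{ github.event.inputs.version }}` directly into shell on the `DEV_VERSION=` line, so a malformed dispatch input is evaluated by the shell in a step holding that token rather than the job-scoped default. Bind the input through the step's `env:` (e.g. `INPUT_VERSION: ${{ github.event.inputs.version }}`) and use `DEV_VERSION="${INPUT_VERSION}.dev0"`, or reuse `$VERSION`, which the title on the next line already consumes, if it holds the same value. Opening the PR with a PAT instead of `secrets.GITHUB_TOKEN` also lets the new PR trigger `pull_request` workflows, which the default token intentionally cannot; a comment above `GITHUB_TOKEN:` such as `# bot PAT so the PR runs CI; the default token would not trigger workflows` records that this is the intent. pre_release_prepare.yml (second hunk on the next line) makes the same swap, though its script uses `${VERSION}` rather than an inline input. The `run:` block continues outside this hunk.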
diff --git a/.github/workflows/pre_release_prepare.yml b/.github/workflows/pre_release_prepare.yml
index 426a911e8..a6f83cc73 100644
--- a/.github/workflows/pre_release_prepare.yml
+++ b/.github/workflows/pre_release_prepare.yml
@@ -11,19 +11,38 @@ on: required: true default: 'false' +env: + AWS_DEFAULT_REGION: us-east-1 + permissions: contents: write pull-requests: write + id-token: write jobs: update-version-and-create-pr: runs-on: ubuntu-latest steps: + - name: Configure AWS credentials for BOT secrets + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + + - name: Get Bot secrets + uses: aws-actions/aws-secretsmanager-get-secrets@v1 + id: bot_secrets + with: + secret-ids: | + BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }} + parse-json-secrets: true + + - name: Checkout main branch uses: actions/checkout@v3 with: ref: 'main' + token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }} - name: Setup Git run: |
@@ -77,7 +96,7 @@ jobs: - name: Create pull request against the release branch env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }} run: | gh pr create --title "Pre-release: Update version to ${VERSION}" \ --body "This PR updates the version to ${VERSION}.
diff --git a/.github/workflows/release_build.yml b/.github/workflows/release_build.yml
index 0765f45b9..2f8236374 100644
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@@ -44,7 +44,7 @@ jobs: - name: Configure AWS credentials for PyPI secrets uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_ROLE_ARN_PYPI_RELEASE }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }} aws-region: ${{ env.AWS_DEFAULT_REGION }} - name: Get PyPI secrets
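Review bot: Pointing this step at `AWS_ROLE_ARN_SECRETS_MANAGER` makes one IAM role the path to both the PyPI publishing secrets fetched below and the bot GitHub PAT fetched by pre_release_prepare.yml and post_release_version_bump.yml, so a compromise of any one of the three jobs reaches every credential the role can read. If sharing the role is intended, the secrets' resource policies and the role's trust policy should restrict each secret to the workflow that needs it (repository, ref and job conditions on the OIDC claims); neither policy is visible here, so treat this as a question for the infrastructure side. A comment above `role-to-assume:` such as `# shared Secrets Manager role, also used by the pre/post-release workflows` would make the coupling visible, and `AWS_ROLE_ARN_PYPI_RELEASE` can be removed from repository secrets if nothing else references it.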