From 3b171e24555c71215c51f88dd639376ef37f8ea9 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Tue, 17 Sep 2024 12:04:10 +0200 Subject: [PATCH 1/2] ci: use GitHub app for ephemeral tokens --- .github/workflows/release.yml | 24 ++++++++++++++++++----- .github/workflows/updateVersionBranch.yml | 23 ++++++++++++++++++---- 2 files changed, 38 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 191978076..ca9ed2891 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -110,16 +110,30 @@ jobs: name: Post Release needs: release runs-on: ubuntu-latest - permissions: - contents: write - env: - GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} steps: + - name: Get token + id: get_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }} + private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }} + permissions: >- + { + "contents": "write", + "pull_requests": "write" + } + repositories: >- + ["${{github.repository}}"] + - uses: actions/checkout@v4 with: ref: ${{ inputs.branch_specifier || 'main' }} - token: ${{ env.GITHUB_TOKEN }} + token: ${{ steps.get_token.outputs.token }} + - uses: elastic/oblt-actions/git/setup@v1 + with: + github-token: ${{ steps.get_token.outputs.token }} + - uses: ./.github/actions/setup - if: ${{ ! inputs.dry_run }} run: ./gradlew postDeploy -Prelease=true -Pversion_override=${{ inputs.version_override_specifier || '' }} diff --git a/.github/workflows/updateVersionBranch.yml b/.github/workflows/updateVersionBranch.yml index 769514b6c..5e5ae4a35 100644 --- a/.github/workflows/updateVersionBranch.yml +++ b/.github/workflows/updateVersionBranch.yml 
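Review bot: The `Post Release` job is left with no `permissions:` block at all once `contents: write` is removed, so its default `GITHUB_TOKEN` falls back to whatever the workflow's top-level block (outside this hunk) or the repository default grants; since checkout and push now go through the app token, pin the job to least privilege with `permissions: contents: read` (or `permissions: {}`), which is what the companion updateVersionBranch.yml change does at workflow level. The new `elastic/oblt-actions/git/setup@v1` step is pinned to a mutable tag while `tibdex/github-app-token` is pinned to a full commit SHA with a version comment; pinning the step that receives the app token the same way, `uses: elastic/oblt-actions/git/setup@<commit-sha> # v1`, keeps the supply-chain posture consistent within the job. The requested app permissions include `"pull_requests": "write"`, yet nothing visible in this hunk opens a pull request — if `./gradlew postDeploy` does not create one, dropping that scope narrows the token further. The job's step list continues past the end of the hunk.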
@@ -9,21 +9,36 @@ on: - closed permissions: - contents: write + contents: read jobs: if_merged_postDeploy: if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'post-release/') runs-on: ubuntu-latest name: Create PR to update version branch - env: - GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} steps: + - name: Get token + id: get_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }} + private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }} + permissions: >- + { + "contents": "write", + "pull_requests": "write" + } + repositories: >- + ["${{github.repository}}"] + - uses: actions/checkout@v4 with: fetch-depth: 0 + token: ${{ steps.get_token.outputs.token }} - uses: elastic/oblt-actions/git/setup@v1 + with: + github-token: ${{ steps.get_token.outputs.token }} - uses: actions-ecosystem/action-regex-match@v2 id: major-version @@ -39,5 +54,5 @@ jobs: git push -u origin $CONFLICT_RESOLUTION_BRANCH gh pr create --base ${{ env.BASE_BRANCH }} --title 'Merge main into version branch' --body 'Created by Github action :robot:' --reviewer elastic/apm-agent-android env: - GH_TOKEN: ${{ env.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.get_token.outputs.token }} BASE_BRANCH: "${{ steps.major-version.outputs.group1 }}.x" \ No newline at end of file From ccb9f1c33f5e85392e31a725b5420e8c82a37d08 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Tue, 17 Sep 2024 12:57:41 +0200 Subject: [PATCH 2/2] Apply suggestions from code review --- .github/workflows/release.yml | 2 +- .github/workflows/updateVersionBranch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ca9ed2891..95de32513 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
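Review bot: The added `elastic/oblt-actions/git/setup@v1` step and the existing `actions/checkout@v4` are pinned to mutable tags, while the new `tibdex/github-app-token` step is pinned to a full commit SHA with a `# v2.1.0` comment; the git/setup step now handles the app token via `github-token`, so pin it the same way, `uses: elastic/oblt-actions/git/setup@<commit-sha> # v1`, so a moved tag cannot change what processes that credential. Lowering the workflow-level `permissions` from `contents: write` to `contents: read` is the right direction and matches the move of write access onto the short-lived app token. Passing `token:` to `actions/checkout` presumably leaves the credential in the checkout's git config for the later `git push` in the second hunk, which is the intent here rather than a defect. The job continues past the end of the hunk.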
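Review bot: The file still ends without a trailing newline (`\ No newline at end of file` after the unchanged `BASE_BRANCH` line), which yamllint's `new-line-at-end-of-file` rule flags and which turns every future append into a two-line diff; add the newline after `BASE_BRANCH: "${{ steps.major-version.outputs.group1 }}.x"`. The `GH_TOKEN` swap to `${{ steps.get_token.outputs.token }}` is consistent with the checkout and git/setup steps in the first hunk. The `run:` block these env values feed starts before the hunk.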
@@ -123,7 +123,7 @@ jobs: "pull_requests": "write" } repositories: >- - ["${{github.repository}}"] + ["apm-agent-android"] - uses: actions/checkout@v4 with: diff --git a/.github/workflows/updateVersionBranch.yml b/.github/workflows/updateVersionBranch.yml index 5e5ae4a35..7fdf0351a 100644 --- a/.github/workflows/updateVersionBranch.yml +++ b/.github/workflows/updateVersionBranch.yml @@ -29,7 +29,7 @@ jobs: "pull_requests": "write" } repositories: >- - ["${{github.repository}}"] + ["apm-agent-android"] - uses: actions/checkout@v4 with:
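Review bot: Replacing `${{github.repository}}` with the literal `["apm-agent-android"]` presumably fixes an owner/name mismatch (the `repositories` input appears to take bare repository names, whereas `github.repository` expands to `owner/name`), but the hard-coded name silently breaks in forks or after a rename; `["${{ github.event.repository.name }}"]` yields the bare name and keeps the token scoped to the repository the workflow runs in. The same applies to the identical change in updateVersionBranch.yml in the second hunk on this line. The token step's `with:` block begins before the hunk.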