From d8662f363b98ea7a499db1f22e81e6a42ae0cdf7 Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Mon, 9 Sep 2024 12:59:28 +0200
Subject: [PATCH] ci: use ephemeral tokens with the required permissions

---
 .github/workflows/bump-opbeans-node.yml | 14 +++++++++++++-
 .github/workflows/create-tag.yml | 13 ++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bump-opbeans-node.yml b/.github/workflows/bump-opbeans-node.yml
index 2df28ad..7715bde 100644
--- a/.github/workflows/bump-opbeans-node.yml
+++ b/.github/workflows/bump-opbeans-node.yml
@@ -22,11 +22,23 @@ jobs:
 node-version: 20
 cache: 'npm'
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >- { "contents": "write", "pull_requests": "write" }
+
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: "--experimental apply --config .ci/bump-opbeans-node.yml"
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: failure()
 uses: elastic/oblt-actions/slack/send@v1
diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml
index e2a11ab..080ffac 100644
--- a/.github/workflows/create-tag.yml
+++ b/.github/workflows/create-tag.yml
@@ -21,6 +21,17 @@ jobs:
 with:
 fetch-depth: 0 # also fetch tags
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >- { "contents": "write" }
+
 - run: make create-release
 env:
- GH_TOKEN: ${{ secrets.CREATE_TAG_TOKEN }}
+ GH_TOKEN: ${{ steps.get_token.outputs.token }}
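Review bot: The token minted in the `Get token` step of bump-opbeans-node.yml is narrowed by `permissions` but not by repository: the `with:` block passes no `repositories` input, and for tibdex/github-app-token v2 an installation token requested without it covers every repository the OBS automation app is installed on, so `contents: write` and `pull_requests: write` here reach further than this bump job needs. Adding `repositories: '["${{ github.event.repository.name }}"]'` under `with:` (check the action's README for whether it expects the short name or `owner/name`) keeps the blast radius of a leaked or log-exposed token to this repository. The now-unreferenced `UPDATECLI_GH_TOKEN` PAT should be revoked at its source and deleted from the repository secrets rather than left orphaned, otherwise the commit reduces exposure on paper only. Worth noting that this action is community-maintained; if the org is standardising on GitHub's own `actions/create-github-app-token`, it takes the same app-id/private-key inputs and also offers repository scoping, and pinning one action in one place is easier than maintaining two copies of this step.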
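Review bot: The new `Get token` step in create-tag.yml gives no hint why an App installation token is used instead of the job's built-in `GITHUB_TOKEN`, which could equally be granted `contents: write` through the workflow `permissions:` block; presumably the reason is that tags and releases created with `GITHUB_TOKEN` do not trigger other workflows, and without saying so a future reader will be tempted to simplify the step away and silently break whatever runs on the new tag. I would add above `- name: Get token`: `# Mint a short-lived GitHub App token instead of using GITHUB_TOKEN: pushes made with GITHUB_TOKEN do not trigger downstream workflows (e.g. builds on the new tag).` As in the other workflow, no `repositories` input scopes the token, so `contents: write` applies to every repository the app is installed on, and the retired `CREATE_TAG_TOKEN` PAT should be revoked and deleted rather than merely unreferenced. `make create-release` is outside the hunk, so I cannot confirm that `contents: write` alone is sufficient for everything it does; if a tag protection rule or ruleset guards release tags, the app must also be on its bypass list, which the token permissions cannot express.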