
ci: use GitHub app for ephemeral tokens
v1v committed Sep 17, 2024
1 parent 9a12b98 commit 64063fd
Showing 2 changed files with 34 additions and 11 deletions.
24 changes: 18 additions & 6 deletions .github/workflows/pre-post-release.yml
Expand Up @@ -53,17 +53,29 @@ jobs:
runs-on: ubuntu-latest
needs:
- validate-tag
permissions:
contents: write
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
steps:
- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
repositories: >-
["${{github.repository}}"]
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
token: ${{ env.GITHUB_TOKEN }}
token: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/git/setup@v1
with:
github-token: ${{ steps.get_token.outputs.token }}

- name: Create the release tag (post phase)
if: inputs.phase == 'post'
Expand Down Expand Up @@ -95,4 +107,4 @@ jobs:
- name: Create the ${{ inputs.phase }} release PR
run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
env:
GH_TOKEN: ${{ env.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.get_token.outputs.token }}
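Review bot: Dropping the job-level `permissions:` block (the removed `permissions:` / `contents: write` lines near the top of the first hunk) leaves the job's automatic GITHUB_TOKEN at whatever the workflow or repository default grants, which may be broader than the job now needs since every write goes through the app token; unless a workflow-level `permissions:` outside the hunk already restricts it, keep an explicit least-privilege block next to `runs-on`, e.g. `permissions:` / `  contents: read`. The same removal happens in the first hunk of release-step-3.yml. Separately, the `gh pr create` step in the second hunk still interpolates `inputs.pr_title`, `inputs.pr_body` and `env.BRANCH_NAME` straight into the shell command with `${{ }}`, and that command now runs with an app token holding `contents: write` and `pull_requests: write`; passing those values through the step's `env:` and referencing them as quoted shell variables (`"$PR_TITLE"`, `"$PR_BODY"`, `"$BRANCH_NAME"`) keeps them out of the script text. Both jobs begin before their hunks, so any workflow-level permissions are not visible here.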
21 changes: 16 additions & 5 deletions .github/workflows/release-step-3.yml
Expand Up @@ -213,17 +213,28 @@ jobs:
runs-on: ubuntu-latest
needs:
- post-release
permissions:
contents: write
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
steps:
- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write"
}
repositories: >-
["${{github.repository}}"]
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
token: ${{ env.GITHUB_TOKEN }}
token: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/git/setup@v1
with:
github-token: ${{ steps.get_token.outputs.token }}

- name: Update major branch
if: ${{ ! inputs.dry_run }}
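Review bot: The new `elastic/oblt-actions/git/setup@v1` step in this hunk is pinned to a mutable tag while the `tibdex/github-app-token` step a few lines above is pinned to a full commit SHA with a version comment, so the two steps added by this change follow different supply-chain pinning rules. If the project does not deliberately track `v1` for its own org's actions, pin it the same way: `uses: elastic/oblt-actions/git/setup@<commit-sha> # v1`. The same mixed pinning appears in the matching hunk of pre-post-release.yml. A minor style point: `["${{github.repository}}"]` omits the spaces inside `${{ }}` that every other expression in the hunk uses (`${{ inputs.ref }}`).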
