From e4155ba322f7fbe23b093ec189cd050aad808a07 Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Tue, 17 Sep 2024 13:12:52 +0200
Subject: [PATCH] github-action: use ephemeral tokens with the required permissions (#14010)
(cherry picked from commit abb9a9b091271ee0128c2306538bc62118cccce9)
# Conflicts:
# .github/workflows/update-compose.yml
---
 .github/workflows/bump-elastic-stack.yml | 14 +++++++++++++-
 .github/workflows/bump-golang.yml | 16 ++++++++++++++--
 .github/workflows/update-beats.yml | 14 +++++++++++++-
 .github/workflows/update-compose.yml | 20 ++++++++++++++++++--
 4 files changed, 58 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/bump-elastic-stack.yml b/.github/workflows/bump-elastic-stack.yml
index 30cf8c90559..9dd689165e9 100644
--- a/.github/workflows/bump-elastic-stack.yml
+++ b/.github/workflows/bump-elastic-stack.yml
@@ -30,12 +30,24 @@ jobs:
 with:
 ref: ${{ matrix.branch }}
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-elastic-stack-snapshot.yml --values .ci/updatecli/values.d/scm.yml
 env:
 BRANCH: ${{ matrix.branch }}
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
diff --git a/.github/workflows/bump-golang.yml b/.github/workflows/bump-golang.yml
index 36fb7b02f29..e1f704a363d 100644
--- a/.github/workflows/bump-golang.yml
+++ b/.github/workflows/bump-golang.yml
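Review bot: The same twelve-line `Get token` step is pasted verbatim into this hunk and again into the bump-golang, update-beats and update-compose hunks; a single reusable step (for example a composite action kept in the repository) would hold the App id, the private-key secret and the permissions JSON in one place, so a later narrowing of `"contents"` / `"pull_requests"` cannot drift between files. This diff removes every visible use of `secrets.UPDATECLI_GH_TOKEN`, but other workflows are not shown; once no reference remains, the PAT behind that secret should be revoked and the repository secret deleted, otherwise the standing credential this change is meant to retire stays valid. The job that contains this step starts before the hunk.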
@@ -41,11 +41,23 @@ jobs:
 - uses: actions/checkout@v4
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 GITHUB_BRANCH: 'main'
 GITHUB_LABELS: ${{ needs.labels.outputs.backports }}
@@ -62,7 +74,7 @@ jobs:
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 GITHUB_BRANCH: '7.17'
 GITHUB_LABELS: 'backport-skip'
diff --git a/.github/workflows/update-beats.yml b/.github/workflows/update-beats.yml
index 70a5f531355..43d482f77ca 100644
--- a/.github/workflows/update-beats.yml
+++ b/.github/workflows/update-beats.yml
@@ -30,6 +30,18 @@ jobs:
 with:
 ref: ${{ matrix.branch }}
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
@@ -39,7 +51,7 @@ jobs:
 command: --experimental apply --config .ci/updatecli/update-beats.yml --values .ci/updatecli/values.d/scm.yml
 env:
 BRANCH_NAME: ${{ matrix.branch }}
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
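Review bot: The second bump-golang.yml hunk (`@@ -62,7 +74,7 @@`) switches `GITHUB_TOKEN` to `${{ steps.get_token.outputs.token }}` without any `Get token` step being added near it; the `GITHUB_BRANCH: '7.17'` / `GITHUB_LABELS: 'backport-skip'` pair reads like a separate job from the `'main'` one at line 41, and `steps.*` outputs do not cross job boundaries, so if that is the case the expression resolves to an empty string and updatecli runs with no credential at all. If the 7.17 run is a distinct job, the same `Get token` step needs to precede its updatecli step; if it is the same job, a short comment such as `# token minted by the get_token step above` would make the reuse explicit. Both enclosing jobs begin outside the hunk, so the boundary cannot be confirmed from the diff alone.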
diff --git a/.github/workflows/update-compose.yml b/.github/workflows/update-compose.yml
index e9abe45779d..f7acba6dc7a 100644
--- a/.github/workflows/update-compose.yml
+++ b/.github/workflows/update-compose.yml
@@ -18,7 +18,23 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+<<<<<<< HEAD
 - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+=======
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
+ - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+>>>>>>> abb9a9b09 (github-action: use ephemeral tokens with the required permissions (#14010))
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -28,13 +44,13 @@ jobs:
 with:
 command: --experimental compose diff
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental compose apply
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
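Review bot: The update-compose.yml hunk commits unresolved merge-conflict markers: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> abb9a9b09 (…)` are added lines in the workflow file, and the `# Conflicts:` trailer in the commit message confirms the cherry-pick was not finished. As committed the file is not valid YAML, so GitHub will refuse to load the workflow and neither the old PAT nor the new App token is ever used; the compose `diff` / `apply` steps in the second hunk are then never reached. Resolve by keeping the `Get token` step, keeping exactly one `docker/login-action` line (HEAD's `0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0` or the incoming `9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0`) and deleting the three marker lines. The login step's `with:` block continues as context after the markers, so the resolved file should still have `with:` directly under the surviving `docker/login-action` line.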