Skip to content

Commit

Permalink
github-action: use ephemeral tokens with the required permissions
Browse files Browse the repository at this point in the history
  • Loading branch information
v1v committed Sep 9, 2024
1 parent 2bc17e5 commit f54840b
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions .github/workflows/updatecli.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,18 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
Expand All @@ -27,13 +39,13 @@ jobs:
with:
command: --experimental compose diff
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/updatecli/run@v1
with:
command: --experimental compose apply
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- if: failure()
uses: elastic/oblt-actions/slack/send@v1
Expand Down

0 comments on commit f54840b

Please sign in to comment.