From f54840bd9d285ef36c1522c53d2517b5a3ddfd97 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Mon, 9 Sep 2024 14:22:15 +0200 Subject: [PATCH] github-action: use ephemeral tokens with the required permissions --- .github/workflows/updatecli.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yml index c942a12..c8f4b4f 100644 --- a/.github/workflows/updatecli.yml +++ b/.github/workflows/updatecli.yml @@ -17,6 +17,18 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Get token + id: get_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }} + private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }} + permissions: >- + { + "contents": "write", + "pull_requests": "write" + } + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io @@ -27,13 +39,13 @@ jobs: with: command: --experimental compose diff env: - GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }} + GITHUB_TOKEN: ${{ steps.get_token.outputs.token }} - uses: elastic/oblt-actions/updatecli/run@v1 with: command: --experimental compose apply env: - GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }} + GITHUB_TOKEN: ${{ steps.get_token.outputs.token }} - if: failure() uses: elastic/oblt-actions/slack/send@v1