GitHub Token
Previously all of the workflows used secrets.GITHUB_TOKEN. In the end the
de-privileged nature of this token proved to be too much and this change
migrates the workflows to use a bot-specific token instead.

Signed-off-by: Ben Hale <[email protected]>
nebhale committed Nov 3, 2020
1 parent 480d302 commit 7c57515
Showing 15 changed files with 41 additions and 25 deletions.
6 changes: 4 additions & 2 deletions .github/pipeline-descriptor.yml
@@ -1,11 +1,13 @@
github_token: ${{ secrets.JAVA_GITHUB_TOKEN }}

codeowners:
- path: "*"
owner: "@paketo-buildpacks/java-buildpacks"

docker_credentials:
- registry: ghcr.io
username: ${{ secrets.JAVA_GHCR_USERNAME }}
password: ${{ secrets.JAVA_GHCR_TOKEN }}
username: ${{ secrets.JAVA_GITHUB_USERNAME }}
password: ${{ secrets.JAVA_GITHUB_TOKEN }}

actions:
- source: adopt-openjdk-dependency
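Review bot: Reusing `JAVA_GITHUB_TOKEN` as the `ghcr.io` `password:` under `docker_credentials` (replacing `JAVA_GHCR_TOKEN`) folds the registry credential and the repo/workflow credential into a single secret. Any job that only needs to push images now also holds a token with `repo` and `workflow` scope, so a leak from that path has a wider blast radius than before. Consider keeping a separate, registry-only token for `docker_credentials`, or at least record the trade-off in the commit message.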
6 changes: 3 additions & 3 deletions .github/workflows/update-pipeline.yml
@@ -9,7 +9,6 @@ jobs:
runs-on:
- ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: "1.15"
@@ -20,6 +19,7 @@ jobs:
set -euo pipefail
GO111MODULE=on go get -u -ldflags="-s -w" github.com/paketo-buildpacks/pipeline-builder/cmd/octo
- uses: actions/checkout@v2
- id: pipeline
name: Update Pipeline
run: |
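Review bot: Moving `actions/checkout@v2` below the `go get` step is harmless, but `GO111MODULE=on go get -u ... /cmd/octo` still resolves whatever the latest `pipeline-builder` is at run time, and this job now runs with a token carrying `repo` and `workflow` scope rather than the per-job `GITHUB_TOKEN`. Pinning octo to a tagged version (`.../cmd/octo@vX.Y.Z`) would keep an unreviewed upstream change from executing with those privileges.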
@@ -56,7 +56,7 @@ jobs:
echo "::set-output name=release-notes::${RELEASE_NOTES//$'\n'/%0A}"
env:
DESCRIPTOR: .github/pipeline-descriptor.yml
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.JAVA_GITHUB_TOKEN }}
- uses: peter-evans/create-pull-request@v3
with:
body: |-
@@ -75,4 +75,4 @@ jobs:
labels: semver:patch, type:task
signoff: true
title: Bump pipeline from ${{ steps.pipeline.outputs.old-version }} to ${{ steps.pipeline.outputs.new-version }}
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.JAVA_GITHUB_TOKEN }}
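Review bot: Switching the `create-pull-request` `token:` to a PAT changes behaviour as well as permissions: pull requests opened with `secrets.GITHUB_TOKEN` do not trigger other workflows, whereas pull requests opened with a PAT do, so the `Bump pipeline ...` PRs will now run this repository's CI as the bot user. That is presumably the point of "de-privileged ... too much" in the commit message, but it is worth a sentence in the README so maintainers know automated PRs now execute workflows.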
11 changes: 10 additions & 1 deletion README.md
@@ -10,6 +10,7 @@ The Pipeline Builder is a collection of tools related to GitHub Actions and othe
- [Pipeline Updater](#pipeline-updater)
- [Release Drafter](#release-drafter)
- [Descriptor](#descriptor)
- [`github_token` (REQUIRED)](#github_token-required)
- [`codeowners`](#codeowners)
- [`package`](#package)
- [`builder`](#builder)
@@ -88,7 +89,15 @@ A pipeline-updating workflow is added to the repository to ensure that workflows
Draft release notes are created on every commit to `main`. These notes take into account every PR since the previous release in order to create a division of the types of changes that were made and the semver scope of the change to work out the next release number.

### Descriptor
The descriptor is a YAML document with a number of top-level keys that correspond to new workflows, modified workflows, or artifacts. All top-level keys are optional.
The descriptor is a YAML document with a number of top-level keys that correspond to new workflows, modified workflows, or artifacts. All top-level keys except `github_token` are optional.

#### `github_token` (REQUIRED)
```yaml
github_token: ${{ secrets.JAVA_GITHUB_TOKEN }}
```
`github_token` represents the token to be used in the many places where the GitHub API access is required. The token must be granted the `repo`, `write:packages`, and `workflow` scopes.

![Token Scopes](token-scopes.png)

#### `codeowners`
```yaml
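Review bot: The new `github_token` section names the `repo`, `write:packages` and `workflow` scopes but not what they imply. Unlike `secrets.GITHUB_TOKEN`, which is minted per job and scoped to the current repository, a PAT with `repo` scope is long-lived and reaches every repository the bot account can access. Suggest adding a sentence recommending a dedicated bot account whose membership is limited to the repositories it maintains, plus a rotation procedure, and listing the scopes in text rather than only in `token-scopes.png` so the requirement stays greppable.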
10 changes: 5 additions & 5 deletions octo/builder_dependencies.go
@@ -64,7 +64,7 @@ func ContributeBuilderDependencies(descriptor Descriptor) ([]Contribution, error
}
}

if c, err := contributeLifecycle(); err != nil {
if c, err := contributeLifecycle(descriptor); err != nil {
return nil, err
} else {
contributions = append(contributions, c)
@@ -118,7 +118,7 @@ func contributeBuildImage(descriptor Descriptor, image string, classifier string
{
Uses: "peter-evans/create-pull-request@v3",
With: map[string]interface{}{
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
"commit-message": fmt.Sprintf(`Bump %[1]s from ${{ steps.build-image.outputs.old-version }} to ${{ steps.build-image.outputs.new-version }}
Bumps %[1]s from ${{ steps.build-image.outputs.old-version }} to ${{ steps.build-image.outputs.new-version }}.`, image),
@@ -142,7 +142,7 @@ Bumps %[1]s from ${{ steps.build-image.outputs.old-version }} to ${{ steps.build
return NewActionContribution(w)
}

func contributeLifecycle() (Contribution, error) {
func contributeLifecycle(descriptor Descriptor) (Contribution, error) {
w := actions.Workflow{
Name: "Update Lifecycle",
On: map[event.Type]event.Event{
@@ -177,7 +177,7 @@ func contributeLifecycle() (Contribution, error) {
"glob": `lifecycle-v[^+]+\+linux\.x86-64\.tgz`,
"owner": "buildpacks",
"repository": "lifecycle",
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
},
},
{
@@ -191,7 +191,7 @@ func contributeLifecycle() (Contribution, error) {
{
Uses: "peter-evans/create-pull-request@v3",
With: map[string]interface{}{
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
"commit-message": `Bump lifecycle from ${{ steps.lifecycle.outputs.old-version }} to ${{ steps.lifecycle.outputs.new-version }}
Bumps lifecycle from ${{ steps.lifecycle.outputs.old-version }} to ${{ steps.lifecycle.outputs.new-version }}.`,
2 changes: 1 addition & 1 deletion octo/buildpack_dependencies.go
@@ -75,7 +75,7 @@ func ContributeBuildpackDependencies(descriptor Descriptor) ([]Contribution, err
}, {
Uses: "peter-evans/create-pull-request@v3",
With: map[string]interface{}{
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
"commit-message": fmt.Sprintf(`Bump %[1]s from ${{ steps.buildpack.outputs.old-version }} to ${{ steps.buildpack.outputs.new-version }}
Bumps %[1]s from ${{ steps.buildpack.outputs.old-version }} to ${{ steps.buildpack.outputs.new-version }}.`, d.Name),
2 changes: 1 addition & 1 deletion octo/create_builder.go
@@ -77,7 +77,7 @@ func ContributeCreateBuilder(descriptor Descriptor) (*Contribution, error) {
Run: statikString("/update-release-digest.sh"),
Env: map[string]string{
"DIGEST": "${{ steps.builder.outputs.digest }}",
"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
"GITHUB_TOKEN": descriptor.GitHubToken,
},
},
},
2 changes: 1 addition & 1 deletion octo/create_package.go
@@ -110,7 +110,7 @@ func ContributeCreatePackage(descriptor Descriptor) (*Contribution, error) {
Run: statikString("/update-release-digest.sh"),
Env: map[string]string{
"DIGEST": "${{ steps.package.outputs.digest }}",
"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
"GITHUB_TOKEN": descriptor.GitHubToken,
},
},
},
5 changes: 5 additions & 0 deletions octo/descriptor.go
@@ -27,6 +27,7 @@ import (
)

type Descriptor struct {
GitHubToken string `yaml:"github_token"`
Path string
CodeOwners []CodeOwner
Builder *Builder
@@ -101,6 +102,10 @@ func NewDescriptor(path string) (Descriptor, error) {
return Descriptor{}, fmt.Errorf("unable to decode descriptor from %s\n%w", path, err)
}

if d.GitHubToken == "" {
return Descriptor{}, fmt.Errorf("github_token is required")
}

if d.Path == "" {
d.Path = ".."
}
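Review bot: The new check `if d.GitHubToken == ""` only rejects an empty value. Because `GitHubToken` is written verbatim into the generated workflow YAML (`"token": descriptor.GitHubToken` elsewhere in this change), a descriptor holding a literal token instead of a `${{ secrets.X }}` expression would end up committed into `.github/workflows`. Consider also rejecting values that do not look like an expression, e.g. `if !strings.HasPrefix(d.GitHubToken, "${{") { return Descriptor{}, fmt.Errorf("github_token must be a ${{ secrets.* }} expression") }`, so the generator never persists a raw credential.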
4 changes: 2 additions & 2 deletions octo/draft_release.go
@@ -88,7 +88,7 @@ func ContributeDraftRelease(descriptor Descriptor) ([]Contribution, error) {
{
Id: "release-drafter",
Uses: "release-drafter/release-drafter@v5",
Env: map[string]string{"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"},
Env: map[string]string{"GITHUB_TOKEN": descriptor.GitHubToken},
},
},
},
@@ -141,7 +141,7 @@ func ContributeDraftRelease(descriptor Descriptor) ([]Contribution, error) {
Name: "Update draft release with buildpack information",
Run: statikString("/update-draft-release-buildpack.sh"),
Env: map[string]string{
"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
"GITHUB_TOKEN": descriptor.GitHubToken,
"RELEASE_ID": "${{ steps.release-drafter.outputs.id }}",
"RELEASE_TAG_NAME": "${{ steps.release-drafter.outputs.tag_name }}",
"RELEASE_NAME": "${{ steps.release-drafter.outputs.name }}",
4 changes: 2 additions & 2 deletions octo/labels.go
@@ -25,7 +25,7 @@ import (
"github.com/paketo-buildpacks/pipeline-builder/octo/labels"
)

func ContributeLabels() ([]Contribution, error) {
func ContributeLabels(descriptor Descriptor) ([]Contribution, error) {
var contributions []Contribution

l := []labels.Label{
@@ -100,7 +100,7 @@ func ContributeLabels() ([]Contribution, error) {
},
{
Uses: "micnncim/action-label-syncer@v1",
Env: map[string]string{"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"},
Env: map[string]string{"GITHUB_TOKEN": descriptor.GitHubToken},
},
},
},
4 changes: 2 additions & 2 deletions octo/octo.go
@@ -94,7 +94,7 @@ func (o Octo) Contribute() error {
contributions = append(contributions, c...)
}

if c, err := ContributeLabels(); err != nil {
if c, err := ContributeLabels(descriptor); err != nil {
return err
} else {
contributions = append(contributions, c...)
@@ -118,7 +118,7 @@ func (o Octo) Contribute() error {
contributions = append(contributions, *c)
}

if c, err := ContributeUpdatePipeline(); err != nil {
if c, err := ContributeUpdatePipeline(descriptor); err != nil {
return err
} else {
contributions = append(contributions, c)
2 changes: 1 addition & 1 deletion octo/package_dependencies.go
@@ -103,7 +103,7 @@ func contributePackageDependency(descriptor Descriptor, name string) (Contributi
{
Uses: "peter-evans/create-pull-request@v3",
With: map[string]interface{}{
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
"commit-message": fmt.Sprintf(`Bump %[1]s from ${{ steps.package.outputs.old-version }} to ${{ steps.package.outputs.new-version }}
Bumps %[1]s from ${{ steps.package.outputs.old-version }} to ${{ steps.package.outputs.new-version }}.`, name),
2 changes: 1 addition & 1 deletion octo/statik/statik.go

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions octo/update_pipeline.go
@@ -23,7 +23,7 @@ import (
"github.com/paketo-buildpacks/pipeline-builder/octo/actions/event"
)

func ContributeUpdatePipeline() (Contribution, error) {
func ContributeUpdatePipeline(descriptor Descriptor) (Contribution, error) {
w := actions.Workflow{
Name: "Update Pipeline",
On: map[event.Type]event.Event{
@@ -51,14 +51,14 @@ func ContributeUpdatePipeline() (Contribution, error) {
Name: "Update Pipeline",
Run: statikString("/update-pipeline.sh"),
Env: map[string]string{
"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
"GITHUB_TOKEN": descriptor.GitHubToken,
"DESCRIPTOR": filepath.Join(".github", "pipeline-descriptor.yml"),
},
},
{
Uses: "peter-evans/create-pull-request@v3",
With: map[string]interface{}{
"token": "${{ secrets.GITHUB_TOKEN }}",
"token": descriptor.GitHubToken,
"commit-message": `Bump pipeline from ${{ steps.pipeline.outputs.old-version }} to ${{ steps.pipeline.outputs.new-version }}
Bumps pipeline from ${{ steps.pipeline.outputs.old-version }} to ${{ steps.pipeline.outputs.new-version }}.`,
Binary file added token-scopes.png

0 comments on commit 7c57515
