From cf1f0df0b3c3d59e7a64ee5f276d9cad6e7df283 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Wed, 18 May 2022 15:05:28 +0200
Subject: [PATCH] ci: use jupyterhub-bot PAT to trigger github workflow on opened PRs
---
 .github/workflows/vuln-scan.yaml | 7 +-----
 .github/workflows/watch-dependencies.yaml | 28 ++---------------------
 2 files changed, 3 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/vuln-scan.yaml b/.github/workflows/vuln-scan.yaml
index 493a095c42..7a629d043d 100644
--- a/.github/workflows/vuln-scan.yaml
+++ b/.github/workflows/vuln-scan.yaml
@@ -21,11 +21,6 @@ jobs:
 trivy_image_scan:
 if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s'
 runs-on: ubuntu-20.04
- # Write permissions granted for the peter-evans/create-pull-request action
- # to push to a branch and create/update a PR
- permissions:
- contents: write
- pull-requests: write
 strategy:
 fail-fast: false
@@ -197,7 +192,7 @@ jobs:
 if: steps.analyze.outputs.proceed == 'yes' && github.event_name != 'pull_request'
 uses: peter-evans/create-pull-request@f094b77505fb89581e68a1163fbd2fffece39da1
 with:
- token: "${{ secrets.GITHUB_TOKEN }}"
+ token: "${{ secrets.jupyterhub_bot_pat }}"
 author: jupyterhub vuln-scan bot
 reviewers: consideratio
 branch: vuln-scan-${{ matrix.image_ref }}
diff --git a/.github/workflows/watch-dependencies.yaml b/.github/workflows/watch-dependencies.yaml
index 74a0997b3c..d717e72e3c 100644
--- a/.github/workflows/watch-dependencies.yaml
+++ b/.github/workflows/watch-dependencies.yaml
@@ -25,12 +25,6 @@ jobs:
 if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s'
 runs-on: ubuntu-20.04
- # Write permissions granted for the peter-evans/create-pull-request action
- # to push to a branch and create/update a PR
- permissions:
- contents: write
- pull-requests: write
-
 strategy:
 fail-fast: false
 matrix:
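Review bot: Deleting the job-level `permissions:` block from `trivy_image_scan` means the job's automatic `GITHUB_TOKEN` falls back to the workflow-level or repository default, which may be read/write. Since branch pushes and PR creation now go through the bot PAT, that token no longer needs write access, so I would narrow the block instead of removing it: `permissions:` with `contents: read` beneath it, plus any other read scope the remaining steps turn out to need. The same applies to the two jobs in watch-dependencies.yaml (hunks `@@ -25,12 +25,6 @@` and `@@ -121,23 +115,11 @@`). Whether a workflow-level `permissions:` key already restricts the token is not visible here, and the job bodies continue outside the hunks.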
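Review bot: The new `token: "${{ secrets.jupyterhub_bot_pat }}"` line in the `@@ -197,7 +192,7 @@` hunk has no comment saying why a personal access token replaces `GITHUB_TOKEN` or what access it is expected to carry, while the commit removes the only comments that explained the step's permission needs. I would add a comment above the line such as `# jupyterhub-bot PAT: PRs opened with GITHUB_TOKEN do not trigger other workflows; keep this token's scopes to the minimum needed to push a branch and open a PR`. The same comment fits the two `token:` lines changed in watch-dependencies.yaml. The step itself starts outside this hunk.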
@@ -112,7 +106,7 @@ jobs:
 if: steps.local.outputs.tag != steps.latest.outputs.tag
 uses: peter-evans/create-pull-request@v4.0.3
 with:
- token: "${{ secrets.github_token }}"
+ token: "${{ secrets.jupyterhub_bot_pat }}"
 branch: update-image-${{ matrix.name }}
 labels: maintenance,dependencies
 commit-message: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
@@ -121,23 +115,11 @@ jobs:
 A new ${{ matrix.repository }} image version has been detected, version `${{ steps.latest.outputs.tag }}`.
-
- Please close and reopen this PR to run tests for now. This PR was
- opened with a `secrets.github_token` and will therefore not trigger
- other workflows to run. This can be resolved if we create a bot
- account and use its personal access token instead.
-
 update-jupyterhub-dependencies:
 # Don't run this job on forks
 if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s'
 runs-on: ubuntu-20.04
- # Write permissions granted for the peter-evans/create-pull-request action
- # to push to a branch and create/update a PR
- permissions:
- contents: write
- pull-requests: write
-
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v3
@@ -180,7 +162,7 @@ jobs:
 if: steps.local.outputs.version != steps.latest.outputs.version
 uses: peter-evans/create-pull-request@v4.0.3
 with:
- token: "${{ secrets.github_token }}"
+ token: "${{ secrets.jupyterhub_bot_pat }}"
 branch: update-jupyterhub
 labels: maintenance,dependencies
 commit-message: Update jupyterhub from ${{ steps.local.outputs.version }} to ${{ steps.latest.outputs.version }}
@@ -188,9 +170,3 @@ jobs:
 body: >-
 A new jupyterhub version has been detected, version `${{ steps.latest.outputs.version }}`.
-
-
- Please close and reopen this PR to run tests for now. This PR was
- opened with a `secrets.github_token` and will therefore not trigger
- other workflows to run. This can be resolved if we create a bot
- account and use its personal access token instead.
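Review bot: The step at `uses: peter-evans/create-pull-request@v4.0.3` in the `@@ -112,7 +106,7 @@` hunk now passes a long-lived bot PAT to a third-party action referenced by a mutable tag, so whatever code that tag points to at run time receives the token. vuln-scan.yaml in this same patch references the action by full commit SHA, and I would do the same here: `uses: peter-evans/create-pull-request@<full-commit-sha-of-v4.0.3>  # v4.0.3` (placeholder, to be filled with the verified SHA). The identical `uses:` line in the `@@ -180,7 +162,7 @@` hunk needs the same change. Both steps begin outside their hunks.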