This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: use GitHub app for ephemeral tokens
v1v committed Sep 17, 2024

Verified

This commit was signed with the committer’s verified signature.
v1v Victor Martinez
1 parent 9a12b98 commit 64063fd
Showing 2 changed files with 34 additions and 11 deletions.
24 changes: 18 additions & 6 deletions .github/workflows/pre-post-release.yml
@@ -53,17 +53,29 @@ jobs:
runs-on: ubuntu-latest
needs:
- validate-tag
permissions:
contents: write
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
steps:
- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
repositories: >-
["${{github.repository}}"]
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
token: ${{ env.GITHUB_TOKEN }}
token: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/git/setup@v1
with:
github-token: ${{ steps.get_token.outputs.token }}

- name: Create the release tag (post phase)
if: inputs.phase == 'post'
@@ -95,4 +107,4 @@ jobs:
- name: Create the ${{ inputs.phase }} release PR
run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
env:
GH_TOKEN: ${{ env.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.get_token.outputs.token }}
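Review bot: The `gh pr create` step in the second hunk still expands `${{ inputs.pr_title }}` and `${{ inputs.pr_body }}` straight into the `run:` script, and after this change the same step carries an app token scoped to `contents: write` and `pull_requests: write`. Expression text is substituted before the shell parses the line, so shell metacharacters in a title or body would be interpreted as script; how much that matters depends on who can set these inputs, which is not visible here. Pass the values through the step's `env:` instead, e.g. `PR_TITLE: ${{ inputs.pr_title }}` and `PR_BODY: ${{ inputs.pr_body }}`, and call `gh pr create --title "$PR_TITLE" --base main --head "$BRANCH_NAME" --body "$PR_BODY"`. The step's surroundings and the rest of the job lie outside the hunk.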
21 changes: 16 additions & 5 deletions .github/workflows/release-step-3.yml
@@ -213,17 +213,28 @@ jobs:
runs-on: ubuntu-latest
needs:
- post-release
permissions:
contents: write
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
steps:
- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write"
}
repositories: >-
["${{github.repository}}"]
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
token: ${{ env.GITHUB_TOKEN }}
token: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/git/setup@v1
with:
github-token: ${{ steps.get_token.outputs.token }}

- name: Update major branch
if: ${{ ! inputs.dry_run }}
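Review bot: With the job-level `permissions:` block apparently removed here (the page has lost its +/- markers, but the deletion count points to the `permissions`/`env` lines and the old `token:` line), the job's built-in `GITHUB_TOKEN` falls back to whatever the workflow or repository default grants. Since writes now go through the app token from `get_token`, declare the minimum explicitly, e.g. `permissions:` with `contents: read`, so the default token cannot end up broader than before. The same applies to the job in `.github/workflows/pre-post-release.yml`. Separately, the app token is handed to `actions/checkout@v4` and `elastic/oblt-actions/git/setup@v1`, which are referenced by mutable tag while `tibdex/github-app-token` is pinned to a commit SHA; pinning those two the same way would keep the token from reaching unreviewed action code. The job's remaining steps are outside the hunk.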
