From 89940fe2e8321f6285d073960df211d3c301f33b Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Tue, 17 Sep 2024 13:12:52 +0200
Subject: [PATCH] github-action: use ephemeral tokens with the required permissions (#14010)

(cherry picked from commit abb9a9b091271ee0128c2306538bc62118cccce9)

# Conflicts:
# .github/workflows/bump-golang.yml
# .github/workflows/update-compose.yml
---
 .github/workflows/bump-elastic-stack.yml | 14 +++++++++++++-
 .github/workflows/bump-golang.yml | 20 +++++++++++++++++++-
 .github/workflows/update-beats.yml | 14 +++++++++++++-
 .github/workflows/update-compose.yml | 20 ++++++++++++++++++--
 4 files changed, 63 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/bump-elastic-stack.yml b/.github/workflows/bump-elastic-stack.yml
index 36a16bbb4a1..a6df8e227db 100644
--- a/.github/workflows/bump-elastic-stack.yml
+++ b/.github/workflows/bump-elastic-stack.yml
@@ -30,12 +30,24 @@ jobs:
 with:
 ref: ${{ matrix.branch }}
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-elastic-stack-snapshot.yml --values .ci/updatecli/values.d/scm.yml
 env:
 BRANCH: ${{ matrix.branch }}
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
diff --git a/.github/workflows/bump-golang.yml b/.github/workflows/bump-golang.yml
index 8e4d15075d3..0269c5d18ae 100644
--- a/.github/workflows/bump-golang.yml
+++ b/.github/workflows/bump-golang.yml
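Review bot: The new `Get token` step carries no comment saying why an app-minted token replaces `secrets.UPDATECLI_GH_TOKEN` or what the two requested permissions are for, and the same uncommented block is repeated in update-beats.yml (@@ -29,6 +29,18 @@) and update-compose.yml (@@ -18,7 +18,23 @@). A line above `- name: Get token` such as `# Mint a short-lived installation token limited to what updatecli needs: contents:write and pull_requests:write` would make the scope reviewable in place; whether those two scopes map to "push the bump branch" and "open the PR" is my reading of the updatecli step below, so confirm before writing it down. Note also that the token producer is SHA-pinned while its consumer `elastic/oblt-actions/updatecli/run@v1` stays on a mutable tag; pinning both the same way keeps the code that receives the token as reviewable as the code that mints it.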
@@ -16,11 +16,29 @@ jobs:
 - uses: actions/checkout@v4
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
+<<<<<<< HEAD
 GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+=======
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
+ GITHUB_BRANCH: 'main'
+ GITHUB_LABELS: ${{ needs.labels.outputs.backports }}
+>>>>>>> abb9a9b09 (github-action: use ephemeral tokens with the required permissions (#14010))
 bump-7:
 runs-on: ubuntu-latest
@@ -33,7 +51,7 @@ jobs:
 with:
 command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 GITHUB_BRANCH: '7.17'
 GITHUB_LABELS: 'backport-skip'
diff --git a/.github/workflows/update-beats.yml b/.github/workflows/update-beats.yml
index 9570c89a82b..cdacf8f7a3a 100644
--- a/.github/workflows/update-beats.yml
+++ b/.github/workflows/update-beats.yml
@@ -29,6 +29,18 @@ jobs:
 with:
 ref: ${{ matrix.branch }}
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
 - uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
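Review bot: Unresolved conflict markers are committed here: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> abb9a9b09 (...)` are added as lines of bump-golang.yml, so the file is no longer valid YAML and the workflow cannot be parsed or run; the same happens in update-compose.yml (@@ -18,7 +18,23 @@), where both `docker/login-action` pins (v3.2.0 on the HEAD side, v3.3.0 on the cherry-picked side) also survive and one has to go. The `env:` block of the `bump` job should end up as the cherry-picked side only, `GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}`, `GITHUB_BRANCH: 'main'`, `GITHUB_LABELS: ${{ needs.labels.outputs.backports }}`, with the HEAD line `GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}` dropped, since keeping both would leave a duplicate mapping key. `needs.labels.outputs.backports` also refers to a `labels` job that is not visible in this diff; unless the `bump` job header above the hunk already declares `needs: labels`, that expression evaluates to an empty string on this branch.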
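Review bot: In the `bump-7` hunk (@@ -33,7 +51,7 @@) the `env` now reads `${{ steps.get_token.outputs.token }}`, but no `Get token` step is added to that job anywhere in this diff; the one in the previous hunk belongs to the `bump` job, and step outputs are per job, so unless a `get_token` step already exists in `bump-7` above the hunk, GITHUB_TOKEN expands to an empty string and the updatecli run goes out unauthenticated (or silently reverts to whatever updatecli does without a token). The job's `steps:` list begins outside the hunk, so the step has to be inserted above its `elastic/oblt-actions/updatecli/run@v1` step, mirroring the `bump` job; the action pin and secret names below are the ones this commit already uses.
```yaml
      # … unchanged: bump-7 runs-on / steps / checkout …
      - name: Get token
        id: get_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
          permissions: >-
            {
              "contents": "write",
              "pull_requests": "write"
            }

      - uses: elastic/oblt-actions/updatecli/run@v1
      # … unchanged: with / command / env …
```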
@@ -38,7 +50,7 @@ jobs:
 command: --experimental apply --config .ci/updatecli/update-beats.yml --values .ci/updatecli/values.d/scm.yml
 env:
 BRANCH_NAME: ${{ matrix.branch }}
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
diff --git a/.github/workflows/update-compose.yml b/.github/workflows/update-compose.yml
index e9abe45779d..f7acba6dc7a 100644
--- a/.github/workflows/update-compose.yml
+++ b/.github/workflows/update-compose.yml
@@ -18,7 +18,23 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+<<<<<<< HEAD
 - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+=======
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+
+ - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+>>>>>>> abb9a9b09 (github-action: use ephemeral tokens with the required permissions (#14010))
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -28,13 +44,13 @@ jobs:
 with:
 command: --experimental compose diff
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - uses: elastic/oblt-actions/updatecli/run@v1
 with:
 command: --experimental compose apply
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 - if: ${{ failure() }}
 uses: elastic/oblt-actions/slack/send@v1
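Review bot: In the update-compose hunk @@ -28,13 +44,13 @@ the `--experimental compose diff` step is handed the same token as the `--experimental compose apply` step, and that token was minted with `contents: write` and `pull_requests: write`. If the diff step only reads (its name suggests so, but I cannot see what it does with the token), giving it a read-scoped token instead would keep the write-capable credential confined to the one step that writes; if it does need write access, a comment on the diff step saying so would stop the next reader from trying to narrow it.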