Convert OPENTELEMETRYBOT_GITHUB_TOKEN org secret to fine-grained PAT #1549

Open
trask opened this issue Jun 15, 2023 · 10 comments
Labels
area/project-infra Non-GitHub project infra (DockerHub, etc.)

@trask
Member

trask commented Jun 15, 2023

See motivation at #1503 (comment).

I will be pinging the repos which are already using the org secret to let them know we'll be switching the org secret over to a fine-grained PAT.

Current target is to make this switch on Wed, June 28 (I'm on vacation next week so want to wait until afterwards in case of any issues).

After we switch the org secret over to the fine-grained PAT, I'll revoke the old PAT.

trask self-assigned this Jun 15, 2023
@trask
Member Author

trask commented Jun 15, 2023

pinging all maintainers for repos that are using OPENTELEMETRYBOT_GITHUB_TOKEN

so far, the fine-grained token has only the permissions in the screenshot below.

this has been enough for the Java repos, but we aren't using @opentelemetrybot to update issues, so if you have any automation that requires updating issues (or anything else besides creating/updating PRs) let me know

image

@pavolloffay
Member

pavolloffay commented Jun 15, 2023

@trask thanks for letting us know.

In the operator repo we use the bot to sync some 3rd party GH repos and open PRs (similar to what is done in the java auto-instrumentation to submit PRs to the operator repo). Will that continue to work?

@codeboten
Contributor

After looking at the use of this token in the collector & collector-contrib repos, I believe the workflows will continue to work for those repos with the fine-grained PAT.

@pellared
Member

@trask
Member Author

trask commented Jul 1, 2023

@pavolloffay I think you will need more access for that usage.

I've created a separate fine-grained PAT that I think will give you the access you need to opentelemetrybot's forks (see screenshot below).

@open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.

image

@trask
Member Author

trask commented Jul 6, 2023

> @open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.

@arminru what do you think?

@arminru
Member

arminru commented Jul 6, 2023

> > @open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.
>
> @arminru what do you think?

@trask +1 on using the fine-grained tokens scoped to individual repos instead of the org-wide OTel Bot token. I'll reach out to you directly to set it up.

@trask
Member Author

trask commented Jul 6, 2023

@arminru and I discussed on Slack and agreed for now at least that we would share repo-specific tokens directly with maintainers of those repos instead of adding them as repo-scoped org secrets

@pavolloffay I'll send you a one-time link for the PAT that can be used for the above operator workflows

@ocelotl

ocelotl commented Jul 27, 2023

@trask In OTel Python we only use OPENTELEMETRYBOT_GITHUB_TOKEN for our release process (you committed the .yml files yourself). We made a change to use OPENTELEMETRYBOT_GITHUB_TOKEN afterwards.

@ocelotl

ocelotl commented Jul 27, 2023

In Python we only use this token in our release process to create release PRs. We should be ok 👍


6 participants