Merge pull request #3 from propeller-heads/INFRA-116-Get-rid-of-GH_TO…

…KEN-in-github-workflows fix: INFRA-116-Change gh_token to app
propeller-heads · Oct 14, 2024 · 0c9f60b · 0c9f60b
2 parents 8a5e879 + a3f1853
commit 0c9f60b
Show file tree

Hide file tree

Showing 8 changed files with 75 additions and 18 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -11,6 +11,7 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
+      infura_api_key: ${{ secrets.INFURA_API_KEY }}
       app_id: ${{ secrets.APP_ID }}
       app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,40 +14,57 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
       infura_api_key: ${{ secrets.INFURA_API_KEY }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   protosim_py_release:
     name: Protosim-Py Release
     runs-on: ubuntu-latest
     needs:
       - tests-and-lints
     steps:
+      - name: Generate a token
+        id: generate-token
+        uses: getsentry/action-github-app-token@v2
+        with:
+          app_id: ${{ secrets.app_id }}
+          private_key: ${{ secrets.app_private_key }}
+
+      - name: Install git
+        run: sudo apt update && sudo apt install -y git
+
       - name: Check out Repo
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       - name: Setup git to use https
         run: |
             git config --global credential.helper store
-            echo "https://${{ secrets.GH_TOKEN }}@github.com" > ~/.git-credentials
-            git config --global url."https://${{ secrets.GH_TOKEN }}@github.com".insteadOf ssh://github.com
+            echo "https://${{ steps.generate-token.outputs.token }}@github.com" > ~/.git-credentials
+            git config --global url."https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com".insteadOf ssh://github.com
+
       - name: Set up Python 3.9
         uses: actions/setup-python@v4
         with:
           python-version: "3.9"
+
       - name: Setup Rust
         uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
+
       - name: Install Maturin
         run: |
           python -m pip install --upgrade pip
           pip install maturin
+
       - name: Build protosim-py
         run: |
           cd protosim_py
           maturin build --release
+
       - name: Archive production artifacts
         uses: actions/upload-artifact@v3
         with:
@@ -61,19 +78,32 @@ jobs:
     needs:
       - tests-and-lints
     steps:
+      - name: Generate a token
+        id: generate-token
+        uses: getsentry/action-github-app-token@v2
+        with:
+          app_id: ${{ secrets.app_id }}
+          private_key: ${{ secrets.app_private_key }}
+
+      - name: Install git
+        run: sudo apt update && sudo apt install -y git
+
       - name: Check out Repo
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       - name: Setup git to use https
         run: |
             git config --global credential.helper store
-            echo "https://${{ secrets.GH_TOKEN }}@github.com" > ~/.git-credentials
-            git config --global url."https://${{ secrets.GH_TOKEN }}@github.com".insteadOf ssh://github.com
+            echo "https://${{ steps.generate-token.outputs.token }}@github.com" > ~/.git-credentials
+            git config --global url."https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com".insteadOf ssh://github.com
+
       - name: Set build variables
         run: |
           TAG=$(git describe --tags --abbrev=0)-SNAPSHOT.$(git rev-parse --short HEAD)
           echo "IMAGE=827659017777.dkr.ecr.eu-central-1.amazonaws.com/propeller-searcher:$TAG" >> $GITHUB_ENV
+
       - name: install-aws-cli
         uses: unfor19/install-aws-cli-action@v1
         with:
@@ -82,18 +112,22 @@ jobs:
           arch: amd64
           rootdir: ""
           workdir: ""
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
           role-to-assume: arn:aws:iam::827659017777:role/github-actions
           audience: sts.amazonaws.com
           aws-region: eu-central-1
+
       - name: Setup BuildX
         uses: docker/setup-buildx-action@v1
+
       - name: Login to ECR
         uses: docker/login-action@v1
         with:
           registry: 827659017777.dkr.ecr.eu-central-1.amazonaws.com
+
       - name: Build
         uses: docker/build-push-action@v2
         with:
@@ -104,5 +138,6 @@ jobs:
           tags: ${{ env.IMAGE }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
       - name: Push
         run: docker push $IMAGE
diff --git a/.github/workflows/release_docker.yaml b/.github/workflows/release_docker.yaml
@@ -14,15 +14,26 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
       infura_api_key: ${{ secrets.INFURA_API_KEY }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   docker_release:
     name: Docker Image Build
     runs-on: ubuntu-latest
     needs:
       - tests-and-lints
     steps:
+      - name: Generate a token
+        id: generate-token
+        uses: getsentry/action-github-app-token@v2
+        with:
+          app_id: ${{ secrets.app_id }}
+          private_key: ${{ secrets.app_private_key }}
+
+      - name: Install git
+        run: sudo apt update && sudo apt install -y git
+
       - name: Check out Repo
         uses: actions/checkout@v3
         with:
@@ -31,8 +42,8 @@ jobs:
       - name: Setup git to use https
         run: |
           git config --global credential.helper store
-          echo "https://${{ secrets.GH_TOKEN }}@github.com" > ~/.git-credentials
-          git config --global url."https://${{ secrets.GH_TOKEN }}@github.com".insteadOf ssh://github.com
+          echo "https://${{ steps.generate-token.outputs.token }}@github.com" > ~/.git-credentials
+          git config --global url."https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com".insteadOf ssh://github.com
 
       - name: Set build variables
         run: |

diff --git a/.github/workflows/release_wheel.yaml b/.github/workflows/release_wheel.yaml
@@ -18,8 +18,9 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
       infura_api_key: ${{ secrets.INFURA_API_KEY }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   build_python_wheel_linux:
     uses: propeller-heads/ci-cd-templates/.github/workflows/release-python-package.yaml@main
@@ -29,7 +30,8 @@ jobs:
       id-token: write
       contents: read
     secrets:
-      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
     with:
       runs_on: 'ubuntu-latest'
       yum_packages: "pkgconfig openssl-devel"
@@ -43,8 +45,9 @@ jobs:
       id-token: write
       contents: read
     secrets:
-      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
     with:
       runs_on: 'macos-latest'
       package_root: "protosim_py"
-      use_maturin: true
+      use_maturin: true
diff --git a/.github/workflows/tests-and-lints-template.yaml b/.github/workflows/tests-and-lints-template.yaml
@@ -12,6 +12,8 @@ on:
         type: number
         default: 15
     secrets:
+      infura_api_key:
+        required: true
       app_id:
         required: true
       app_private_key:
@@ -23,7 +25,7 @@ permissions:
 
 env:
   CARGO_TERM_COLOR: always
-    #INFURA_API_KEY: ${{ secrets.infura_api_key }}
+  INFURA_API_KEY: ${{ secrets.infura_api_key }}
 
 jobs:
   compile_and_test:

diff --git a/.github/workflows/v2-build-and-deploy-branch.yaml b/.github/workflows/v2-build-and-deploy-branch.yaml
@@ -25,7 +25,8 @@ jobs:
       image_tag: ${{ github.sha }}
       image_name: propeller-searcher
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   deploy-dev:
     needs:

diff --git a/.github/workflows/v2-main-workflow.yaml b/.github/workflows/v2-main-workflow.yaml
@@ -9,8 +9,9 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
       infura_api_key: ${{ secrets.INFURA_API_KEY }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   check-release:
     uses: propeller-heads/ci-cd-templates/.github/workflows/release-v2.yaml@main
@@ -51,7 +52,8 @@ jobs:
       image_tag: ${{ needs.release.outputs.next_release_version }}
       image_name: propeller-searcher
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   promote-to-dev:
     needs:

diff --git a/.github/workflows/v2-release-maintenance.yaml b/.github/workflows/v2-release-maintenance.yaml
@@ -9,8 +9,9 @@ jobs:
   tests-and-lints:
     uses: ./.github/workflows/tests-and-lints-template.yaml
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
       infura_api_key: ${{ secrets.INFURA_API_KEY }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
   check-release:
     uses: propeller-heads/ci-cd-templates/.github/workflows/release-v2.yaml@main
@@ -52,4 +53,5 @@ jobs:
       image_tag: ${{ needs.release.outputs.next_release_version }}
       image_name: propeller-searcher
     secrets:
-      gh_token: ${{ secrets.GH_TOKEN }}
+      app_id: ${{ secrets.APP_ID }}
+      app_private_key: ${{ secrets.APP_PRIVATE_KEY }}