fix(github-action): update actions/create-github-app-token action to … #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Flux Localhost Build" | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: Flux version to build | |
# renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests | |
default: "2.2.3" | |
required: true | |
push: | |
branches: ["main"] | |
paths: | |
- kube/bootstrap/flux | |
- kube/clusters/*/flux/flux-install*.yaml | |
- .github/workflows/flux-localhost-build.yaml | |
env: | |
# renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests | |
FLUX_VERSION: "2.2.3" | |
OUTFILE: "kube/bootstrap/flux/flux-install-localhost-manifests.yaml" | |
jobs: | |
flux-localhost-build: | |
name: Flux Localhost Build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
pull-requests: write | |
steps: | |
- name: "Setup variables" # Renovate can't edit the version in `env` block if there's other ${{}} stuff around | |
id: "vars" | |
shell: "bash" | |
run: | | |
echo "FLUX_VERSION=${{ github.event.inputs.version || env.FLUX_VERSION }}" >> "${GITHUB_ENV}" | |
echo "BRANCH=flux-localhost-build-${{ github.event.inputs.version || env.FLUX_VERSION }}" >> "${GITHUB_ENV}" | |
echo "MESSAGE=feat(bootstrap/flux)!: build Flux v${{ github.event.inputs.version || env.FLUX_VERSION }} localhost install manifests" >> "${GITHUB_ENV}" | |
- name: "Generate Short Lived OAuth App Token (ghs_*)" | |
uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 | |
id: oauth-token | |
with: | |
app-id: "${{ secrets.BOT_APP_ID }}" # $BOT_APP_ID is found in GitHub App main settings page | |
private-key: "${{ secrets.BOT_JWT_PRIVATE_KEY }}" # $BOT_JWT_PRIVATE_KEY is generated in GitHub App main settings page, uses the X.509 private key format | |
- name: Setup Flux | |
uses: fluxcd/flux2/action@534684601ec8888beb0cc4f51117b59e97606c4d # v2.2.3 | |
with: | |
version: "${{ env.FLUX_VERSION }}" | |
- name: Checkout | |
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 | |
with: | |
token: "${{ steps.oauth-token.outputs.token }}" | |
- name: Build Flux Install Manifests | |
shell: bash | |
env: | |
GH_TOKEN: "${{ steps.oauth-token.outputs.token }}" | |
run: | | |
git config push.autoSetupRemote true | |
git config user.name "${{ secrets.BOT_USERNAME }}[bot]" | |
git config user.email "${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id` | |
git checkout -b ${{ env.BRANCH }} main | |
git push origin ${{ env.BRANCH }} --force | |
mkdir -p /tmp/flux | |
flux pull artifact oci://ghcr.io/fluxcd/flux-manifests:v${{ env.FLUX_VERSION }} --output /tmp/flux/ | |
flux build kustomization zzz-flux --path /tmp/flux --kustomization-file ./kube/clusters/biohazard/flux/flux-install-localhost.yaml --dry-run | tee ./${{ env.OUTFILE }} | |
# below is yoinked from https://gist.github.com/swinton/03e84635b45c78353b1f71e41007fc7c | |
- name: Commit Changes # with commit signing | |
shell: bash | |
env: | |
GH_TOKEN: "${{ steps.oauth-token.outputs.token }}" | |
GITHUB_TOKEN: "${{ steps.oauth-token.outputs.token }}" | |
FILE_TO_COMMIT: "${{ env.OUTFILE }}" | |
DESTINATION_BRANCH: "${{ env.BRANCH }}" | |
run: | | |
export MESSAGE="${{ env.MESSAGE }}" | |
export SHA=$( git rev-parse ${{ env.DESTINATION_BRANCH }}:${{ env.FILE_TO_COMMIT }} ) | |
base64 -i -w0 ${{ env.FILE_TO_COMMIT }} > /tmp/base64data | |
if gh api --method PUT /repos/:owner/:repo/contents/${{ env.FILE_TO_COMMIT }} \ | |
--field message="${MESSAGE}" \ | |
--field content="@/tmp/base64data" \ | |
--field encoding="base64" \ | |
--field branch="${{ env.DESTINATION_BRANCH }}" \ | |
--field sha="${SHA}" ; then | |
echo "Pushed signed commit to GitHub." | |
elif gh api --method PUT /repos/:owner/:repo/contents/${{ env.FILE_TO_COMMIT }} \ | |
--field message="${MESSAGE}" \ | |
--field content="@/tmp/base64data" \ | |
--field encoding="base64" \ | |
--field branch="${{ env.DESTINATION_BRANCH }}" ; then | |
echo "Pushed signed commit to GitHub." | |
else | |
echo "No changes to push or errored pushing." | |
fi | |
gh pr create --base main --head ${{ env.BRANCH }} --title "${{ env.MESSAGE }}" --body "Updates Flux install manifests, patched for use with localhost hostNetwork, to the ${{ env.FLUX_VERSION }} version." --reviewer ${{ github.repository_owner }} |