Skip to content

Commit

Permalink
github-action: use ephemeral tokens with the required permissions (#1…
Browse files Browse the repository at this point in the history
…4010)

(cherry picked from commit abb9a9b)

# Conflicts:
#	.github/workflows/update-compose.yml
  • Loading branch information
v1v authored and mergify[bot] committed Sep 17, 2024
1 parent 3812d5d commit e4155ba
Show file tree
Hide file tree
Showing 4 changed files with 58 additions and 6 deletions.
14 changes: 13 additions & 1 deletion .github/workflows/bump-elastic-stack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,24 @@ jobs:
with:
ref: ${{ matrix.branch }}

- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
- uses: elastic/oblt-actions/updatecli/run@v1
with:
command: --experimental apply --config .ci/updatecli/bump-elastic-stack-snapshot.yml --values .ci/updatecli/values.d/scm.yml
env:
BRANCH: ${{ matrix.branch }}
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- if: ${{ failure() }}
uses: elastic/oblt-actions/slack/send@v1
Expand Down
16 changes: 14 additions & 2 deletions .github/workflows/bump-golang.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,23 @@ jobs:

- uses: actions/checkout@v4

- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
- uses: elastic/oblt-actions/updatecli/run@v1
with:
command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
GITHUB_BRANCH: 'main'
GITHUB_LABELS: ${{ needs.labels.outputs.backports }}

Expand All @@ -62,7 +74,7 @@ jobs:
with:
command: --experimental apply --config .ci/updatecli/bump-golang.yml --values .ci/updatecli/values.d/scm.yml
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
GITHUB_BRANCH: '7.17'
GITHUB_LABELS: 'backport-skip'

Expand Down
14 changes: 13 additions & 1 deletion .github/workflows/update-beats.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,18 @@ jobs:
with:
ref: ${{ matrix.branch }}

- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
Expand All @@ -39,7 +51,7 @@ jobs:
command: --experimental apply --config .ci/updatecli/update-beats.yml --values .ci/updatecli/values.d/scm.yml
env:
BRANCH_NAME: ${{ matrix.branch }}
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- if: ${{ failure() }}
uses: elastic/oblt-actions/slack/send@v1
Expand Down
20 changes: 18 additions & 2 deletions .github/workflows/update-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,23 @@ jobs:
steps:
- uses: actions/checkout@v4

<<<<<<< HEAD
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
=======
- name: Get token
id: get_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
>>>>>>> abb9a9b09 (github-action: use ephemeral tokens with the required permissions (#14010))
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -28,13 +44,13 @@ jobs:
with:
command: --experimental compose diff
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- uses: elastic/oblt-actions/updatecli/run@v1
with:
command: --experimental compose apply
env:
GITHUB_TOKEN: ${{ secrets.UPDATECLI_GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

- if: ${{ failure() }}
uses: elastic/oblt-actions/slack/send@v1
Expand Down

0 comments on commit e4155ba

Please sign in to comment.