From 4a670391a6e2e9a9f5bdd746096b51d3bbfa02a5 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 22 May 2024 15:07:17 +0200 Subject: [PATCH] github-actions: use GitHub secrets (#39646) --- .../workflows/bump-elastic-stack-snapshot.yml | 40 +++++++++---- .github/workflows/bump-golang.yml | 57 +++++++++++-------- .../workflows/notify-stalled-snapshots.yml | 36 ++++-------- 3 files changed, 73 insertions(+), 60 deletions(-) diff --git a/.github/workflows/bump-elastic-stack-snapshot.yml b/.github/workflows/bump-elastic-stack-snapshot.yml index 835ead87a6a..46e5adb7fed 100644 --- a/.github/workflows/bump-elastic-stack-snapshot.yml +++ b/.github/workflows/bump-elastic-stack-snapshot.yml @@ -21,6 +21,9 @@ jobs: bump-elastic-stack: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write needs: [filter] strategy: fail-fast: false 
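Review bot: The new job-level `permissions` block in `bump-elastic-stack` gives `contents: write` and `pull-requests: write` to every step of the job, not only to updatecli, and nothing in the workflow says why. I would add a comment above it, e.g. `# updatecli pushes the bump branch and opens the PR with GITHUB_TOKEN`, so the scope is not widened later without thought. Because `actions/checkout` keeps the token in the local git config by default, `persist-credentials: false` on the checkout step is worth considering if updatecli only reads the token from the environment (not visible here). Pull requests opened with `GITHUB_TOKEN` do not trigger `pull_request` workflows, so any Actions-based checks will not run on these bump PRs. The job body continues outside the hunk.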
@@ -28,15 +31,32 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: elastic/apm-pipeline-library/.github/actions/updatecli@current - with: - vaultUrl: ${{ secrets.VAULT_ADDR }} - vaultRoleId: ${{ secrets.VAULT_ROLE_ID }} - vaultSecretId: ${{ secrets.VAULT_SECRET_ID }} - pipeline: .github/workflows/updatecli.d/bump-elastic-stack-snapshot.yml - values: .github/workflows/updatecli.d/scm.yml - command: '--experimental apply' - notifySlackChannel: "#ingest-notifications" - messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <${{ env.JOB_URL }}|here>" + - name: Install Updatecli in the runner + uses: updatecli/updatecli-action@9a37c7e35598d7b37d8e7568b40ed9538112be01 # v0.76.1 + + - name: Run Updatecli in Apply mode + run: updatecli --experimental apply --config .github/workflows/updatecli.d/bump-elastic-stack-snapshot.yml --values .github/workflows/updatecli.d/scm.yml env: BRANCH: ${{ matrix.branch }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - if: ${{ failure() }} + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + with: + channel-id: '#ingest-notifications' + payload: | + { + "text": "${{ env.SLACK_MESSAGE }}", + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "${{ env.SLACK_MESSAGE }}" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + SLACK_MESSAGE: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on " diff --git a/.github/workflows/bump-golang.yml b/.github/workflows/bump-golang.yml index 751b8612571..ce0ad4446bd 100644 --- a/.github/workflows/bump-golang.yml +++ b/.github/workflows/bump-golang.yml 
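Review bot: The Slack `payload` splices `${{ env.SLACK_MESSAGE }}` into the JSON text before it is parsed, so a `"` or `\` in `github.ref_name` would produce invalid JSON or alter the payload, and the failure notice would then be lost. Encoding the value instead of quoting it by hand avoids this: `"text": ${{ toJSON(env.SLACK_MESSAGE) }}` in both places where the message is used. The same block is repeated in `bump-golang.yml`. The failure step also has no `name:`, which makes it harder to find in the run log.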
@@ -10,34 +10,43 @@ permissions: contents: read jobs: - bump-main: + bump: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + strategy: + fail-fast: false + matrix: + file: ['bump-golang.yml', 'bump-golang-7.17.yml'] steps: - uses: actions/checkout@v4 - - uses: elastic/apm-pipeline-library/.github/actions/updatecli@current - with: - vaultUrl: ${{ secrets.VAULT_ADDR }} - vaultRoleId: ${{ secrets.VAULT_ROLE_ID }} - vaultSecretId: ${{ secrets.VAULT_SECRET_ID }} - pipeline: .github/workflows/updatecli.d/bump-golang.yml - values: .github/workflows/updatecli.d/scm.yml - command: '--experimental apply' - notifySlackChannel: "#ingest-notifications" - messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <${{ env.JOB_URL }}|here>" + - name: Install Updatecli in the runner + uses: updatecli/updatecli-action@9a37c7e35598d7b37d8e7568b40ed9538112be01 # v0.76.1 - bump-7-17: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 + - name: Run Updatecli in Apply mode + run: updatecli --experimental apply --config .github/workflows/updatecli.d/${{ matrix.file }} --values .github/workflows/updatecli.d/scm.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: elastic/apm-pipeline-library/.github/actions/updatecli@current + - if: ${{ failure() }} + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 with: - vaultUrl: ${{ secrets.VAULT_ADDR }} - vaultRoleId: ${{ secrets.VAULT_ROLE_ID }} - vaultSecretId: ${{ secrets.VAULT_SECRET_ID }} - pipeline: .github/workflows/updatecli.d/bump-golang-7.17.yml - values: .github/workflows/updatecli.d/scm.yml - command: '--experimental apply' - notifySlackChannel: "#ingest-notifications" - messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please 
look what's going on <${{ env.JOB_URL }}|here>" + channel-id: '#ingest-notifications' + payload: | + { + "text": "${{ env.SLACK_MESSAGE }}", + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "${{ env.SLACK_MESSAGE }}" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + SLACK_MESSAGE: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on " diff --git a/.github/workflows/notify-stalled-snapshots.yml b/.github/workflows/notify-stalled-snapshots.yml index c34e03bde1a..b525cc4dc10 100644 --- a/.github/workflows/notify-stalled-snapshots.yml +++ b/.github/workflows/notify-stalled-snapshots.yml @@ -10,7 +10,6 @@ permissions: contents: read env: - EMAIL_VAULT_SECRET: secret/observability-team/ci/service-account/email-github-actions EMAIL: beats-contrib@elastic.co URL_QUERY: 'https://github.com/elastic/beats/pulls?q=is%3Apr+is%3Aopen+label%3ATeam%3ABeats-On-Call' JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" 
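Review bot: The failure message in the new `bump` matrix job does not include `${{ matrix.file }}`, so a failure for `bump-golang.yml` and one for `bump-golang-7.17.yml` post identical Slack text; appending ` (${{ matrix.file }})` after the ref name would tell them apart. The same expression is expanded into the `run:` command before the shell sees it, which is safe only while the matrix holds fixed literal names. I would either add a comment saying so or pass it through the environment, `FILE: ${{ matrix.file }}` under `env:` and `--config ".github/workflows/updatecli.d/${FILE}"` in the command. The step that posts to Slack has no `name:` here either.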
@@ -56,37 +55,22 @@ jobs: - if: ${{ contains(steps.search.outputs.found, 'true') }} name: Report obsoleted branches (slack) - uses: elastic/apm-pipeline-library/.github/actions/slack-message@current + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 with: - url: ${{ secrets.VAULT_ADDR }} - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - channel: "#ingest-notifications" - message: ":red_circle: Elastic Stack version for the `${{ matrix.branch }}` branch has not been updated for a while (`> 7 days`). Review the (<${{ env.URL_QUERY }}|open PRs>)" - - - if: ${{ contains(steps.search.outputs.found, 'true') }} - uses: hashicorp/vault-action@v2.5.0 - with: - url: ${{ secrets.VAULT_ADDR }} - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - method: approle - secrets: | - ${{ env.EMAIL_VAULT_SECRET }} username | MAIL_USERNAME ; - ${{ env.EMAIL_VAULT_SECRET }} app_token | MAIL_PASSWORD; - ${{ env.EMAIL_VAULT_SECRET }} from | MAIL_FROM; - ${{ env.EMAIL_VAULT_SECRET }} reply | MAIL_REPLY; - ${{ env.EMAIL_VAULT_SECRET }} server | MAIL_SERVER + channel-id: '#ingest-notifications' + payload: ":red_circle: Elastic Stack version for the `${{ matrix.branch }}` branch has not been updated for a while (`> 7 days`). Review the (<${{ env.URL_QUERY }}|open PRs>)" + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - if: ${{ contains(steps.search.outputs.found, 'true') }} name: Report obsoleted branches (email) uses: dawidd6/action-send-mail@6063705cefe50cb915fc53bb06d4049cae2953b2 with: - server_address: ${{ env.MAIL_SERVER }} - username: ${{ env.MAIL_USERNAME }} - password: ${{ env.MAIL_PASSWORD }} + server_address: ${{ secrets.MAIL_SERVER }} + username: ${{ secrets.MAIL_USERNAME }} + password: ${{ secrets.MAIL_PASSWORD }} subject: '[${{ matrix.branch }}] ${{ steps.date.outputs.date }}: Elastic Stack version has not been updated recently.' 
to: ${{ env.EMAIL }} - from: ${{ env.MAIL_FROM }} - reply_to: ${{ env.MAIL_REPLY }} + from: ${{ secrets.MAIL_FROM }} + reply_to: ${{ secrets.MAIL_REPLY }} body: 'Elastic Stack version for the ${{ matrix.branch }} branch has not been updated for a while (> 7 days). Review the open PRs in ${{ env.URL_QUERY }}. Generated automatically with ${{ env.JOB_URL }}'
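Review bot: In the "Report obsoleted branches (slack)" step, `payload` is given a plain text string, while the other two workflows in this commit pass a JSON object. As far as I know slack-github-action v1 parses `payload` as JSON, so this step would fail when a stalled branch is found. For a plain message the input is `slack-message`, i.e. `slack-message: ":red_circle: Elastic Stack version for ..."` with the same text. The mail settings now come from `secrets.*`; an unset secret expands to an empty string, so a missing `MAIL_SERVER` or `MAIL_PASSWORD` shows up only as a send failure at run time. The job body starts outside the hunk.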