From 440194a4332e68280d38ae6ccffb1d5fc7bcbd7c Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Tue, 17 Sep 2024 13:08:02 +0200
Subject: [PATCH] ci: use GitHub app for ephemeral tokens
---
.github/workflows/pre-post-release.yml | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/pre-post-release.yml b/.github/workflows/pre-post-release.yml
index 9c97905c..8922e855 100644
--- a/.github/workflows/pre-post-release.yml
+++ b/.github/workflows/pre-post-release.yml
@@ -52,19 +52,30 @@ jobs:
runs-on: ubuntu-latest
needs:
- validate-tag
- permissions:
- contents: write
- env:
- GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
steps:
+
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "contents": "write",
+ "pull_requests": "write"
+ }
+ repositories: >-
+ ["elastic-otel-java"]
+
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- token: ${{ env.GITHUB_TOKEN }}
+ token: ${{ steps.get_token.outputs.token }}
- uses: elastic/oblt-actions/git/setup@v1
with:
- github-token: ${{ env.GITHUB_TOKEN }}
+ github-token: ${{ steps.get_token.outputs.token }}
- name: Create the release tag (post phase)
if: inputs.phase == 'post'
@@ -96,4 +107,4 @@ jobs:
- name: Create the ${{ inputs.phase }} release PR
run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
env:
- GH_TOKEN: ${{ env.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.get_token.outputs.token }}
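Review bot: Dropping the job-level `permissions:` block (the removed `permissions:` / `contents: write` lines in the first hunk) leaves the job's built-in GITHUB_TOKEN at whatever the workflow or repository default grants, rather than at the minimum the job needs now that every write goes through the app token. Unless a top-level `permissions:` outside this hunk already restricts it, put `permissions: contents: read` (or `permissions: {}`) back on the job so the default token cannot be used for writes. The new token step itself is scoped well: the action is pinned to a commit SHA with a version comment, `permissions` is limited to `contents`/`pull_requests` write, and `repositories` is limited to one repository. For consistency with that pin, the unchanged `actions/checkout@v4` and `elastic/oblt-actions/git/setup@v1` lines could carry the same commit-SHA pinning. The job definition starts before the hunk.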
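Review bot: The new `GH_TOKEN: ${{ steps.get_token.outputs.token }}` line in the second hunk hands the app token, which now carries `pull_requests: write`, to a `run:` that splices `inputs.pr_title` and `inputs.pr_body` directly into the shell command through `${{ }}`, so a quote or shell metacharacter in either input changes the command that executes with that token. That interpolation predates this commit, but routing a write-capable token into the step is the moment to pass the inputs through `env:` instead, e.g. `PR_TITLE: ${{ inputs.pr_title }}` and `PR_BODY: ${{ inputs.pr_body }}` next to `GH_TOKEN`, and reference them in the command as `"$PR_TITLE"` and `"$PR_BODY"`. The step and the enclosing job both begin outside the hunk.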