
Give release action permissions to push to main #251

Merged
merged 8 commits into from
Sep 26, 2024

Conversation

StepanBrychta
Contributor

@StepanBrychta StepanBrychta commented Sep 23, 2024

What does this change?

Gives the release GitHub action the necessary permissions to push changes directly into main.

This is done by configuring the release action to assume the role of the Wellcome Collection GitHub app when pushing changes to main. The implementation involves creating a token from the app's private key and follows official GitHub documentation.

Separately, the Wellcome Collection GitHub app was given the necessary permissions to bypass the requires-review rule.

How to test

I tested this change by temporarily removing the part of the workflow which publishes to Sonatype and running the GitHub action from this branch. This resulted in a successful push to main (see here), which I subsequently reverted.

How can we measure success?

The release action runs successfully.

Have we considered potential risks?

Giving the GitHub action full repo access comes with security risks. However, the original Buildkite pipeline was using a similar setup, so this should not introduce any new risks.

I have considered alternative release setups which do not involve pushing directly into main, but these setups have significant limitations (see here) and are not viable alternatives.


github-actions bot commented Sep 23, 2024

Suspected binary incompatible evictions across all projects (summary)

  • org.scala-lang:scala-library:2.12.17 is selected over {2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.16}
  • org.scala-lang:scala-library:2.12.18 is selected over {2.12.15, 2.12.15, 2.12.17, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.15, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.17, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.17, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.8, 2.12.17, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.8, 2.12.17, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.17, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.12, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.15, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.18, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.18, 2.12.8, 2.12.17, 2.12.15, 2.12.15, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.18, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.15, 2.12.18, 2.12.18, 2.12.18, 2.12.18, 2.12.8, 2.12.17, 2.12.15, 2.12.15, 2.12.17, 2.12.17, 2.12.16, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.15, 2.12.15}
  • org.scala-lang:scala-library:2.12.19 is selected over {2.12.15, 2.12.15, 2.12.8, 2.12.15, 2.12.15}
  • org.slf4j:slf4j-api:2.0.4 is selected over {1.7.36, 1.7.36, 1.7.9, 1.7.30, 1.7.30, 1.7.30, 1.7.30}
  • org.slf4j:slf4j-api:2.0.4 is selected over {1.7.36, 1.7.36, 1.7.9, 1.7.30, 1.7.30, 1.7.30}
  • org.slf4j:slf4j-api:2.0.7 is selected over {1.7.9, 1.7.30, 1.7.30, 1.7.30}
  • org.slf4j:slf4j-api:2.0.7 is selected over {2.0.4, 1.7.36, 1.7.36, 1.7.9, 1.7.30, 1.7.30, 1.7.30}

See individual evictions stages for more detail

@StepanBrychta StepanBrychta force-pushed the Give-release-action-permissions-to-push-to-main branch 2 times, most recently from eef42f3 to 8882728 Compare September 23, 2024 09:53
@StepanBrychta StepanBrychta force-pushed the Give-release-action-permissions-to-push-to-main branch from 8882728 to a1df1f9 Compare September 23, 2024 09:58
@StepanBrychta StepanBrychta marked this pull request as ready for review September 23, 2024 10:11
@StepanBrychta StepanBrychta force-pushed the Give-release-action-permissions-to-push-to-main branch 2 times, most recently from 50370de to 137fd2f Compare September 23, 2024 13:03
@StepanBrychta StepanBrychta force-pushed the Give-release-action-permissions-to-push-to-main branch from 137fd2f to a67ae68 Compare September 23, 2024 13:32
@agnesgaroux
Contributor

agnesgaroux commented Sep 24, 2024

Very nice! 🙌
In today's episode of "Making it more complicated than it ought to be" I got it into my head that the private key had to be stored somewhere other than GHA secrets. This is real neat in tandem with actions/create-github-app-token@v1

@agnesgaroux
Contributor

agnesgaroux commented Sep 24, 2024

Would it be safe to store this private key as an organisation GHA secret? That way we can let more repos use it as needed, but maybe it's safer to have different keys for different repos or even different workflows.

@StepanBrychta
Contributor Author

@agnesgaroux Good idea, the key is now an organisation secret.
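The setup the PR description outlines (mint a token from the GitHub App's private key, then push to main as the app) and the organisation-secret arrangement agreed in the comments above, shown as an added example workflow. This is not the repository's actual release workflow: the secret and variable names (`RELEASE_APP_ID`, `RELEASE_APP_PRIVATE_KEY`), the git identity and the placeholder release step are assumptions. The inputs `app-id`, `private-key`, `owner` and `repositories` and the `token` output are the documented interface of `actions/create-github-app-token@v1`.

```yaml
name: Release

on:
  workflow_dispatch:

# The default GITHUB_TOKEN stays read-only; the push below authenticates
# with the short-lived App installation token instead.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Create GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          # Assumed names: the App id as a repository/organisation variable,
          # the PEM private key as an organisation secret (as decided in the PR).
          app-id: ${{ vars.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          # An organisation-wide key is installed on many repositories; scoping the
          # token to this one repository limits what a compromised run could touch.
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}

      - name: Check out main using the App token
        uses: actions/checkout@v4
        with:
          ref: main
          # checkout persists this token in the git config, so later git commands
          # run as the App rather than as GITHUB_TOKEN.
          token: ${{ steps.app-token.outputs.token }}

      - name: Commit release changes and push to main
        run: |
          # Placeholder for the real release steps (version bump, Sonatype publish).
          git config user.name "release-app[bot]"          # assumed identity
          git config user.email "release-app[bot]@users.noreply.github.com"
          git commit --allow-empty -m "chore: release"
          # Succeeds only if the App is on the bypass list of the requires-review rule,
          # which the PR description says was granted separately.
          git push origin HEAD:main
```

The installation token expires after about an hour and is scoped to the installation (here narrowed further with `repositories`), which is what makes this preferable to a long-lived personal access token with write access. Where the same private key is shared across repositories as an organisation secret, the `repositories` input is the control that keeps one workflow from minting a token valid for every repository the App is installed on.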

@StepanBrychta StepanBrychta merged commit 41620d9 into main Sep 26, 2024
28 checks passed
@StepanBrychta StepanBrychta deleted the Give-release-action-permissions-to-push-to-main branch September 26, 2024 13:39