chore(operator): fix CI to use new Github app instead of PAT (grafana…

…#14328)
ojroques · Oct 4, 2024 · 0992d2a · 0992d2a
1 parent f4d58ab
commit 0992d2a
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 15 deletions.
diff --git a/.github/workflows/operator-check-prepare-release-commit.yml b/.github/workflows/operator-check-prepare-release-commit.yml
@@ -14,6 +14,14 @@ jobs:
       github.event.pull_request.head.ref == 'release-please--branches--main--components--operator' && 
       contains(github.event.pull_request.title, 'chore( operator): community release')
     steps:
+      - id: "get_github_app_token"
+        name: Get GitHub Token
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
+
       - name: Extract release version
         id: pr_semver
         env:
@@ -31,7 +39,7 @@ jobs:
       - name: Check main commits for prepare release commit
         id: check_commit
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }}
         working-directory: "release"
         run: |
           COMMIT=$(gh search commits "chore(operator): prepare community release v${{ steps.pr_semver.outputs.semver }}")

diff --git a/.github/workflows/operator-publish-operator-hub.yml b/.github/workflows/operator-publish-operator-hub.yml
@@ -10,14 +10,10 @@ jobs:
     with:
       org: redhat-openshift-ecosystem
       repo: community-operators-prod
-    secrets:
-      GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
   operator-hub-community-release:
     if: startsWith(github.event.release.tag_name, 'operator/')
     uses: ./.github/workflows/operator-reusable-hub-release.yml
     with:
       org: k8s-operatorhub
       repo: community-operators
-    secrets:
-      GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/operator-release-please.yml b/.github/workflows/operator-release-please.yml
@@ -18,25 +18,39 @@ jobs:
       release_created: ${{ steps.release.outputs.operator--release_created }}
       release_name: ${{ steps.release.outputs.operator--tag_name }}
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - id: "get_github_app_token"
+        name: Get GitHub App Token
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
+      - uses: googleapis/release-please-action@v4
         id: release
         with:
           path: operator
           config-file: operator/release-please-config.json
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ steps.get_github_app_token.outputs.token }}
   publishRelease:
     needs:
     - "releasePlease"
     runs-on: ubuntu-latest
     if: ${{ needs.releasePlease.outputs.release_created }}
     steps:
+      - id: "get_github_app_token"
+        name: Get GitHub App Token
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
       - name: "pull code to release"
         uses: "actions/checkout@v4"
         with:
           path: "release"
       - name: "publish release"
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }}
         working-directory: "release"
         run: |
           gh release edit "${{ needs.releasePlease.outputs.release_name }}" --draft=false --latest=false
diff --git a/.github/workflows/operator-reusable-hub-release.yml b/.github/workflows/operator-reusable-hub-release.yml
@@ -9,14 +9,19 @@ on:
       repo:
         type: string
         required: true
-    secrets:
-      GRAFANABOT_GITHUB_TOKEN:
-        required: true
 
 jobs:
   create-operator-pull-request:
     runs-on: ubuntu-latest
     steps:
+      - id: "get_github_app_token"
+        name: Get GitHub App Token
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
+
       - name: Set redhat-openshift-ecosystem specific variables
         if: ${{ inputs.org == 'redhat-openshift-ecosystem' }}
         env:
@@ -36,7 +41,7 @@ jobs:
 
       - name: Sync fork
         env:
-          GH_TOKEN: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }}
         run: |
           # synchronizing the fork is fast, and avoids the need to fetch the full upstream repo
           # (fetching the upstream repo with "--depth 1" would lead to "shallow update not allowed"
@@ -49,13 +54,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: grafanabot/${{ inputs.repo }}
-          token: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }}
+          token: ${{ steps.get_github_app_token.outputs.token }}
 
       - name: Checkout loki to tmp/ directory
         uses: actions/checkout@v4
         with:
           repository: grafana/loki
-          token: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }}
+          token: ${{ steps.get_github_app_token.outputs.token }}
           path: tmp/
 
       - name: Update version
@@ -85,7 +90,7 @@ jobs:
       - name: Create pull request against ${{ inputs.org }}/${{ inputs.repo }}
         env:
           VERSION: ${{ env.version }}
-          GH_TOKEN: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }}
         run: |
           message="Update the loki-operator to $VERSION"
           body="Release loki-operator \`$VERSION\`.