[7.17] ci: use ephemeral tokens instead of APM_SERVER_RELEASE_TOKEN (backport #14217) (#14218)

mergify[bot] · v1v · web-flow · commit 50f7378205fe · 2024-10-01T12:31:49.000Z
* ci: use ephemeral tokens (#14217) (cherry picked from commit 8e1eb29) # Conflicts: # .github/workflows/run-minor-release.yml * Apply suggestions from code review --------- Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>
diff --git a/.github/workflows/run-minor-release.yml b/.github/workflows/run-minor-release.yml
@@ -13,8 +13,9 @@ permissions:
   contents: read
 
 env:
-  SLACK_CHANNEL: "#apm-server-test-release"
-  
+  JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+  SLACK_CHANNEL: "#apm-server"
+
 jobs:
   run-minor:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-patch-release.yml b/.github/workflows/run-patch-release.yml
@@ -19,7 +19,6 @@ permissions:
 env:
   JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
   SLACK_CHANNEL: "#apm-server"
-  GH_TOKEN: ${{ secrets.APM_SERVER_RELEASE_TOKEN }}
 
 jobs:
   prepare:
@@ -54,13 +53,25 @@ jobs:
           # Use the makefile in the given release branch.
           ref: ${{ env.RELEASE_BRANCH }}
 
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "contents": "write",
+              "pull_requests": "write"
+            }
+
       # Required to use a service account, otherwise PRs created by
       # GitHub bot won't trigger any CI builds.
       # See https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-537478081
       - name: Configure git user
         uses: elastic/oblt-actions/git/setup@v1
         with:
-          github-token: ${{ env.GH_TOKEN }}
+          github-token: ${{ steps.get_token.outputs.token }}
 
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4  # v6.1.0
@@ -71,6 +82,8 @@ jobs:
           git_commit_gpgsign: true
 
       - run: make patch-release
+        env:
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
 
       - if: success()
         uses: elastic/oblt-actions/slack/send@v1
