

v1v authored and mergify[bot] committed
ci: use ephemeral tokens (#14217)
(cherry picked from commit 8e1eb29)
1 parent 9d5406c commit aa36cb9


2 files changed

+30
-4
lines changed


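--- a/.github/workflows/run-minor-release.yml
+++ b/.github/workflows/run-minor-release.yml
@@ -19,7 +19,6 @@ permissions:
 env:
   JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
   SLACK_CHANNEL: "#apm-server"
-  GH_TOKEN: ${{ secrets.APM_SERVER_RELEASE_TOKEN }}
 
 jobs:
   prepare:
@@ -58,6 +57,18 @@ jobs:
             The `${{ github.repository }}@${{ env.RELEASE_BRANCH }}` branch will be created Today.
           thread-timestamp: ${{ needs.prepare.outputs.slack-thread || '' }}
 
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "contents": "write",
+              "pull_requests": "write"
+            }
+
       - uses: actions/checkout@v4
         with:
           # 0 indicates all history for all branches and tags.
@@ -69,7 +80,7 @@ jobs:
       - name: Configure git user
         uses: elastic/oblt-actions/git/setup@v1
         with:
-          github-token: ${{ env.GH_TOKEN }}
+          github-token: ${{ steps.get_token.outputs.token }}
 
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
@@ -80,6 +91,8 @@ jobs:
           git_commit_gpgsign: true
 
       - run: make minor-release
+        env:
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
 
       - if: success()
         uses: elastic/oblt-actions/slack/[email protected]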
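Review bot: The installation token minted in the new `Get token` step is narrowed by permission (`contents`/`pull_requests` write) but not by repository, so if the OBS_AUTOMATION app is installed on more than this repository the token can push and open PRs in every one of them for its lifetime. tibdex/github-app-token v2 takes a `repositories` input for exactly this; adding `repositories: >-` followed by `["${{ github.event.repository.name }}"]` under `with:` keeps the blast radius to this repo, which is still a large improvement over the removed long-lived `APM_SERVER_RELEASE_TOKEN` PAT. As far as I know that action has since been superseded by the official actions/create-github-app-token, so a follow-up migration is worth a ticket. I cannot tell from this hunk whether any step in the `prepare` job or later in the workflow still expected the workflow-level `GH_TOKEN` that the first hunk removes; `steps.get_token.outputs.token` is only visible inside the job that mints it.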

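--- a/.github/workflows/run-patch-release.yml
+++ b/.github/workflows/run-patch-release.yml
@@ -19,7 +19,6 @@ permissions:
 env:
   JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
   SLACK_CHANNEL: "#apm-server"
-  GH_TOKEN: ${{ secrets.APM_SERVER_RELEASE_TOKEN }}
 
 jobs:
   prepare:
@@ -56,13 +55,25 @@ jobs:
           # Use the makefile in the given release branch.
           ref: ${{ env.RELEASE_BRANCH }}
 
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "contents": "write",
+              "pull_requests": "write"
+            }
+
       # Required to use a service account, otherwise PRs created by
       # GitHub bot won't trigger any CI builds.
       # See https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-537478081
       - name: Configure git user
         uses: elastic/oblt-actions/git/setup@v1
         with:
-          github-token: ${{ env.GH_TOKEN }}
+          github-token: ${{ steps.get_token.outputs.token }}
 
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
@@ -73,6 +84,8 @@ jobs:
           git_commit_gpgsign: true
 
       - run: make patch-release
+        env:
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
 
       - if: success()
         uses: elastic/oblt-actions/slack/send@v1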
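Review bot: The comment kept above `Configure git user` (`# Required to use a service account, otherwise PRs created by GitHub bot won't trigger any CI builds.`) is now stale, because the token it configures is a GitHub App installation token from the new `Get token` step, not a service-account PAT; the reason the step still matters is that PRs opened with the default `GITHUB_TOKEN` never trigger other workflows, whereas an app token does. I would reword it to `# Use the app token rather than GITHUB_TOKEN: PRs opened with GITHUB_TOKEN never trigger CI builds.` and keep the existing link. The same `repositories` scoping applies here as in the minor-release workflow: without it the token is valid for every repository the app installation covers, not just this one. It is also worth confirming that nothing else in this workflow outside the hunk still reads the removed workflow-level `GH_TOKEN`, since the replacement output only exists inside this job.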
