Skip to content

github-action: use ephemeral tokens with the required permissions#113

Merged
v1v merged 2 commits intomainfrom
gh-oblt/replace-token-with-app
Sep 16, 2024
Merged

github-action: use ephemeral tokens with the required permissions#113
v1v merged 2 commits intomainfrom
gh-oblt/replace-token-with-app

Conversation

@v1v
Copy link
Member

@v1v v1v commented Sep 9, 2024

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

What

Use https://github.com/tibdex/github-app-token to generate ephemeral tokens with the required
permissions only

This is the alternative to moving away from finer-grained GitHub tokens and reducing the
cumbersome of rotating them as we do nowadays.

Implementaiton details

We have used the same GitHub action in other places.

If there are any questions, please reach out to the @elastic/observablt-ci

@v1v v1v self-assigned this Sep 9, 2024
@v1v v1v requested a review from a team September 9, 2024 12:24
@v1v v1v added the changelog:dependencies When you add or update a dependency label Sep 9, 2024
@v1v
Copy link
Member Author

v1v commented Sep 9, 2024

I'll merge this as soon as we solve the CLA validation for GitHub Apps

@v1v
Copy link
Member Author

v1v commented Sep 9, 2024

The CLA checker will cause some disruptions - I'm working on it with the relevant CLA owners. For now, I'll keep this draft to avoid surprises.

@v1v v1v marked this pull request as draft September 9, 2024 14:07
@v1v v1v marked this pull request as ready for review September 16, 2024 10:02
@v1v v1v enabled auto-merge (squash) September 16, 2024 10:03
@v1v v1v merged commit 16c0261 into main Sep 16, 2024
@v1v v1v deleted the gh-oblt/replace-token-with-app branch September 16, 2024 10:04
v1v added a commit to v1v/oblt-actions that referenced this pull request Oct 7, 2024
@v1v
Merge remote-tracking branch 'upstream/main' into feature/deploy-my-k…
32d584b 
…ibana

* upstream/main: (51 commits)
  deps: Bump oblt-cli version to 7.6.2 (elastic#139)
  feat: undeploy-my-kibana (elastic#140)
  build(deps): bump the github-actions group across 2 directories with 2 updates (elastic#141)
  build(deps): bump the github-actions group across 6 directories with 1 update (elastic#138)
  chore: deps(oblt-cli): Bump oblt-cli version to 7.5.24 (elastic#137)
  feat: support wait for maven central (elastic#133)
  feat: migrate is-member-elastic-org (elastic#135)
  deps: Bump oblt-cli version to 7.5.22 (elastic#131)
  deps(updatecli): bump all policies (elastic#130)
  ci: use GitHub app for ephemeral tokens (elastic#129)
  Deprecate the `project-id` input in `google/auth` action. (elastic#124)
  deps(updatecli): bump all policies (elastic#122)
  chore: deps(oblt-cli): Bump oblt-cli version to 7.5.21 (elastic#121)
  build(deps): bump the github-actions group across 11 directories with 4 updates (elastic#125)
  github-action: use ephemeral tokens with the required permissions (elastic#113)
  feat(github): validate-comment (elastic#120)
  feat(pre-commit): migrate from apm-pipeline-library (elastic#119)
  deps(updatecli): bump all policies (elastic#117)
  feat(await-maven-artifact): migrate from https://github.com/elastic/apm-pipeline-library (elastic#118)
  Add `test-report` action (elastic#114)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@reakaleek reakaleek reakaleek approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@v1v v1v

Labels

changelog:dependencies When you add or update a dependency

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@v1v @reakaleek