From 93c0e7ffad8c5832c5ff82822bf5f5040f28b595 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Mon, 10 Jul 2023 15:06:23 -0700
Subject: [PATCH 1/5] chore(ci): Use GitHub App token for team membership rather than user PAT
This will decouple the token from a specific user and instead to the organization. To enable this I created an app, "Datadog - Vector CI", with read access to the organization to be able to check membership. We can move additional permissions to this app in the future if we like. For example, I think the `GH_PROJECT_PAT` usage could potentially be moved from the robot user.
Signed-off-by: Jesse Szwedko
---
 .github/workflows/comment-trigger.yml | 8 +++++++-
 .github/workflows/gardener_open_pr.yml | 10 ++++++++--
 .github/workflows/integration-comment.yml | 16 ++++++++++++++--
 .github/workflows/integration.yml | 4 ++--
 4 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/comment-trigger.yml b/.github/workflows/comment-trigger.yml
index cc087179e7b91..8cb2c3780887e 100644
--- a/.github/workflows/comment-trigger.yml
+++ b/.github/workflows/comment-trigger.yml
@@ -59,13 +59,19 @@ jobs:
 || contains(github.event.comment.body, '/ci-run-k8s')
 )
 steps:
+ - name: Generate authentication token
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+ private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
 - name: Get PR comment author
 id: comment
 uses: tspascoal/get-user-teams-membership@v2
 with:
 username: ${{ github.actor }}
 team: 'Vector'
- GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 - name: Validate author membership
 if: steps.comment.outputs.isTeamMember == 'false'
diff --git a/.github/workflows/gardener_open_pr.yml b/.github/workflows/gardener_open_pr.yml
index e9b0fef67ba05..fa5596c0d0518 100644
--- a/.github/workflows/gardener_open_pr.yml
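Review bot: The org-scoped installation token minted by the new `generate_token` step is handed straight to `tspascoal/get-user-teams-membership@v2`, which is pinned only by a mutable tag, while the token-minting action itself is pinned to a commit SHA; whoever can move that tag can read the token. Pin the membership action to a commit as well, e.g. `uses: tspascoal/get-user-teams-membership@<commit-sha>  # v2`, and do the same in the gardener_open_pr.yml hunk, both integration-comment.yml hunks, and the test.yml hunk in patch 3. The token also carries every permission granted to the app installation; if the pinned version of the token action supports narrowing the token's permissions, restrict it to organization members read, which is all the membership lookup needs. The job and its trigger condition start above this hunk.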
+++ b/.github/workflows/gardener_open_pr.yml
@@ -13,17 +13,23 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.actor != 'dependabot[bot]' }}
 steps:
+ - name: Generate authentication token
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+ private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
 - uses: tspascoal/get-user-teams-membership@v2
 id: checkVectorMember
 with:
 username: ${{ github.actor }}
 team: vector
- GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 - uses: actions/add-to-project@v0.5.0
 if: ${{ steps.checkVectorMember.outputs.isTeamMember == 'false' }}
 with:
 project-url: https://github.com/orgs/vectordotdev/projects/49
- github-token: ${{ secrets.GH_PROJECT_PAT }}
+ github-token: ${{ steps.generate_token.outputs.token }}
 add-dependabot-to-project:
 name: Add dependabot PR to Gardener project board
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integration-comment.yml b/.github/workflows/integration-comment.yml
index f014f82a69312..c07673def28be 100644
--- a/.github/workflows/integration-comment.yml
+++ b/.github/workflows/integration-comment.yml
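Review bot: The `github-token:` swap on the `actions/add-to-project@v0.5.0` step gives a project-board write to a token from an app that the commit description says has only read access to the organization, so that step will most likely fail on permissions; patch 5 in this series puts `secrets.GH_PROJECT_PAT` back. Since two credentials then coexist in one job, record why on the restored line, e.g. `github-token: ${{ secrets.GH_PROJECT_PAT }}  # project writes still need the PAT; the CI app only has org read access`, so the next person does not repeat this swap before the app is granted project write. The job header is above the hunk.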
@@ -47,13 +47,19 @@ jobs:
 runs-on: ubuntu-latest
 if: contains(github.event.comment.body, '/ci-run-integration') || contains(github.event.comment.body, '/ci-run-all')
 steps:
+ - name: Generate authentication token
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+ private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
 - name: Get PR comment author
 id: comment
 uses: tspascoal/get-user-teams-membership@v2
 with:
 username: ${{ github.actor }}
 team: 'Vector'
- GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 - name: Validate author membership
 if: steps.comment.outputs.isTeamMember == 'false'
@@ -365,13 +371,19 @@ jobs:
 needs: integration-tests
 if: always() && (contains(github.event.comment.body, '/ci-run-integration') || contains(github.event.comment.body, '/ci-run-all'))
 steps:
+ - name: Generate authentication token
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+ private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
 - name: Validate issue comment
 if: github.event_name == 'issue_comment'
 uses: tspascoal/get-user-teams-membership@v2
 with:
 username: ${{ github.actor }}
 team: 'Vector'
- GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 - name: (PR comment) Get PR branch
 uses: xt0rted/pull-request-comment-branch@v2
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index af7fe4d5852df..edd714fe89558 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
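Review bot: In the second hunk (`@@ -365,13 +371,19 @@`) the new `generate_token` step runs unconditionally, but its only consumer in the hunk, the `Validate issue comment` step, is gated on `if: github.event_name == 'issue_comment'`; on any other event the job still mints an org-scoped installation token that nothing uses. Give the token step the same guard, `if: github.event_name == 'issue_comment'`, so the credential is issued only when it is consumed. Separately, that membership step has no `id:` and no step visible in the hunk reads its `isTeamMember` output, unlike the `steps.comment` / `Validate author membership` pair in the first hunk; if the action only reports membership through an output, this step enforces nothing — confirm, and if so add an `id:` plus a failing step as the first hunk does. The job's remaining steps lie outside the hunk.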
@@ -98,9 +98,9 @@ jobs:
 - name: Determine if secrets are defined (PR author is team member).
 if: github.event_name == 'pull_request'
 env:
- GH_PAT_ORG: ${{ secrets.GH_PAT_ORG }}
+ GH_APP_DATADOG_VECTOR_CI_APP_ID: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
 run: |
- if [[ "$GH_PAT_ORG" != "" ]] ; then
+ if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" ]] ; then
 echo "PR_HAS_ACCESS_TO_SECRETS=true" >> "$GITHUB_ENV"
 else
 echo "PR_HAS_ACCESS_TO_SECRETS=false" >> "$GITHUB_ENV"
From a978932ec42f672c25183985e2fbfcaf80518368 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Tue, 11 Jul 2023 10:32:01 -0700
Subject: [PATCH 2/5] trigger int tests
Signed-off-by: Jesse Szwedko
---
 src/sources/amqp.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/sources/amqp.rs b/src/sources/amqp.rs
index f5cf22f493a61..3bd3ce5555641 100644
--- a/src/sources/amqp.rs
+++ b/src/sources/amqp.rs
@@ -1,5 +1,6 @@
 //! `AMQP` source.
 //! Handles version AMQP 0.9.1 which is used by RabbitMQ.
+//! run integration tests
 use crate::{
 amqp::AmqpConfig,
 codecs::{Decoder, DecodingConfig},
From fd9be80726b70c83f2f4ee2961c21abef21075de Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Tue, 11 Jul 2023 10:47:16 -0700
Subject: [PATCH 3/5] test in another workflow
Signed-off-by: Jesse Szwedko
---
 .github/workflows/test.yml | 17 +++++++++++++++++
 src/sources/amqp.rs | 1 -
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index dda403b3b6030..3df8f996c4492 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
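Review bot: `GH_APP_DATADOG_VECTOR_CI_APP_ID` is the non-sensitive half of the app credential, so probing it from `env:` is the right choice over exposing the private key, but the step name still says "PR author is team member" while the test actually answers "are repository secrets exposed to this run"; the two appear to coincide only because GitHub withholds secrets from fork pull requests. Say so on the new `env:` line, e.g. `# app id is not secret; probed only to learn whether secrets are exposed to this run (fork PRs get none)`. A tighter shell form is `if [[ -n "$GH_APP_DATADOG_VECTOR_CI_APP_ID" ]]; then`. The step's remaining lines are outside the hunk.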
@@ -40,6 +40,23 @@ jobs:
 env:
 CARGO_INCREMENTAL: 0
 steps:
+ - name: Generate authentication token
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+ private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
+ - name: Get PR comment author
+ id: comment
+ uses: tspascoal/get-user-teams-membership@v2
+ with:
+ username: ${{ github.actor }}
+ team: 'Vector'
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+ - name: Validate author membership
+ if: steps.comment.outputs.isTeamMember == 'false'
+ run: exit 1
 - uses: actions/checkout@v3
 with:
 # check-version needs tags
diff --git a/src/sources/amqp.rs b/src/sources/amqp.rs
index 3bd3ce5555641..f5cf22f493a61 100644
--- a/src/sources/amqp.rs
+++ b/src/sources/amqp.rs
@@ -1,6 +1,5 @@
 //! `AMQP` source.
 //! Handles version AMQP 0.9.1 which is used by RabbitMQ.
-//! run integration tests
 use crate::{
 amqp::AmqpConfig,
 codecs::{Decoder, DecodingConfig},
From 78ca360f689866f4114d22343f868b64a4ce23c1 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Tue, 11 Jul 2023 10:53:27 -0700
Subject: [PATCH 4/5] remove test steps
Signed-off-by: Jesse Szwedko
---
 .github/workflows/test.yml | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3df8f996c4492..dda403b3b6030 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,23 +40,6 @@ jobs:
 env:
 CARGO_INCREMENTAL: 0
 steps:
- - name: Generate authentication token
- id: generate_token
- uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
- with:
- app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
- private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
- - name: Get PR comment author
- id: comment
- uses: tspascoal/get-user-teams-membership@v2
- with:
- username: ${{ github.actor }}
- team: 'Vector'
- GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
- - name: Validate author membership
- if: steps.comment.outputs.isTeamMember == 'false'
- run: exit 1
 - uses: actions/checkout@v3
 with:
 # check-version needs tags
From e7cb0d47ab419884eb23ecdde20d0f2aa7744fb3 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Tue, 11 Jul 2023 11:00:21 -0700
Subject: [PATCH 5/5] Didn't mean to replace GH_PROJECT_PAT usage
Signed-off-by: Jesse Szwedko
---
 .github/workflows/gardener_open_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gardener_open_pr.yml b/.github/workflows/gardener_open_pr.yml
index fa5596c0d0518..4fc84c07cc5ea 100644
--- a/.github/workflows/gardener_open_pr.yml
+++ b/.github/workflows/gardener_open_pr.yml
@@ -29,7 +29,7 @@ jobs:
 if: ${{ steps.checkVectorMember.outputs.isTeamMember == 'false' }}
 with:
 project-url: https://github.com/orgs/vectordotdev/projects/49
- github-token: ${{ steps.generate_token.outputs.token }}
+ github-token: ${{ secrets.GH_PROJECT_PAT }}
 add-dependabot-to-project:
 name: Add dependabot PR to Gardener project board
 runs-on: ubuntu-latest