ci: use deploy key (#1262)

## Proposed changes Now with #1261, the bot has to overcome/bypass the checks. The way of doing it is using a Deploy Key. This PR does that.
coveo · Apr 4, 2023 · d2d389d · d2d389d
1 parent d4309a4
commit d2d389d
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 10 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -91,3 +91,4 @@ jobs:
           RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }}
           RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }}
           RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }}
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/cli/source/package.json b/packages/cli/source/package.json
@@ -26,6 +26,7 @@
   },
   "devDependencies": {
     "@coveo/cli-commons-dev": "6.0.5",
+    "@coveo/semantic-monorepo-tools": "1.7.0",
     "@oclif/test": "2.2.21",
     "@types/jest": "29.4.0",
     "@types/node": "18.15.1",

diff --git a/utils/release/git-lock.mjs b/utils/release/git-lock.mjs
@@ -6,6 +6,7 @@ import {
   gitCommit,
   gitPush,
   gitAdd,
+  gitSetupSshRemote,
 } from '@coveo/semantic-monorepo-tools';
 import {dedent} from 'ts-dedent';
 
@@ -19,6 +20,9 @@ import {spawnSync} from 'node:child_process';
 const isPrerelease = process.env.IS_PRERELEASE === 'true';
 const noLockRequired = Boolean(process.env.NO_LOCK);
 const PATH = '.';
+const REPO_OWNER = 'coveo';
+const REPO_NAME = 'cli';
+const GIT_SSH_REMOTE = 'deploy';
 
 const ensureUpToDateBranch = async () => {
   // Lock-out master
@@ -42,10 +46,15 @@ const ensureUpToDateBranch = async () => {
  * This will make .github\workflows\git-lock-fail.yml run and thus fail the associated check.
  */
 const lockBranch = async () => {
+  const DEPLOY_KEY = process.env.DEPLOY_KEY;
+  if (DEPLOY_KEY === undefined) {
+    throw new Error('Deploy key is undefined');
+  }
+  await gitSetupSshRemote(REPO_OWNER, REPO_NAME, DEPLOY_KEY, GIT_SSH_REMOTE);
   writeFileSync('.git-lock', '');
   await gitAdd('.git-lock');
   await gitCommit('lock master', PATH);
-  await gitPush();
+  await gitPush(GIT_SSH_REMOTE);
   spawnSync('git', ['reset', '--hard', 'HEAD~1']);
 };
 

diff --git a/utils/release/git-publish-all.mjs b/utils/release/git-publish-all.mjs
@@ -21,6 +21,7 @@ import {
   gitCommitTree,
   gitUpdateRef,
   gitPublishBranch,
+  gitSetRefOnCommit,
 } from '@coveo/semantic-monorepo-tools';
 import {Octokit} from 'octokit';
 import {createAppAuth} from '@octokit/auth-app';
@@ -32,6 +33,7 @@ import {removeWriteAccessRestrictions} from './lock-master.mjs';
 const CLI_PKG_MATCHER = /^@coveo\/cli@(?<version>\d+\.\d+\.\d+)$/gm;
 const REPO_OWNER = 'coveo';
 const REPO_NAME = 'cli';
+const GIT_SSH_REMOTE = 'deploy';
 
 const getCliChangelog = () => {
   const changelog = readFileSync('packages/cli/core/CHANGELOG.md', {
@@ -199,13 +201,12 @@ async function commitChanges(releaseNumber, commitMessage, octokit) {
   /**
    * We then update the mainBranch to this new verified commit.
    */
-  await octokit.rest.git.updateRef({
-    owner: REPO_OWNER,
-    repo: REPO_NAME,
-    ref: `refs/heads/${mainBranchName}`,
-    sha: commit.data.sha,
-    force: true,
-  });
+  await gitSetRefOnCommit(
+    GIT_SSH_REMOTE,
+    `refs/heads/${mainBranchName}`,
+    commit.data.sha,
+    true
+  );
 
   // Delete the temp branch
   await gitDeleteRemoteBranch('origin', tempBranchName);

diff --git a/utils/release/package.json b/utils/release/package.json
@@ -5,7 +5,7 @@
   "version": "1.0.0",
   "type": "module",
   "dependencies": {
-    "@coveo/semantic-monorepo-tools": "1.6.1",
+    "@coveo/semantic-monorepo-tools": "1.7.0",
     "@octokit/auth-app": "^4.0.9",
     "async-retry": "1.3.3",
     "conventional-changelog-angular": "5.0.13",