From d56bde73ecd493ddd746b95b07347a568eea0f00 Mon Sep 17 00:00:00 2001 From: Joao Marcal Date: Tue, 1 Oct 2024 11:34:48 +0100 Subject: [PATCH] chore(operator): fix CI to use new Github app instead of PAT --- .../operator-check-prepare-release-commit.yml | 10 +++++++++- .../operator-publish-operator-hub.yml | 4 ---- .github/workflows/operator-release-please.yml | 20 ++++++++++++++++--- .../operator-reusable-hub-release.yml | 19 +++++++++++------- 4 files changed, 38 insertions(+), 15 deletions(-) diff --git a/.github/workflows/operator-check-prepare-release-commit.yml b/.github/workflows/operator-check-prepare-release-commit.yml index 2099230718634..c8e900829580a 100644 --- a/.github/workflows/operator-check-prepare-release-commit.yml +++ b/.github/workflows/operator-check-prepare-release-commit.yml @@ -14,6 +14,14 @@ jobs: github.event.pull_request.head.ref == 'release-please--branches--main--components--operator' && contains(github.event.pull_request.title, 'chore( operator): community release') steps: + - id: "get_github_app_token" + name: Get GitHub Token + uses: "actions/create-github-app-token@v1" + with: + app-id: "${{ secrets.APP_ID }}" + owner: "${{ github.repository_owner }}" + private-key: "${{ secrets.APP_PRIVATE_KEY }}" + - name: Extract release version id: pr_semver env: @@ -31,7 +39,7 @@ jobs: - name: Check main commits for prepare release commit id: check_commit env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} + GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }} working-directory: "release" run: | COMMIT=$(gh search commits "chore(operator): prepare community release v${{ steps.pr_semver.outputs.semver }}") diff --git a/.github/workflows/operator-publish-operator-hub.yml b/.github/workflows/operator-publish-operator-hub.yml index c3fa69b466298..dd4d4c199af3e 100644 --- a/.github/workflows/operator-publish-operator-hub.yml +++ b/.github/workflows/operator-publish-operator-hub.yml @@ -10,8 +10,6 @@ jobs: with: org: redhat-openshift-ecosystem repo: community-operators-prod - secrets: - GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} operator-hub-community-release: if: startsWith(github.event.release.tag_name, 'operator/') @@ -19,5 +17,3 @@ jobs: with: org: k8s-operatorhub repo: community-operators - secrets: - GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} diff --git a/.github/workflows/operator-release-please.yml b/.github/workflows/operator-release-please.yml index 77be2bc58a237..266dfd26e3083 100644 --- a/.github/workflows/operator-release-please.yml +++ b/.github/workflows/operator-release-please.yml @@ -18,25 +18,39 @@ jobs: release_created: ${{ steps.release.outputs.operator--release_created }} release_name: ${{ steps.release.outputs.operator--tag_name }} steps: - - uses: google-github-actions/release-please-action@v4 + - id: "get_github_app_token" + name: Get GitHub App Token + uses: "actions/create-github-app-token@v1" + with: + app-id: "${{ secrets.APP_ID }}" + owner: "${{ github.repository_owner }}" + private-key: "${{ secrets.APP_PRIVATE_KEY }}" + - uses: googleapis/release-please-action@v4 id: release with: path: operator config-file: operator/release-please-config.json - token: ${{ secrets.GH_TOKEN }} + token: ${{ steps.get_github_app_token.outputs.token }} publishRelease: needs: - "releasePlease" runs-on: ubuntu-latest if: ${{ needs.releasePlease.outputs.release_created }} steps: + - id: "get_github_app_token" + name: Get GitHub App Token + uses: "actions/create-github-app-token@v1" + with: + app-id: "${{ secrets.APP_ID }}" + owner: "${{ github.repository_owner }}" + private-key: "${{ secrets.APP_PRIVATE_KEY }}" - name: "pull code to release" uses: "actions/checkout@v4" with: path: "release" - name: "publish release" env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} + GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }} working-directory: "release" run: | gh release edit "${{ needs.releasePlease.outputs.release_name }}" --draft=false --latest=false \ No newline at end of file diff --git a/.github/workflows/operator-reusable-hub-release.yml b/.github/workflows/operator-reusable-hub-release.yml index 862d072401dd3..ecf2794134172 100644 --- a/.github/workflows/operator-reusable-hub-release.yml +++ b/.github/workflows/operator-reusable-hub-release.yml @@ -9,14 +9,19 @@ on: repo: type: string required: true - secrets: - GRAFANABOT_GITHUB_TOKEN: - required: true jobs: create-operator-pull-request: runs-on: ubuntu-latest steps: + - id: "get_github_app_token" + name: Get GitHub App Token + uses: "actions/create-github-app-token@v1" + with: + app-id: "${{ secrets.APP_ID }}" + owner: "${{ github.repository_owner }}" + private-key: "${{ secrets.APP_PRIVATE_KEY }}" + - name: Set redhat-openshift-ecosystem specific variables if: ${{ inputs.org == 'redhat-openshift-ecosystem' }} env: @@ -36,7 +41,7 @@ jobs: - name: Sync fork env: - GH_TOKEN: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }} run: | # synchronizing the fork is fast, and avoids the need to fetch the full upstream repo # (fetching the upstream repo with "--depth 1" would lead to "shallow update not allowed" @@ -49,13 +54,13 @@ jobs: uses: actions/checkout@v4 with: repository: grafanabot/${{ inputs.repo }} - token: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }} + token: ${{ steps.get_github_app_token.outputs.token }} - name: Checkout loki to tmp/ directory uses: actions/checkout@v4 with: repository: grafana/loki - token: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }} + token: ${{ steps.get_github_app_token.outputs.token }} path: tmp/ - name: Update version @@ -85,7 +90,7 @@ jobs: - name: Create pull request against ${{ inputs.org }}/${{ inputs.repo }} env: VERSION: ${{ env.version }} - GH_TOKEN: ${{ secrets.GRAFANABOT_GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.get_github_app_token.outputs.token }} run: | message="Update the loki-operator to $VERSION" body="Release loki-operator \`$VERSION\`.