Chore: Use github app token for publishing release (#571)

* Chore: Use github app token for publishing release * Update .drone.yml * fix secrets * fix secret paths * Revert "fix secret paths" This reverts commit 49c6e20. * try to fix secret path * migrate GH app token retrieval to script * move to new script file * Update get_gh_token.sh * add log * change file permission * fix export * change source to . * fix script * Update publish_github_release.sh * clean up * Update .drone.yml --------- Co-authored-by: Agnès Toulet <[email protected]>
grafana · Oct 14, 2024 · 7f8175b · 7f8175b
1 parent 614dc6b
commit 7f8175b
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 9 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -433,6 +433,7 @@ steps:
   name: package-alpine-x64-no-chromium
 - commands:
   - ./scripts/generate_md5sum.sh
+  - . ./scripts/get_gh_token.sh
   - ./scripts/publish_github_release.sh
   depends_on:
   - package-linux-x64-glibc
@@ -441,8 +442,12 @@ steps:
   - package-linux-x64-glibc-no-chromium
   - package-alpine-x64-no-chromium
   environment:
-    GITHUB_TOKEN:
-      from_secret: github_token
+    GITHUB_APP_ID:
+      from_secret: github_app_id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github_app_private_key
+    GITHUB_INSTALLATION_ID:
+      from_secret: github_app_installation_id
   image: cibuilds/github:0.13.0
   name: publish_to_github
 - commands:
@@ -495,10 +500,22 @@ kind: secret
 name: gcr
 ---
 get:
-  name: github_token
-  path: ci/data/repo/grafana/grafana-image-renderer/github_actions
+  name: app-id
+  path: ci/data/repo/grafana/grafana-image-renderer/github-app
 kind: secret
-name: github_token
+name: github_app_id
+---
+get:
+  name: private-key
+  path: ci/data/repo/grafana/grafana-image-renderer/github-app
+kind: secret
+name: github_app_private_key
+---
+get:
+  name: app-installation-id
+  path: ci/data/repo/grafana/grafana-image-renderer/github-app
+kind: secret
+name: github_app_installation_id
 ---
 get:
   name: gcom_publish_token
@@ -525,6 +542,6 @@ kind: secret
 name: gar
 ---
 kind: signature
-hmac: aef686a708994a7210707534e31b9ccd2c5b4356fb2f09afa3505914c43c6aea
+hmac: 5e72ddb2d00dec40054f0640eb9048e0375790ce7300d0863138e5f98cfb7a0c
 
 ...
diff --git a/scripts/drone/promotion.star b/scripts/drone/promotion.star
@@ -7,10 +7,14 @@ def publish_gh_release():
         'image': 'cibuilds/github:0.13.0',
         'commands': [
             './scripts/generate_md5sum.sh',
+            '. ./scripts/get_gh_token.sh',
             './scripts/publish_github_release.sh',
         ],
         'environment': {
-            'GITHUB_TOKEN': from_secret('github_token'),
+            # These are passed as secrets for security
+            'GITHUB_APP_ID': from_secret('github_app_id'),
+            'GITHUB_APP_PRIVATE_KEY': from_secret('github_app_private_key'),
+            'GITHUB_INSTALLATION_ID': from_secret('github_app_installation_id'),
         },
         'depends_on': [
             'package-linux-x64-glibc',

diff --git a/scripts/drone/vault.star b/scripts/drone/vault.star
@@ -17,7 +17,9 @@ def vault_secret(name, path, key):
 def secrets():
     return [
         vault_secret(gcr_pull_secret, 'secret/data/common/gcr', '.dockerconfigjson'),
-        vault_secret('github_token', 'ci/data/repo/grafana/grafana-image-renderer/github_actions', 'github_token'),
+        vault_secret('github_app_id', 'ci/data/repo/grafana/grafana-image-renderer/github-app', 'app-id'),
+        vault_secret('github_app_private_key', 'ci/data/repo/grafana/grafana-image-renderer/github-app', 'private-key'),
+        vault_secret('github_app_installation_id', 'ci/data/repo/grafana/grafana-image-renderer/github-app', 'app-installation-id'),
         vault_secret('gcom_publish_token', 'infra/data/ci/drone-plugins', 'gcom_publish_token'),
         vault_secret('grafana_api_key', 'infra/data/ci/drone-plugins', 'grafana_api_key'),
         vault_secret('srcclr_api_token', 'infra/data/ci/drone-plugins', 'srcclr_api_token'),

diff --git a/scripts/get_gh_token.sh b/scripts/get_gh_token.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+# Ensure necessary tools are installed
+apk add --no-cache openssl curl jq
+
+# Write the private key to a file
+echo "$GITHUB_APP_PRIVATE_KEY" > private-key.pem
+chmod 600 private-key.pem
+
+# Generate the JWT
+NOW=$(date +%s)
+EXPIRATION=$(($NOW + 600))
+HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -A | tr '+/' '-_' | tr -d '=')
+PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' $NOW $EXPIRATION $GITHUB_APP_ID | openssl base64 -A | tr '+/' '-_' | tr -d '=')
+HEADER_PAYLOAD="$HEADER.$PAYLOAD"
+SIGNATURE=$(echo -n "$HEADER_PAYLOAD" | openssl dgst -sha256 -sign ./private-key.pem | openssl base64 -A | tr '+/' '-_' | tr -d '=')
+JWT="$HEADER_PAYLOAD.$SIGNATURE"
+
+# Request the installation access token
+RESPONSE=$(curl -s -X POST \
+  -H "Authorization: Bearer $JWT" \
+  -H "Accept: application/vnd.github+json" \
+  https://api.github.com/app/installations/$GITHUB_INSTALLATION_ID/access_tokens)
+
+# Extract the token from the response
+GITHUB_TOKEN=$(echo $RESPONSE | jq -r '.token')
+
+# Export the token for use in subsequent commands
+export GITHUB_TOKEN
diff --git a/scripts/publish_github_release.sh b/scripts/publish_github_release.sh
@@ -23,7 +23,7 @@ git config user.name "Drone Automation"
 
 echo "Pushing tag v${VERSION}..."
 git tag v"${VERSION}"
-git push "https://${GITHUB_TOKEN}@github.com/grafana/grafana-image-renderer.git" v"${VERSION}"
+git push "https://${GITHUB_APP_ID}:${GITHUB_TOKEN}@github.com/grafana/grafana-image-renderer.git" v"${VERSION}"
 
 echo "Pushing multiple artifacts to release v${VERSION}..."
 ghr \