Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use new GitHub app in workflows instead of token #10650

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Use new GitHub app in workflows instead of token #10650

wants to merge 4 commits into from
+125 −20

Conversation

armandgrillet
Copy link
Contributor

This uses the same GitHub app as the one we use in backend-enterprise. This should allow us to stop using the GitHub token we were previously using.

@armandgrillet armandgrillet self-assigned this Feb 14, 2025
@armandgrillet armandgrillet requested a review from a team as a code owner February 14, 2025 13:15
dimitarvdimitrov
dimitarvdimitrov reviewed Feb 14, 2025
View reviewed changes
Copy link
Contributor

@dimitarvdimitrov dimitarvdimitrov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the backport and helm-weekly-release-pr workflows are also using GH_BOT_ACCESS_TOKEN

narqo
narqo reviewed Feb 14, 2025
View reviewed changes
.github/workflows/compare-helm-with-jsonnet.yml
- name: Download yq
uses: dsaltares/[email protected]
with:
repo: 'mikefarah/yq'
version: 'tags/v4.30.6'
file: 'yq_linux_amd64'
target: 'bin/yq'
token: ${{ secrets.GITHUB_TOKEN }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this one, and other similar cases below, do we have any problems with GITHUB_TOKEN, actually? This one is a short-lived token, auto generated by GitHub, only for the life-time of the action's execution (ref GitHub docs).

That is, GH_BOT_ACCESS_TOKEN is the PAT, that we SHOULD to get rid of. The GITHUB_TOKEN IS fine, as it's managed by GitHub, isn't it?

.github/workflows/grafanabot_reviewer.yml
Comment on lines 43 to -27
gh pr review $PR_URL \
--approve -b "**I'm approving** this pull request, since it is a helm release."
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}}
Copy link
Contributor

@narqo narqo Feb 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, today this doesn't work, because grafanabot (the principal of GH_BOT_ACCESS_TOKEN) is trying to approve its own PR 🤖

Do you happen to know if, after we update to a GH app, this will use different principals for opening a PR, and an auto-approval?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@narqo narqo narqo left review comments

@dimitarvdimitrov dimitarvdimitrov dimitarvdimitrov left review comments

@pracucci pracucci pracucci approved these changes

@aknuds1 aknuds1 Awaiting requested review from aknuds1

Assignees

@armandgrillet armandgrillet

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@armandgrillet @narqo @pracucci @dimitarvdimitrov