Use new GitHub app in workflows instead of token #10650

Open
wants to merge 4 commits into
base: main
Changes from 2 commits
32 changes: 28 additions & 4 deletions .github/workflows/compare-helm-with-jsonnet.yml
@@ -24,7 +24,7 @@ jobs:
goversion:
runs-on: ubuntu-latest
needs: prepare
container:
container:
image: ${{ needs.prepare.outputs.build_image }}
steps:
- uses: actions/checkout@v4
@@ -46,30 +46,52 @@ jobs:
with:
go-version: ${{ needs.goversion.outputs.version }}
- uses: helm/[email protected]

# Retrieve GitHub App Credentials from Vault
- name: Retrieve GitHub App Credentials from Vault
id: get-secrets
uses: grafana/shared-workflows/actions/[email protected]
with:
repo_secrets: |
APP_ID=mimir-github-bot:app_id
PRIVATE_KEY=mimir-github-bot:private_key

# Generate GitHub App Token
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ steps.get-secrets.outputs.APP_ID }}
private-key: ${{ steps.get-secrets.outputs.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Download yq
uses: dsaltares/[email protected]
with:
repo: 'mikefarah/yq'
version: 'tags/v4.30.6'
file: 'yq_linux_amd64'
target: 'bin/yq'
token: ${{ secrets.GITHUB_TOKEN }}
Contributor comment:

For this one, and other similar cases below, do we have any problems with GITHUB_TOKEN, actually? This one is a short-lived token, auto-generated by GitHub, only for the lifetime of the action's execution (ref GitHub docs).

That is, GH_BOT_ACCESS_TOKEN is the PAT that we SHOULD get rid of. The GITHUB_TOKEN IS fine, as it's managed by GitHub, isn't it?

token: ${{ steps.app-token.outputs.token }}

- name: Download tk
uses: dsaltares/[email protected]
with:
repo: 'grafana/tanka'
version: 'tags/v0.22.1'
file: 'tk-linux-amd64'
target: 'bin/tk'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Download jb
uses: dsaltares/[email protected]
with:
repo: 'jsonnet-bundler/jsonnet-bundler'
version: 'tags/v0.5.1'
file: 'jb-linux-amd64'
target: 'bin/jb'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Configure dependencies
run: |
set -e
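Review bot: the three `fetch-gh-release-asset` steps (yq, tk, jb) now receive the app installation token where `secrets.GITHUB_TOKEN` was already enough: they download public release assets from third-party repositories, and the automatic token is short-lived and scoped to this repository, which is exactly the point raised in the inline comment above. The app token, by contrast, is minted with `owner:` set and no `repositories:` input, so it carries the app's permissions on every repository the installation covers, and it is now handed to three external actions that only need a token for API rate limits. Suggest keeping `token: ${{ secrets.GITHUB_TOKEN }}` on those steps, or at least adding `repositories: ${{ github.event.repository.name }}` to the `Generate GitHub App Token` step. Separately, `get-vault-secrets` authenticates to Vault with the job's OIDC token, so this job's `permissions:` block needs `id-token: write`; the hunk does not show it being added.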
@@ -78,11 +100,13 @@ jobs:
chmod +x $PWD/bin/jb
echo $PWD/bin >> $GITHUB_PATH
set +e

- name: Make dependencies
run: |
# Make dependencies first to have their output in another step
make operations/helm/charts/mimir-distributed/charts
make build-jsonnet-tests

- name: Compare manifests
id: compare-manifests
run: |
28 changes: 23 additions & 5 deletions .github/workflows/generate-docs-helm-tests-renovate-pr.yml
@@ -11,7 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true

jobs:
jobs:
prepare:
if: github.event.pull_request.user.login == 'renovate[bot]'
runs-on: ubuntu-latest
@@ -31,30 +31,48 @@ jobs:
container:
image: ${{ needs.prepare.outputs.build_image }}
steps:
# Retrieve GitHub App Credentials from Vault
- name: Retrieve GitHub App Credentials from Vault
id: get-secrets
uses: grafana/shared-workflows/actions/[email protected]
with:
repo_secrets: |
APP_ID=mimir-github-bot:app_id
PRIVATE_KEY=mimir-github-bot:private_key

# Generate GitHub App Token
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ steps.get-secrets.outputs.APP_ID }}
private-key: ${{ steps.get-secrets.outputs.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Checkout Repository
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Run Git Config
run: |
git config --global --add safe.directory '*'
git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
git config --global user.name "${{ github.event.pull_request.user.login }}"

- name: Install the gh cli
uses: ksivamuthu/actions-setup-gh-cli@v2

- name: Checkout Pull Request Branch
run: gh pr checkout ${{ github.event.pull_request.number }}
env:
GITHUB_TOKEN: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

- name: Run make targets
id: update
run: |
make BUILD_IN_CONTAINER=false doc build-helm-tests

- name: Check Updates
id: check_updates
run: |
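Review bot: the ordering here is right (token minted before the checkout), and because `actions/checkout` persists the supplied token in the workspace's git config by default, every later git operation in this job, not only the `gh pr checkout` step, will authenticate as the app. One caveat worth stating in the PR description: installation tokens expire after one hour, so if `make BUILD_IN_CONTAINER=false doc build-helm-tests` runs long, a push made later in the job can fail with an expired credential. Also double-check that the `user.email`/`user.name` set in `Run Git Config` (the renovate login) is still what you want, since commits will now be pushed by the app but attributed to that login.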
29 changes: 24 additions & 5 deletions .github/workflows/grafanabot_reviewer.yml
@@ -1,4 +1,5 @@
name: Auto-review Grafanabot PRs

on: pull_request_target

permissions:
@@ -10,8 +11,26 @@ jobs:
runs-on: ubuntu-latest

if: ${{ github.event.pull_request.user.login == 'grafanabot' }}

steps:
# Retrieve GitHub App Credentials from Vault for mimir-github-bot
- name: Retrieve GitHub App Credentials from Vault
id: get-secrets
uses: grafana/shared-workflows/actions/[email protected]
with:
repo_secrets: |
APP_ID=mimir-github-bot:app_id
PRIVATE_KEY=mimir-github-bot:private_key

# Generate GitHub App Token for PR approval and auto-merge
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ steps.get-secrets.outputs.APP_ID }}
private-key: ${{ steps.get-secrets.outputs.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Checkout Repository
uses: actions/checkout@v4

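Review bot: this workflow runs on `pull_request_target`, and the new `Retrieve GitHub App Credentials from Vault` step now pulls the app's private key into a job triggered by pull requests, gated only by `github.event.pull_request.user.login == 'grafanabot'`. That is acceptable as long as the `Checkout Repository` step keeps checking out the base branch (no `ref:` pointing at the PR head) and no later step executes code from the PR, since under `pull_request_target` the PR's head commit would otherwise run with the private key and the app token in the environment. The `permissions:` block at the top of the file is not in the hunk; `get-vault-secrets` authenticates via OIDC and needs `id-token: write` there.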
@@ -23,14 +42,14 @@ jobs:
gh pr review $PR_URL \
--approve -b "**I'm approving** this pull request, since it is a helm release."
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}}
@narqo (Contributor) commented on Feb 14, 2025:

BTW, today this doesn't work, because grafanabot (the principal of GH_BOT_ACCESS_TOKEN) is trying to approve its own PR 🤖

Do you happen to know if, after we update to a GH app, this will use different principals for opening a PR and for the auto-approval?

PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

- name: Manual review is required
if: steps.auto-merge.conclusion != 'success'
run: |
gh pr comment $PR_URL --body "**This PR from grafanabot requires manual review.**"

env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
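Review bot: on the question in the thread above: `gh pr review --approve` now runs with the app installation token, so the reviewing principal becomes the GitHub App whose credentials come from the `mimir-github-bot` Vault path rather than grafanabot, and as long as the PRs keep being opened by grafanabot (the job's `if:` still checks that login) the self-approval rejection goes away. If the PR-opening side is later migrated to the same app, author and reviewer collapse onto one principal again and the approve step fails the same way; keep those two identities distinct (a second app, or leave the opener as is). The `Manual review is required` step could stay on `secrets.GITHUB_TOKEN`, since posting a comment does not need the app's identity.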
26 changes: 22 additions & 4 deletions .github/workflows/push-mimir-build-image.yml
@@ -26,10 +26,28 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@v4

# Retrieve GitHub App Credentials from Vault
- name: Retrieve GitHub App Credentials from Vault
id: get-secrets
uses: grafana/shared-workflows/actions/[email protected]
with:
repo_secrets: |
APP_ID=mimir-github-bot:app_id
PRIVATE_KEY=mimir-github-bot:private_key

# Generate GitHub App Token
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ steps.get-secrets.outputs.APP_ID }}
private-key: ${{ steps.get-secrets.outputs.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Checkout Pull Request Branch
run: gh pr checkout ${{ github.event.pull_request.number }}
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

- name: Setup QEMU
uses: docker/setup-qemu-action@v3
@@ -76,7 +94,7 @@ jobs:

- name: Add Comment to the PR
id: notification
run: |
run: |
if [ ${{ steps.check_build.outputs.build }} == 'true' ]; then
gh pr comment $PR_NUMBER --body "**Building new version of mimir-build-image**. After image is built and pushed to Docker Hub, \
a new commit will automatically be added to this PR with new image version \`$IMAGE:$TAG\`. This can take up to 1 hour."
@@ -86,7 +104,7 @@ jobs:
fi
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
TAG: ${{ steps.compute_hash.outputs.tag }}
IMAGE: ${{ steps.prepare.outputs.image }}

@@ -126,6 +144,6 @@ jobs:
git push origin HEAD
fi
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
TAG: ${{ steps.compute_hash.outputs.tag }}
MAIN_TAG: ${{ steps.prepare.outputs.main_image_tag }}
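Review bot: switching `GITHUB_TOKEN` in this step's `env:` does not change who performs `git push origin HEAD`. That variable is read by the `gh` CLI, while `git push` authenticates with the credential `actions/checkout` persisted in `.git/config`, which, assuming this push is in the same job as the `Checkout Repository` step in the first hunk of this file, is still the default `secrets.GITHUB_TOKEN` because that checkout runs before `Generate GitHub App Token`. If the intent is for the pushed commit to come from the app (for example so the push triggers other workflows, which pushes made with the default token do not), move the Vault and token steps above the checkout and pass `token: ${{ steps.app-token.outputs.token }}` to `actions/checkout@v4`, as generate-docs-helm-tests-renovate-pr.yml already does.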
25 changes: 23 additions & 2 deletions .github/workflows/test-build-deploy.yml
@@ -112,8 +112,28 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Run Git Config
run: git config --global --add safe.directory '*'

# Retrieve GitHub App Credentials from Vault for mimir-github-bot
- name: Retrieve GitHub App Credentials from Vault
id: get-secrets
uses: grafana/shared-workflows/actions/[email protected]
with:
repo_secrets: |
APP_ID=mimir-github-bot:app_id
PRIVATE_KEY=mimir-github-bot:private_key

# Generate GitHub App Token for PR approval and auto-merge
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ steps.get-secrets.outputs.APP_ID }}
private-key: ${{ steps.get-secrets.outputs.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

- name: Run doc-validator tool (mimir)
run: >
doc-validator
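Review bot: the comment on the token step, `# Generate GitHub App Token for PR approval and auto-merge`, is carried over from grafanabot_reviewer.yml and is misleading here: in this job the token only feeds `REVIEWDOG_GITHUB_API_TOKEN` for the two doc-validator runs. Suggest `# Generate GitHub App Token for posting doc-validator review comments`, so the next reader does not go looking for an approve step.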
@@ -127,7 +147,8 @@ jobs:
--name=doc-validator
--reporter=github-pr-review
env:
REVIEWDOG_GITHUB_API_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REVIEWDOG_GITHUB_API_TOKEN: "${{ steps.app-token.outputs.token }}"

- name: Run doc-validator tool (helm-charts)
run: >
doc-validator
@@ -140,7 +161,7 @@ jobs:
--name=doc-validator
--reporter=github-pr-review
env:
REVIEWDOG_GITHUB_API_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REVIEWDOG_GITHUB_API_TOKEN: "${{ steps.app-token.outputs.token }}"

lint-jsonnet:
runs-on: ubuntu-latest