chore(operator): fix CI to use new Github app instead of PAT

grafana · Oct 1, 2024 · 73691c4 · 73691c4
1 parent 11b92ee
commit 73691c4
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/.github/workflows/operator-publish-operator-hub.yml b/.github/workflows/operator-publish-operator-hub.yml
@@ -4,14 +4,27 @@ on:
     types: [published]
 
 jobs:
+  getGithubToken:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.get_github_app_token.outputs.token }}
+    steps:
+      - id: "get_github_app_token"
+        name: "get github token"
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
+
   operator-hub-prod-release:
     if: startsWith(github.event.release.tag_name, 'operator/')
     uses: ./.github/workflows/operator-reusable-hub-release.yml
     with:
       org: redhat-openshift-ecosystem
       repo: community-operators-prod
     secrets:
-      GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+      GRAFANABOT_GITHUB_TOKEN: ${{ needs.getGithubToken.outputs.token }}
 
   operator-hub-community-release:
     if: startsWith(github.event.release.tag_name, 'operator/')
@@ -20,4 +33,4 @@ jobs:
       org: k8s-operatorhub
       repo: community-operators
     secrets:
-      GRAFANABOT_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+      GRAFANABOT_GITHUB_TOKEN: ${{ needs.getGithubToken.outputs.token }}
diff --git a/.github/workflows/operator-release-please.yml b/.github/workflows/operator-release-please.yml
@@ -12,18 +12,30 @@ permissions:
   pull-requests: write
 
 jobs:
+  getGithubToken:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.get_github_app_token.outputs.token }}
+    steps:
+      - id: "get_github_app_token"
+        name: "get github token"
+        uses: "actions/create-github-app-token@v1"
+        with:
+          app-id: "${{ secrets.APP_ID }}"
+          owner: "${{ github.repository_owner }}"
+          private-key: "${{ secrets.APP_PRIVATE_KEY }}"
   releasePlease:
     runs-on: ubuntu-latest
     outputs:
       release_created: ${{ steps.release.outputs.operator--release_created }}
       release_name: ${{ steps.release.outputs.operator--tag_name }}
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: googleapis/release-please-action@v4
         id: release
         with:
           path: operator
           config-file: operator/release-please-config.json
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ needs.getGithubToken.outputs.token }}
   publishRelease:
     needs:
     - "releasePlease"
@@ -36,7 +48,7 @@ jobs:
           path: "release"
       - name: "publish release"
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ needs.getGithubToken.outputs.token }}
         working-directory: "release"
         run: |
           gh release edit "${{ needs.releasePlease.outputs.release_name }}" --draft=false --latest=false