From e5d4dcd3f5bb72ee92eb2f7208615416adc03416 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Thu, 16 Nov 2023 09:56:42 -0800
Subject: [PATCH 1/2] Replace PAT with GitHub App generated token in release workflows
---
 .github/workflows/update-release-status.yml | 16 ++++++++++++++--
 .github/workflows/update-release.yml | 16 +++++++++++++++-
 .github/workflows/validate-release.yml | 19 +++++++++++++++----
 3 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml
index c7d62e80a6..707b8d9e0e 100644
--- a/.github/workflows/update-release-status.yml
+++ b/.github/workflows/update-release-status.yml
@@ -134,11 +134,23 @@ jobs:
 echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT"
+ generate-token:
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
 update-release:
- needs: validate-check-runs
+ needs: [validate-check-runs, generate-token]
 if: needs.validate-check-runs.outputs.status == 'completed'
 uses: ./.github/workflows/update-release.yml
 with:
 head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
 secrets:
- RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
\ No newline at end of file
+ RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
\ No newline at end of file
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
index 9868b2f397..3cb0900ca4 100644
--- a/.github/workflows/update-release.yml
+++ b/.github/workflows/update-release.yml
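Review bot: `RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}` in the `secrets:` block references the job output without the `needs` context, which is not one of the named values a workflow expression can use, so the workflow will be rejected at validation; it should read `RELEASE_ENGINEERING_TOKEN: ${{ needs.generate-token.outputs.token }}`. The same form is used in update-release.yml (hunk @@ -43,7 +57,7) and twice in validate-release.yml (hunks @@ -36,13 +47,13 and @@ -97,13 +108,13), so every consumer of the App token is affected. Routing the token through a job output also depends on the runner forwarding a value that create-github-app-token masks as a secret; if the runner drops masked outputs (worth checking against the action's README for the pinned revision), minting the token as a step inside the consuming job avoids both problems and keeps the token from ever leaving that job. A version comment after the pinned SHA, e.g. `uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e # <tag placeholder>`, would make the pin reviewable.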
@@ -23,8 +23,22 @@ env:
 HEAD_SHA: ${{ inputs.head-sha }}
 jobs:
+
+ generate-token:
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
 update-release:
 name: "Update release"
+ needs: generate-token
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
@@ -43,7 +57,7 @@ jobs:
 - name: Update release assets
 env:
 GITHUB_TOKEN: ${{ github.token }}
- RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+ RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
 run: |
 python scripts/release/update-release-assets.py \
 --head-sha $HEAD_SHA \
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index b134f1eb13..7b6435dfa9 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -14,6 +14,17 @@ env:
 HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 jobs:
+ generate-token:
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 pre-validate-performance:
 outputs:
@@ -36,13 +47,13 @@ jobs:
 echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 validate-performance:
- needs: pre-validate-performance
+ needs: [pre-validate-performance, generate-token]
 runs-on: ubuntu-22.04
 steps:
 - name: Invoke performance test
 env:
 CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
- GH_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+ GH_TOKEN: ${{ generate-token.outputs.token }}
 run: |
 jq -n \
 --arg ref "$HEAD_SHA" \
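Review bot: In update-release.yml the `Update release assets` step (hunk @@ -43,7 +57,7) now reads the token minted by the workflow's own generate-token job, so the `secrets.RELEASE_ENGINEERING_TOKEN` that update-release-status.yml still passes through its `secrets:` block is never read; each run mints two App tokens and one of them is dead. Either keep the reusable workflow consuming the passed secret and drop its generate-token job, or drop the caller's `secrets:` block and, if update-release.yml declares `RELEASE_ENGINEERING_TOKEN` under `workflow_call` (outside this hunk), remove that declaration as well, so a reader can tell from one place which credential the job actually uses. The new generate-token jobs run on `ubuntu-latest` while every other job visible in this patch pins `ubuntu-22.04`; `runs-on: ubuntu-22.04` would keep the runner image consistent and reproducible across the release workflows.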
@@ -97,13 +108,13 @@ jobs:
 echo "check-run-id=$check_run_id" >> "$GITHUB_OUTPUT"
 validate-compiler-compatibility:
- needs: pre-validate-compiler-compatibility
+ needs: [pre-validate-compiler-compatibility, generate-token]
 runs-on: ubuntu-22.04
 steps:
 - name: Invoke compiler compatibility test
 env:
 CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
- GITHUB_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+ GITHUB_TOKEN: ${{ generate-token.outputs.token }}
 run: |
 jq -n \
 --arg ref "$HEAD_SHA" \
From 171a83778234e2d96195d50755e7cc6db19d6ca3 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Thu, 16 Nov 2023 09:58:27 -0800
Subject: [PATCH 2/2] Format workflows
---
 .github/workflows/update-release-status.yml | 24 ++++++++--------
 .github/workflows/update-release.yml | 21 +++++++-------
 .github/workflows/validate-release.yml | 31 +++++++++++----------
 3 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/update-release-status.yml b/.github/workflows/update-release-status.yml
index 707b8d9e0e..0f0587a355 100644
--- a/.github/workflows/update-release-status.yml
+++ b/.github/workflows/update-release-status.yml
@@ -135,22 +135,22 @@ jobs:
 echo "check-run-head-sha=$CHECK_RUN_HEAD_SHA" >> "$GITHUB_OUTPUT"
 generate-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- steps:
- - name: Generate token
- id: generate-token
- uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
- with:
- app_id: ${{ vars.AUTOMATION_APP_ID }}
- private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 update-release:
 needs: [validate-check-runs, generate-token]
 if: needs.validate-check-runs.outputs.status == 'completed'
 uses: ./.github/workflows/update-release.yml
 with:
- head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
+ head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
 secrets:
- RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
\ No newline at end of file
+ RELEASE_ENGINEERING_TOKEN: ${{ generate-token.outputs.token }}
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
index 3cb0900ca4..f3541e0571 100644
--- a/.github/workflows/update-release.yml
+++ b/.github/workflows/update-release.yml
@@ -23,18 +23,17 @@ env:
 HEAD_SHA: ${{ inputs.head-sha }}
 jobs:
-
 generate-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- steps:
- - name: Generate token
- id: generate-token
- uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
- with:
- app_id: ${{ vars.AUTOMATION_APP_ID }}
- private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 update-release:
 name: "Update release"
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index 7b6435dfa9..4a11c2790e 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -15,16 +15,16 @@ env:
 jobs:
 generate-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- steps:
- - name: Generate token
- id: generate-token
- uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
- with:
- app_id: ${{ vars.AUTOMATION_APP_ID }}
- private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.generate-token.outputs.token }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+ with:
+ app_id: ${{ vars.AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 pre-validate-performance:
 outputs:
@@ -72,8 +72,8 @@ jobs:
 steps:
 - name: Fail check run status
 env:
- CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
- GITHUB_TOKEN: ${{ github.token }}
+ CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
 jq -n \
 --arg status "completed" \
@@ -127,14 +127,15 @@ jobs:
 --ref rvermeulen/release-process
 on-failure-validate-compiler-compatibility-dispatch:
- needs: [pre-validate-compiler-compatibility, validate-compiler-compatibility]
+ needs:
+ [pre-validate-compiler-compatibility, validate-compiler-compatibility]
 if: failure()
 runs-on: ubuntu-22.04
 steps:
 - name: Fail check run status
 env:
- CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
- GITHUB_TOKEN: ${{ github.token }}
+ CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
 jq -n \
 --arg status "completed" \