ci: use Github App token to authenticate (#621)
This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built in to Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment is added to store the BOT_APP_ID and BOT_APP_KEY
secrets.

Fixes: #382
gotmax23 authored Oct 17, 2023
1 parent 96d5929 commit 1efa06b
Showing 5 changed files with 36 additions and 16 deletions.
9 changes: 8 additions & 1 deletion .github/workflows/labeler.yml
Expand Up @@ -28,13 +28,20 @@ permissions:
jobs:
label_prs:
runs-on: ubuntu-latest
environment: github-bot
name: "Label Issue/PR"
steps:
- name: Print event information
env:
event_json: "${{ toJSON(github.event) }}"
run: |
echo "${event_json}"
- name: Generate temp GITHUB_TOKEN
id: create_token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.BOT_APP_ID }}
private_key: ${{ secrets.BOT_APP_KEY }}
- name: Checkout parent repository
uses: actions/checkout@v4
- name: Install Python 3.11
Expand All @@ -56,6 +63,6 @@ jobs:
if: "github.event.pull_request || inputs.type == 'pr'"
env:
event_json: "${{ toJSON(github.event) }}"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
run:
./venv/bin/python hacking/pr_labeler/label.py pr ${{ github.event.number || inputs.number }}
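Review bot: The new token-minting step pins a third-party action to a mutable tag, `uses: tibdex/github-app-token@v2`, while handing it the app's private key; pinning to a full-length commit SHA with the version in a trailing comment (`uses: tibdex/github-app-token@<full-commit-sha>  # v2`, placeholder to be filled from the action's release) keeps a tag move or a compromise of that repository from silently changing the code that receives `secrets.BOT_APP_KEY`. The same pin appears in the reusable-pip-compile.yml section of this commit. If the pinned version of the action supports its `repositories` and `permissions` inputs, the minted token should also be narrowed to this repository and to the issues/pull-requests permissions the labeler needs instead of the app's full installation grant; confirm the input names against the action's documentation for the pinned release.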
6 changes: 2 additions & 4 deletions .github/workflows/pip-compile-dev.yml
Expand Up @@ -23,10 +23,6 @@ name: "Refresh dev dependencies"
- ".github/workflows/pip-compile-dev.yml"
- "tests/*.in"

permissions:
pull-requests: write
contents: write

jobs:
refresh:
name: "Refresh dev dependencies"
Expand All @@ -41,3 +37,5 @@ jobs:
'pip-compile-3.10(static)'
'pip-compile-3.10(spelling)'
reset-branch: "${{ inputs.reset-branch || false }}"
secrets: inherit
environment: github-bot
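Review bot: `environment: github-bot` is set on a job that calls a reusable workflow (the `secrets: inherit` line above it is only meaningful on such a job), and `environment` is not among the keys GitHub lists as supported on a caller job, so this line presumably fails workflow validation; the environment is already declared on the `refresh` job inside reusable-pip-compile.yml in this same commit, so the line can be dropped here and in the identical hunk in pip-compile-docs.yml. `secrets: inherit` also forwards every secret the calling workflow can see rather than only the two the called workflow needs; that is broader than least privilege requires, but since the bot secrets appear to be environment-scoped, confirm whether they can be passed explicitly before narrowing it. The `refresh` job definition, including its `uses:` line, starts above this hunk.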
6 changes: 2 additions & 4 deletions .github/workflows/pip-compile-docs.yml
Expand Up @@ -23,10 +23,6 @@ name: "Refresh docs build dependencies"
- ".github/workflows/pip-compile-docs.yml"
- "tests/*.in"

permissions:
pull-requests: write
contents: write

jobs:
refresh:
name: "Refresh docs build dependencies"
Expand All @@ -37,3 +33,5 @@ jobs:
pr-branch: "${{ inputs.pr-branch || 'pip-compile/devel/docs' }}"
nox-args: "-e 'pip-compile-3.10(requirements)' 'pip-compile-3.10(requirements-relaxed)'"
reset-branch: "${{ inputs.reset-branch || false }}"
secrets: inherit
environment: github-bot
17 changes: 10 additions & 7 deletions .github/workflows/reusable-pip-compile.yml
Expand Up @@ -54,19 +54,23 @@ name: "Refresh pinned dependencies"
type: boolean
default: false

permissions:
pull-requests: write
contents: write

jobs:
refresh:
runs-on: ubuntu-latest
environment: github-bot
steps:
- name: Generate temp GITHUB_TOKEN
id: create_token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.BOT_APP_ID }}
private_key: ${{ secrets.BOT_APP_KEY }}
- name: Check out repo
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: "${{ inputs.base-branch }}"
token: "${{ steps.create_token.outputs.token }}"
- name: Fetch required contents of ansible-core
run: |
python docs/bin/clone-core.py
Expand All @@ -76,8 +80,7 @@ jobs:
python-versions: "3.9"
- name: Set up git committer
run: |
git config user.name "Github Actions"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
hacking/get_bot_user.sh "ansible-documentation-bot" "Ansible Documentation Bot"
- name: "Use a branch named ${{ inputs.pr-branch }}"
id: branch
run: |
Expand All @@ -99,7 +102,7 @@ jobs:
nox ${{ inputs.nox-args }}
- name: Push new dependency versions and create a PR
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
run: |
set -x
git diff || :
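Review bot: Deleting the workflow-level `permissions:` block in the first hunk leaves the automatic GITHUB_TOKEN at the repository's default permissions, which may still be read/write, even though no step in this job uses that token any more once the push step switches to `steps.create_token.outputs.token`; replacing the block with `permissions: {}` (or `permissions:` / `  contents: read` if any later step needs read access) pins the built-in token to the minimum instead of relying on the repository setting. Note also that passing `token:` to `actions/checkout@v4` persists the app token in the checkout's git config for the rest of the job, which the later push relies on, so it should stay, but it means every subsequent step runs with push rights to the repository. The `refresh` job continues below the last hunk.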
14 changes: 14 additions & 0 deletions hacking/get_bot_user.sh
@@ -0,0 +1,14 @@
#!/usr/bin/bash -x

# Set Github committer to a bot user

set -euo pipefail

bot="${1}"
name="${2-${1}}"
path="https://api.github.com/users/${bot}%5Bbot%5D"
user_id="$(curl -sS "${path}" | jq -r .id)"
GIT="${GIT:-git}"

${GIT} config user.name "${name}"
${GIT} config user.email "${user_id}+${bot}@users.noreply.github.com"
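Review bot: The committer address built on the last line drops the `[bot]` suffix that the removed line in reusable-pip-compile.yml carried (`41898282+github-actions[bot]@users.noreply.github.com`), so the result is `<id>+ansible-documentation-bot@users.noreply.github.com`, which GitHub will presumably not match to the app's user account; `"${user_id}+${bot}[bot]@users.noreply.github.com"` keeps the attribution, assuming that is the intent. The lookup also has no failure handling: `curl -sS` exits 0 on an HTTP error such as an unauthenticated rate-limit response, `jq -r .id` then prints `null`, and `set -e` does not stop the script, so the committer email is silently written with `null` as the id. Using `curl -sSf` and checking that `user_id` is numeric before touching git config closes that gap; the rewritten lines are below.
```shell
user_id="$(curl -sSf "${path}" | jq -r .id)"
if ! [[ "${user_id}" =~ ^[0-9]+$ ]]; then
    echo "get_bot_user.sh: could not resolve a numeric id for ${bot}[bot]" >&2
    exit 1
fi
GIT="${GIT:-git}"

${GIT} config user.name "${name}"
${GIT} config user.email "${user_id}+${bot}[bot]@users.noreply.github.com"
```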
