From 1efa06b8a68880f63fac0910d5171bfa8e7eeb2f Mon Sep 17 00:00:00 2001
From: Maxwell G
Date: Tue, 17 Oct 2023 14:35:41 -0500
Subject: [PATCH] ci: use Github App token to authenticate (#621)

This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly.

A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets.

Fixes: https://github.com/ansible/ansible-documentation/issues/382
---
 .github/workflows/labeler.yml | 9 ++++++++-
 .github/workflows/pip-compile-dev.yml | 6 ++----
 .github/workflows/pip-compile-docs.yml | 6 ++----
 .github/workflows/reusable-pip-compile.yml | 17 ++++++++++-------
 hacking/get_bot_user.sh | 14 ++++++++++++++
 5 files changed, 36 insertions(+), 16 deletions(-)
 create mode 100755 hacking/get_bot_user.sh

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 2c09379cf3b..a8abec2a423 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -28,6 +28,7 @@ permissions:
 jobs:
 label_prs:
 runs-on: ubuntu-latest
+ environment: github-bot
 name: "Label Issue/PR"
 steps:
 - name: Print event information
@@ -35,6 +36,12 @@ jobs:
 event_json: "${{ toJSON(github.event) }}"
 run: |
 echo "${event_json}"
+ - name: Generate temp GITHUB_TOKEN
+ id: create_token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.BOT_APP_ID }}
+ private_key: ${{ secrets.BOT_APP_KEY }}
 - name: Checkout parent repository
 uses: actions/checkout@v4
 - name: Install Python 3.11
@@ -56,6 +63,6 @@ jobs:
 if: "github.event.pull_request || inputs.type == 'pr'"
 env:
 event_json: "${{ toJSON(github.event) }}"
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 run: ./venv/bin/python hacking/pr_labeler/label.py pr ${{ github.event.number || inputs.number }}
 
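Review bot: The step that receives the App's private key, `uses: tibdex/github-app-token@v2`, is pinned to a mutable tag; anyone who can move that tag can read `BOT_APP_KEY` and mint installation tokens for every repository the app is installed on, so pin it to a full commit SHA (`uses: tibdex/github-app-token@<40-char-sha> # v2`) and let Dependabot/Renovate bump it. The minted token also carries every permission granted to the app installation, which is broader than the `permissions:` block shown as hunk context for the built-in `GITHUB_TOKEN` (that block no longer governs the labeling step, which now reads `steps.create_token.outputs.token`); if the pinned version of the action supports them, pass its `permissions:` (and `repositories:`) inputs to narrow the token to what `label.py` needs, presumably `pull-requests: write` and `issues: write`. The workflow's trigger is outside the hunk; if it is `pull_request_target`, it matters that the later steps keep checking out the base repository only, as they do here, since the script now runs with the app's full authority.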
diff --git a/.github/workflows/pip-compile-dev.yml b/.github/workflows/pip-compile-dev.yml
index 5931b4f4481..5f5fd19329e 100644
--- a/.github/workflows/pip-compile-dev.yml
+++ b/.github/workflows/pip-compile-dev.yml
@@ -23,10 +23,6 @@ name: "Refresh dev dependencies"
 - ".github/workflows/pip-compile-dev.yml"
 - "tests/*.in"
 
-permissions:
- pull-requests: write
- contents: write
-
 jobs:
 refresh:
 name: "Refresh dev dependencies"
@@ -41,3 +37,5 @@ jobs:
 'pip-compile-3.10(static)'
 'pip-compile-3.10(spelling)'
 reset-branch: "${{ inputs.reset-branch || false }}"
+ secrets: inherit
+ environment: github-bot
diff --git a/.github/workflows/pip-compile-docs.yml b/.github/workflows/pip-compile-docs.yml
index 00585e79422..456dc723f93 100644
--- a/.github/workflows/pip-compile-docs.yml
+++ b/.github/workflows/pip-compile-docs.yml
@@ -23,10 +23,6 @@ name: "Refresh docs build dependencies"
 - ".github/workflows/pip-compile-docs.yml"
 - "tests/*.in"
 
-permissions:
- pull-requests: write
- contents: write
-
 jobs:
 refresh:
 name: "Refresh docs build dependencies"
@@ -37,3 +33,5 @@ jobs:
 pr-branch: "${{ inputs.pr-branch || 'pip-compile/devel/docs' }}"
 nox-args: "-e 'pip-compile-3.10(requirements)' 'pip-compile-3.10(requirements-relaxed)'"
 reset-branch: "${{ inputs.reset-branch || false }}"
+ secrets: inherit
+ environment: github-bot
diff --git a/.github/workflows/reusable-pip-compile.yml b/.github/workflows/reusable-pip-compile.yml
index 88e9dd8fd07..1d08d2f725f 100644
--- a/.github/workflows/reusable-pip-compile.yml
+++ b/.github/workflows/reusable-pip-compile.yml
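Review bot: `environment: github-bot` is added to a job that calls a reusable workflow through `uses:`, and as far as I know GitHub accepts only `name`, `uses`, `with`, `secrets`, `needs`, `if`, `permissions`, `concurrency` and `strategy` on such caller jobs, so this line is likely to fail workflow validation rather than gate anything; the same two lines are added to pip-compile-docs.yml in the next file section. The called workflow already sets `environment: github-bot` on its own job in this patch, which is where the environment-scoped `BOT_APP_ID`/`BOT_APP_KEY` are resolved, so the line can simply be dropped from both callers. `secrets: inherit` is what actually makes those secrets reachable from the callee and is needed here because environment secrets cannot be forwarded by name from a caller job without an environment, but it forwards every secret the caller can see, so keep this pattern limited to callees in the same repository.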
@@ -54,19 +54,23 @@ name: "Refresh pinned dependencies"
 type: boolean
 default: false
 
-permissions:
- pull-requests: write
- contents: write
-
 jobs:
 refresh:
 runs-on: ubuntu-latest
+ environment: github-bot
 steps:
+ - name: Generate temp GITHUB_TOKEN
+ id: create_token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.BOT_APP_ID }}
+ private_key: ${{ secrets.BOT_APP_KEY }}
 - name: Check out repo
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
 ref: "${{ inputs.base-branch }}"
+ token: "${{ steps.create_token.outputs.token }}"
 - name: Fetch required contents of ansible-core
 run: |
 python docs/bin/clone-core.py
@@ -76,8 +80,7 @@ jobs:
 python-versions: "3.9"
 - name: Set up git committer
 run: |
- git config user.name "Github Actions"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ hacking/get_bot_user.sh "ansible-documentation-bot" "Ansible Documentation Bot"
 - name: "Use a branch named ${{ inputs.pr-branch }}"
 id: branch
 run: |
@@ -99,7 +102,7 @@ jobs:
 nox ${{ inputs.nox-args }}
 - name: Push new dependency versions and create a PR
 env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 run: |
 set -x
 git diff || :
diff --git a/hacking/get_bot_user.sh b/hacking/get_bot_user.sh
new file mode 100755
index 00000000000..3052958deb6
--- /dev/null
+++ b/hacking/get_bot_user.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/bash -x
+
+# Set Github committer to a bot user
+
+set -euo pipefail
+
+bot="${1}"
+name="${2-${1}}"
+path="https://api.github.com/users/${bot}%5Bbot%5D"
+user_id="$(curl -sS "${path}" | jq -r .id)"
+GIT="${GIT:-git}"
+
+${GIT} config user.name "${name}"
+${GIT} config user.email "${user_id}+${bot}@users.noreply.github.com"
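Review bot: Passing the App token to `actions/checkout` via `token:` leaves it in `.git/config` for the rest of the job (checkout's `persist-credentials` defaults to true), so every later step — `docs/bin/clone-core.py` and the `nox` pip-compile run, which can execute the setup.py/build backend of any sdist it has to resolve — runs next to a credential that can push to this repository and open PRs. Unless the push step (its body is outside this hunk) depends on the stored credential, set `persist-credentials: false` on this checkout and hand the token only to the push step, e.g. `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" HEAD:...`. The token is short-lived and I believe the action revokes it in a post step by default, which shortens but does not close that window.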
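Review bot: `user_id="$(curl -sS "${path}" | jq -r .id)"` cannot fail on an HTTP error: without `-f`, curl exits 0 on a 403/404 body, `jq -r .id` prints `null`, `set -euo pipefail` is satisfied, and the script then configures `null+ansible-documentation-bot@users.noreply.github.com`, so the bot's commits are silently misattributed. That is likely in practice because the request is unauthenticated and the public api.github.com limit is 60 requests per hour per IP, shared by every job on a hosted runner. Use `curl -fsS` and check the value before using it: `[[ "${user_id}" =~ ^[0-9]+$ ]] || { echo "could not resolve user id for ${bot}[bot]" >&2; exit 1; }`; sending `-H "Authorization: Bearer ${GITHUB_TOKEN}"` when that variable is set would lift the limit (the calling step currently exports no token). The `-x` in the shebang traces every command into the job log, which is harmless here since nothing secret is handled, but it is silently dropped when the script is run as `bash get_bot_user.sh`, so `set -x` inside the script is the more predictable place for it.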