From d9e658072e51c0215b8d88a9070ee59845cfc30f Mon Sep 17 00:00:00 2001
From: Ben Hale
Date: Tue, 3 Nov 2020 09:40:58 -0800
Subject: [PATCH] GitHub Token (#112)

Previously all of the workflows used secrets.GITHUB_TOKEN. In the end the de-privileged nature of this token proved to be too much and this change migrates the workflows to use bot-specific token instead.

Signed-off-by: Ben Hale
---
 .github/pipeline-descriptor.yml | 2 ++
 .github/workflows/synchronize-labels.yml | 2 +-
 .github/workflows/update-draft-release.yml | 2 +-
 .github/workflows/update-pipeline.yml | 4 ++--
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/pipeline-descriptor.yml b/.github/pipeline-descriptor.yml
index 48cec55..432563f 100644
--- a/.github/pipeline-descriptor.yml
+++ b/.github/pipeline-descriptor.yml
@@ -1,3 +1,5 @@
+github_token: ${{ secrets.RIFF_GITHUB_TOKEN }}
+
 codeowners:
 - path: "*"
 owner: "@projectriff/riff-dev"
diff --git a/.github/workflows/synchronize-labels.yml b/.github/workflows/synchronize-labels.yml
index 598e7ad..806452d 100644
--- a/.github/workflows/synchronize-labels.yml
+++ b/.github/workflows/synchronize-labels.yml
@@ -14,4 +14,4 @@ jobs:
 - uses: actions/checkout@v2
 - uses: micnncim/action-label-syncer@v1
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RIFF_GITHUB_TOKEN }}
diff --git a/.github/workflows/update-draft-release.yml b/.github/workflows/update-draft-release.yml
index a7ffc45..a18b5b4 100644
--- a/.github/workflows/update-draft-release.yml
+++ b/.github/workflows/update-draft-release.yml
@@ -12,4 +12,4 @@ jobs:
 - id: release-drafter
 uses: release-drafter/release-drafter@v5
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RIFF_GITHUB_TOKEN }}
diff --git a/.github/workflows/update-pipeline.yml b/.github/workflows/update-pipeline.yml
index 88bda42..6243014 100644
--- a/.github/workflows/update-pipeline.yml
+++ b/.github/workflows/update-pipeline.yml
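Review bot: The new `github_token` key in `.github/pipeline-descriptor.yml` carries no comment saying what the secret is for or what access it needs, which makes later rotation and scope review guesswork. A line above it such as `# Bot token for the generated workflows; replaces the default GITHUB_TOKEN (#112). Grant only the scopes these workflows use.` would record that. How the descriptor's value reaches the generated workflows is not visible in this patch.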
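Review bot: In `.github/workflows/synchronize-labels.yml` the step `uses: micnncim/action-label-syncer@v1` now receives `secrets.RIFF_GITHUB_TOKEN`, and `@v1` is a tag the action's owner can move, so whatever code that tag points to at run time is handed a token that, going by the commit message, is presumably broader than the default one. Pinning the reference to a full commit SHA (`uses: micnncim/action-label-syncer@<full-commit-sha>  # v1`) fixes which code sees the token. The same applies to `release-drafter/release-drafter@v5` in update-draft-release.yml and `peter-evans/create-pull-request@v3` in update-pipeline.yml. The workflow triggers are outside these hunks; if any of them fire on events from forks, confirm the secret is not available on that path.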
@@ -56,7 +56,7 @@ jobs:
 echo "::set-output name=release-notes::${RELEASE_NOTES//$'\n'/%0A}"
 env:
 DESCRIPTOR: .github/pipeline-descriptor.yml
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RIFF_GITHUB_TOKEN }}
 - uses: peter-evans/create-pull-request@v3
 with:
 body: |-
@@ -75,4 +75,4 @@ jobs:
 labels: semver:patch, type:task
 signoff: true
 title: Bump pipeline from ${{ steps.pipeline.outputs.old-version }} to ${{ steps.pipeline.outputs.new-version }}
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.RIFF_GITHUB_TOKEN }}