Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reattempt using OSBotify installation token in actions #28291

Merged
merged 9 commits into from
Oct 2, 2023
25 changes: 22 additions & 3 deletions .github/actions/composite/setupGitForOSBotify/action.yml
Original file line number Diff line number Diff line change
@@ -1,11 +1,23 @@
name: 'Setup Git for OSBotify'
description: 'Setup Git for OSBotify'
name: "Setup Git for OSBotify"
description: "Setup Git for OSBotify"

inputs:
GPG_PASSPHRASE:
description: 'Passphrase used to decrypt GPG key'
description: "Passphrase used to decrypt GPG key"
required: true
OS_BOTIFY_APP_ID:
description: "Application ID for OS Botify"
required: true
OS_BOTIFY_PRIVATE_KEY:
description: "OS Botify's private key"
required: true

outputs:
# Do not try to use this for committing code. Use `secrets.OS_BOTIFY_COMMIT_TOKEN` instead
OS_BOTIFY_API_TOKEN:
description: Token to use for GitHub API interactions.
value: ${{ steps.generateToken.outputs.token }}

runs:
using: composite
steps:
Expand All @@ -29,3 +41,10 @@ runs:
shell: bash
if: runner.debug == '1'
run: echo "GIT_TRACE=true" >> "$GITHUB_ENV"

- name: Generate a token
id: generateToken
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
app_id: ${{ inputs.OS_BOTIFY_APP_ID }}
private_key: ${{ inputs.OS_BOTIFY_PRIVATE_KEY }}
roryabraham marked this conversation as resolved.
Show resolved Hide resolved
6 changes: 4 additions & 2 deletions .github/workflows/cherryPick.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,12 +44,14 @@ jobs:
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Get previous app version
id: getPreviousVersion
uses: Expensify/App/.github/actions/javascript/getPreviousVersion@main
with:
SEMVER_LEVEL: 'PATCH'
SEMVER_LEVEL: "PATCH"

- name: Fetch history of relevant refs
run: |
Expand Down Expand Up @@ -119,7 +121,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: 'Announces a CP failure in the #announce Slack room'
- name: "Announces a CP failure in the #announce Slack room"
uses: 8398a7/action-slack@v3
if: ${{ failure() }}
with:
Expand Down
23 changes: 17 additions & 6 deletions .github/workflows/createNewVersion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,18 @@ on:
LARGE_SECRET_PASSPHRASE:
description: Passphrase used to decrypt GPG key
required: true
OS_BOTIFY_TOKEN:
description: Token for the OSBotify user
required: true
SLACK_WEBHOOK:
description: Webhook used to comment in slack
required: true
OS_BOTIFY_COMMIT_TOKEN:
description: OSBotify personal access token, used to workaround committing to protected branch
required: true
OS_BOTIFY_APP_ID:
description: Application ID for OS Botify App
required: true
OS_BOTIFY_PRIVATE_KEY:
description: OSBotify private key
required: true

jobs:
validateActor:
Expand All @@ -43,7 +49,7 @@ jobs:
id: getUserPermissions
run: echo "PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission | jq -r '.permission')" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

createNewVersion:
runs-on: macos-latest
Expand All @@ -65,18 +71,23 @@ jobs:
uses: actions/checkout@v3
with:
ref: main
token: ${{ secrets.OS_BOTIFY_TOKEN }}
# The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify
# This is a workaround to allow pushes to a protected branch
token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Generate version
id: bumpVersion
uses: Expensify/App/.github/actions/javascript/bumpVersion@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
SEMVER_LEVEL: ${{ inputs.SEMVER_LEVEL }}

- name: Commit new version
Expand Down
28 changes: 19 additions & 9 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,18 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/staging'
steps:
- uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Checkout staging branch
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
ref: staging
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Tag version
run: git tag "$(npm run print-version --silent)"
Expand All @@ -30,11 +32,19 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/production'
steps:
- uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- uses: actions/checkout@v3
- name: Checkout
uses: actions/checkout@v3
with:
ref: production
token: ${{ secrets.OS_BOTIFY_TOKEN }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
Expand All @@ -49,7 +59,7 @@ jobs:
uses: Expensify/App/.github/actions/javascript/getDeployPullRequestList@main
with:
TAG: ${{ env.PRODUCTION_VERSION }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
IS_PRODUCTION_DEPLOY: true

- name: Generate Release Body
Expand All @@ -64,4 +74,4 @@ jobs:
tag_name: ${{ env.PRODUCTION_VERSION }}
body: ${{ steps.getReleaseBody.outputs.RELEASE_BODY }}
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
20 changes: 16 additions & 4 deletions .github/workflows/finishReleaseCycle.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,13 @@ jobs:
outputs:
isValid: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && !fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS) }}
steps:
- uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Validate actor is deployer
id: isDeployer
run: |
Expand All @@ -21,13 +28,13 @@ jobs:
echo "IS_DEPLOYER=false" >> "$GITHUB_OUTPUT"
fi
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Reopen and comment on issue (not a team member)
if: ${{ !fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
Sorry, only members of @Expensify/Mobile-Deployers can close deploy checklists.
Expand All @@ -38,14 +45,14 @@ jobs:
id: checkDeployBlockers
uses: Expensify/App/.github/actions/javascript/checkDeployBlockers@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}

- name: Reopen and comment on issue (has blockers)
if: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS || 'false') }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
This issue either has unchecked items or has not yet been marked with the `:shipit:` emoji of approval.
Expand All @@ -70,9 +77,12 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
id: setupGitForOSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update production branch
run: |
Expand Down Expand Up @@ -112,6 +122,8 @@ jobs:
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch to trigger staging deploy
run: |
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/preDeploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,8 @@ jobs:
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the APP_ID and INSTALLATION_ID really have to be secret? I don't know the answer, but if these could be just hard-coded in plain text it could make this PR a bit simpler

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the example, the APP_ID is marked secret, but not the installation ID. I'm not actually sure if it does need to be this way, so I just stuck with the example

https://github.com/tibdex/github-app-token/blob/main/README.md

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we can actually get rid of the installation ID in the latest version of this so I'm going to update it now

OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch from main
run: |
Expand Down
Loading