Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NoQA] Reattempt using OSBotify installation token #29325

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions .github/actions/composite/setupGitForOSBotifyApp/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# This is a duplicate for setupGitForOSBotify except we are using a Github App now for Github Authentication.
# GitHub Apps have higher rate limits. The reason this is being duplicated is because the existing action is still in use
# in open PRs/branches that aren't up to date with main and it ends up breaking action workflows as a result.
name: "Setup Git for OSBotify"
description: "Setup Git for OSBotify"

inputs:
GPG_PASSPHRASE:
description: "Passphrase used to decrypt GPG key"
required: true
OS_BOTIFY_APP_ID:
description: "Application ID for OS Botify"
required: true
OS_BOTIFY_PRIVATE_KEY:
description: "OS Botify's private key"
required: true

outputs:
# Do not try to use this for committing code. Use `secrets.OS_BOTIFY_COMMIT_TOKEN` instead
OS_BOTIFY_API_TOKEN:
description: Token to use for GitHub API interactions.
value: ${{ steps.generateToken.outputs.token }}

runs:
using: composite
steps:
- name: Decrypt OSBotify GPG key
run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase=${{ inputs.GPG_PASSPHRASE }} --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
shell: bash

- name: Import OSBotify GPG Key
shell: bash
run: cd .github/workflows && gpg --import OSBotify-private-key.asc

- name: Set up git for OSBotify
shell: bash
run: |
git config user.signingkey 367811D53E34168C
git config commit.gpgsign true
git config user.name OSBotify
git config user.email infra+osbotify@expensify.com

- name: Enable debug logs for git
shell: bash
if: runner.debug == '1'
run: echo "GIT_TRACE=true" >> "$GITHUB_ENV"

- name: Generate a token
id: generateToken
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
app_id: ${{ inputs.OS_BOTIFY_APP_ID }}
private_key: ${{ inputs.OS_BOTIFY_PRIVATE_KEY }}
8 changes: 5 additions & 3 deletions .github/workflows/cherryPick.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,17 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Set up git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Get previous app version
id: getPreviousVersion
uses: Expensify/App/.github/actions/javascript/getPreviousVersion@main
with:
SEMVER_LEVEL: 'PATCH'
SEMVER_LEVEL: "PATCH"

- name: Fetch history of relevant refs
run: |
Expand Down Expand Up @@ -119,7 +121,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: 'Announces a CP failure in the #announce Slack room'
- name: "Announces a CP failure in the #announce Slack room"
uses: 8398a7/action-slack@v3
if: ${{ failure() }}
with:
Expand Down
25 changes: 18 additions & 7 deletions .github/workflows/createNewVersion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,18 @@ on:
LARGE_SECRET_PASSPHRASE:
description: Passphrase used to decrypt GPG key
required: true
OS_BOTIFY_TOKEN:
description: Token for the OSBotify user
required: true
SLACK_WEBHOOK:
description: Webhook used to comment in slack
required: true
OS_BOTIFY_COMMIT_TOKEN:
description: OSBotify personal access token, used to workaround committing to protected branch
required: true
OS_BOTIFY_APP_ID:
description: Application ID for OS Botify App
required: true
OS_BOTIFY_PRIVATE_KEY:
description: OSBotify private key
required: true

jobs:
validateActor:
Expand All @@ -43,7 +49,7 @@ jobs:
id: getUserPermissions
run: echo "PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission | jq -r '.permission')" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

createNewVersion:
runs-on: macos-latest
Expand All @@ -65,18 +71,23 @@ jobs:
uses: actions/checkout@v3
with:
ref: main
token: ${{ secrets.OS_BOTIFY_TOKEN }}
# The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify
# This is a workaround to allow pushes to a protected branch
token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Generate version
id: bumpVersion
uses: Expensify/App/.github/actions/javascript/bumpVersion@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
SEMVER_LEVEL: ${{ inputs.SEMVER_LEVEL }}

- name: Commit new version
Expand Down
33 changes: 19 additions & 14 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,18 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/staging'
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Checkout staging branch
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
ref: staging
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Tag version
run: git tag "$(npm run print-version --silent)"
Expand All @@ -30,16 +32,19 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/production'
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- uses: actions/checkout@v3
- name: Checkout
uses: actions/checkout@v3
with:
ref: production
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Get current app version
run: echo "PRODUCTION_VERSION=$(npm run print-version --silent)" >> "$GITHUB_ENV"
Expand All @@ -49,7 +54,7 @@ jobs:
uses: Expensify/App/.github/actions/javascript/getDeployPullRequestList@main
with:
TAG: ${{ env.PRODUCTION_VERSION }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
IS_PRODUCTION_DEPLOY: true

- name: Generate Release Body
Expand All @@ -64,4 +69,4 @@ jobs:
tag_name: ${{ env.PRODUCTION_VERSION }}
body: ${{ steps.getReleaseBody.outputs.RELEASE_BODY }}
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
24 changes: 18 additions & 6 deletions .github/workflows/finishReleaseCycle.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,13 @@ jobs:
outputs:
isValid: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && !fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS) }}
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Validate actor is deployer
id: isDeployer
run: |
Expand All @@ -21,13 +28,13 @@ jobs:
echo "IS_DEPLOYER=false" >> "$GITHUB_OUTPUT"
fi
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Reopen and comment on issue (not a team member)
if: ${{ !fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
Sorry, only members of @Expensify/Mobile-Deployers can close deploy checklists.
Expand All @@ -38,14 +45,14 @@ jobs:
id: checkDeployBlockers
uses: Expensify/App/.github/actions/javascript/checkDeployBlockers@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}

- name: Reopen and comment on issue (has blockers)
if: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS || 'false') }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
This issue either has unchecked items or has not yet been marked with the `:shipit:` emoji of approval.
Expand All @@ -70,9 +77,12 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update production branch
run: |
Expand Down Expand Up @@ -109,9 +119,11 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch to trigger staging deploy
run: |
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/preDeploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -92,9 +92,11 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch from main
run: |
Expand Down
Loading