From df927192817a719bb8f80092fab31dfe35e1593b Mon Sep 17 00:00:00 2001 From: Phil Asmar Date: Fri, 29 Mar 2024 10:31:01 -0400 Subject: [PATCH] chore: update release workflows to use a PAT --- .github/workflows/create-release-pr.yml | 19 ++++++++++++++++++- .github/workflows/sync-main-dev.yml | 17 ++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 6379c4d..02e2570 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -11,6 +11,9 @@ on: type: string required: false +permissions: + id-token: write + jobs: release-pr: name: Release PR @@ -20,11 +23,25 @@ jobs: INPUT_OVERRIDE_VERSION: ${{ github.event.inputs.OVERRIDE_VERSION }} steps: + # Assume an AWS Role that provides access to the Access Token + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4 + with: + role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} + aws-region: us-west-2 + # Retrieve the Access Token from Secrets Manager + - name: Retrieve secret from AWS Secrets Manager + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} + parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout uses: actions/checkout@v4 with: fetch-depth: '0' + token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 uses: actions/setup-dotnet@v4 @@ -77,7 +94,7 @@ jobs: # Create the Release PR and label it - name: Create Pull Request env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }} run: | pr_url="$(gh pr create --title "${{ steps.read-release-name.outputs.VERSION }}" --body "${{ steps.read-changelog.outputs.CHANGELOG }}" --base dev --head ${{ steps.create-release-branch.outputs.BRANCH }})" gh label create "Release PR" --description "A Release PR that includes versioning and changelog changes" -c "#FF0000" -f diff --git a/.github/workflows/sync-main-dev.yml b/.github/workflows/sync-main-dev.yml index 8048901..5d0235f 100644 --- a/.github/workflows/sync-main-dev.yml +++ b/.github/workflows/sync-main-dev.yml @@ -10,6 +10,7 @@ on: permissions: contents: write + id-token: write jobs: # This job will check if the PR was successfully merged, it's source branch is `releases/next-release` and target branch is `dev`. @@ -23,12 +24,26 @@ jobs: github.event.pull_request.base.ref == 'dev' runs-on: ubuntu-latest steps: + # Assume an AWS Role that provides access to the Access Token + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4 + with: + role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} + aws-region: us-west-2 + # Retrieve the Access Token from Secrets Manager + - name: Retrieve secret from AWS Secrets Manager + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} + parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout code uses: actions/checkout@v4 with: ref: dev fetch-depth: 0 + token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 uses: actions/setup-dotnet@v4 @@ -70,7 +85,7 @@ jobs: # Create the GitHub Release - name: Create GitHub Release env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }} run: | gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}" # Delete the `releases/next-release` branch