Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: update release workflows to use a PAT #121

Merged
merged 1 commit into from
Apr 2, 2024
Merged

chore: update release workflows to use a PAT #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion .github/workflows/create-release-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
type: string
required: false

permissions:
id-token: write

jobs:
release-pr:
name: Release PR
Expand All @@ -20,11 +23,25 @@ jobs:
INPUT_OVERRIDE_VERSION: ${{ github.event.inputs.OVERRIDE_VERSION }}

steps:
# Assume an AWS Role that provides access to the Access Token
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4
with:
role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
aws-region: us-west-2
# Retrieve the Access Token from Secrets Manager
- name: Retrieve secret from AWS Secrets Manager
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
parse-json-secrets: true
# Checkout a full clone of the repo
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: '0'
token: ${{ env.AWS_SECRET_TOKEN }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might just be for my understanding, but is this the same as AWS_SECRET on line 37? The names don't match?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. The github action that fetches the secret from secret manager creates environment variables that have "AWS_SECRET" as a prefix. Since the actual secret is in json format with the key being "token". The resulting environment variable becomes "AWS_SECRET_TOKEN".

# Install .NET8 which is needed for AutoVer
- name: Setup .NET 8.0
uses: actions/setup-dotnet@v4
Expand Down Expand Up @@ -77,7 +94,7 @@ jobs:
# Create the Release PR and label it
- name: Create Pull Request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
run: |
pr_url="$(gh pr create --title "${{ steps.read-release-name.outputs.VERSION }}" --body "${{ steps.read-changelog.outputs.CHANGELOG }}" --base dev --head ${{ steps.create-release-branch.outputs.BRANCH }})"
gh label create "Release PR" --description "A Release PR that includes versioning and changelog changes" -c "#FF0000" -f
Expand Down
17 changes: 16 additions & 1 deletion .github/workflows/sync-main-dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:

permissions:
contents: write
id-token: write

jobs:
# This job will check if the PR was successfully merged, it's source branch is `releases/next-release` and target branch is `dev`.
Expand All @@ -23,12 +24,26 @@ jobs:
github.event.pull_request.base.ref == 'dev'
runs-on: ubuntu-latest
steps:
# Assume an AWS Role that provides access to the Access Token
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4
with:
role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
aws-region: us-west-2
# Retrieve the Access Token from Secrets Manager
- name: Retrieve secret from AWS Secrets Manager
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
parse-json-secrets: true
# Checkout a full clone of the repo
- name: Checkout code
uses: actions/checkout@v4
with:
ref: dev
fetch-depth: 0
token: ${{ env.AWS_SECRET_TOKEN }}
# Install .NET8 which is needed for AutoVer
- name: Setup .NET 8.0
uses: actions/setup-dotnet@v4
Expand Down Expand Up @@ -70,7 +85,7 @@ jobs:
# Create the GitHub Release
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
run: |
gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}"
# Delete the `releases/next-release` branch
Expand Down
Loading