fix: leverage github app secrets in helm release workflow
marcsanmi committed Oct 17, 2024
1 parent e696502 commit acde21b
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion .github/workflows/helm-release.yml
Expand Up @@ -6,6 +6,18 @@ on:
- main
- "release-[0-9]+.[0-9]+"

# NOTE: We need to store GH_RELEASES_APP_ID and GH_RELEASES_APP_PRIVATE_KEY as repository secrets
# (even though we already store them in Vault) due to limitations in how secrets can be
# accessed and passed between different parts of a GitHub Actions workflow.
#
# The grafana/helm-charts/.github/workflows/update-helm-repo.yaml is a reusable workflow,
# not a composite action. This means we can't run steps to retrieve secrets from Vault
# before calling this workflow within the same job.
#
# While we have access to the grafana/shared-workflows/actions/get-vault-secrets@main action,
# environment variables set by this action in one job are not accessible in other jobs or
# in reusable workflows called from this workflow.

jobs:
call-update-helm-repo:
uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
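Review bot: The new NOTE explains why GH_RELEASES_APP_ID and GH_RELEASES_APP_PRIVATE_KEY are duplicated as repository secrets, but it does not say which copy is authoritative or that a rotation in Vault must also be applied to the repository secrets. Add one line to the comment stating that, otherwise the two copies will drift and the release job will fail, or keep using an old key, after the next rotation. Separately, the `uses:` line at the end of this hunk references the reusable workflow at `@main`, a mutable ref. Since this commit hands that workflow a GitHub App private key, consider pinning it to a full commit SHA so a later change on that branch cannot alter what runs with the key without a reviewed bump here.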
Expand All @@ -14,4 +26,5 @@ jobs:
cr_configfile: operations/pyroscope/helm/cr.yaml
ct_configfile: operations/pyroscope/helm/ct.yaml
secrets:
helm_repo_token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
github_app_id: ${{ secrets.GH_RELEASES_APP_ID }}
github_app_pem: ${{ secrets.GH_RELEASES_APP_PRIVATE_KEY }}
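Review bot: In the `secrets:` block, `helm_repo_token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}` is replaced by `github_app_id` and `github_app_pem` (the hunk header goes from 4 to 5 lines), but nothing in the commit says what happens to GH_BOT_ACCESS_TOKEN. If no other workflow in this repository still reads it, remove the repository secret and revoke the token as a follow-up, so a long-lived bot credential does not stay valid after its last consumer is gone. It is also worth confirming before merge that the called workflow declares both new secret names and no longer requires `helm_repo_token`, since that cannot be checked from this diff.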
