
ci: use GitHub app for ephemeral tokens #3801

Merged
merged 3 commits into from
Sep 24, 2024

Conversation

v1v
Member

@v1v v1v commented Sep 17, 2024

What does this PR do?

Use the GitHub app to generate the required ephemeral tokens following the least-privilege principle.

Why

  • Fine-grained tokens on service machine accounts require the secrets to be rotated manually.
  • Using a GitHub app to generate temporary tokens is the more advanced approach that avoids the above.
  • Document what the GH workflow requires to run in terms of access.
  • GitHub Token with Permissions does not trigger GitHub builds.

Implementation details

  • Use tibdex/github-app-token with the required permissions and the repository scope.
  • Remove the permissions configuration in the GH workflow.
  • Configure git checkout with the ephemeral token.
  • Configure the GH_TOKEN with the ephemeral token.

Checklist

  • This is an enhancement of existing features, or a new feature in existing plugins
    • I have updated CHANGELOG.asciidoc
    • I have added tests that prove my fix is effective or that my feature works
    • Added an API method or config option? Document in which version this will be introduced
    • I have made corresponding changes to the documentation
  • This is a bugfix
  • This is a new plugin
    • I have updated CHANGELOG.asciidoc
    • My code follows the style guidelines of this project
    • I have made corresponding changes to the documentation
    • I have added tests that prove my fix is effective or that my feature works
    • New and existing unit tests pass locally with my changes
    • I have updated supported-technologies.asciidoc
    • Added an API method or config option? Document in which version this will be introduced
    • Added an instrumentation plugin? Describe how you made sure that old, non-supported versions are not instrumented by accident.
  • This is something else
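A minimal workflow that puts the four implementation steps above together, added here as an illustration and not the PR's own diff; the secret names, job layout and the exact permission set are assumptions:

```yaml
name: release-step

on:
  workflow_dispatch:

# No workflow-level `permissions:` block: the privileged steps use the
# short-lived installation token minted below, not the default GITHUB_TOKEN.

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Mint an installation token scoped to this repository only and to the
      # exact permissions the job needs (assumed set). The action revokes the
      # token in its post step when the job ends (default `revoke: true`).
      - name: Get ephemeral token
        id: app-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.RELEASE_APP_ID }}                  # assumed secret name
          private_key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}    # assumed secret name
          repositories: '["${{ github.event.repository.name }}"]'
          permissions: '{"contents": "write", "pull_requests": "write"}'

      # Check out with the app token so that commits pushed by later steps are
      # made by the app installation; unlike pushes made with GITHUB_TOKEN,
      # these do trigger downstream workflows.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      # Expose the same token to the gh CLI for the release step itself.
      - name: Run release step
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gh pr list --limit 1
```

Any permission not listed in `permissions` is absent from the token, so a step that needs more fails with 403 at that call rather than silently running with a broad PAT.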

@v1v v1v requested review from a team September 17, 2024 10:20
@v1v v1v self-assigned this Sep 17, 2024
reakaleek
reakaleek previously approved these changes Sep 17, 2024
.github/workflows/pre-post-release.yml Outdated
.github/workflows/release-step-3.yml Outdated
Member

@SylvainJuge SylvainJuge left a comment


LGTM, do we have a way to test this before next release ?

@v1v
Member Author

v1v commented Sep 24, 2024

> LGTM, do we have a way to test this before next release ?

I tested that the GH app was doing what's expected, generating the tokens in other different places. I cannot think of a way to test this in isolation in dry-run mode since it will not utilise the token.

I guess the pre-release step should help to know if things are ok - can we run that step after merging this PR to confirm things work as expected?

@v1v v1v merged commit fcf64c6 into elastic:main Sep 24, 2024
12 checks passed