From babebf16bc32253e1b22ae8cc16367447c62cee6 Mon Sep 17 00:00:00 2001 From: Jennifer Power Date: Tue, 15 Oct 2024 17:22:14 -0400 Subject: [PATCH 1/2] ci: updates python-push.yml to use a GitHub app for commit work Signed-off-by: Jennifer Power --- .github/workflows/python-push.yml | 41 +++++++++++++++++++---- docs/contributing/github_actions_setup.md | 2 +- 2 files changed, 35 insertions(+), 8 deletions(-) diff --git a/.github/workflows/python-push.yml b/.github/workflows/python-push.yml index c2d353e10..bb22eca28 100644 --- a/.github/workflows/python-push.yml +++ b/.github/workflows/python-push.yml @@ -9,6 +9,8 @@ on: branches: - main +permissions: {} + jobs: set-versions: runs-on: ubuntu-latest @@ -110,11 +112,16 @@ jobs: url: https://pypi.org/p/compliance-trestle if: github.ref == 'refs/heads/main' && github.repository == 'oscal-compass/compliance-trestle' steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} - uses: actions/checkout@v4 with: submodules: true fetch-depth: 0 - token: ${{ secrets.ADMIN_PAT }} + token: ${{ steps.app-token.outputs.token }} - name: Set up Python ${{ needs.set-versions.outputs.max }} uses: actions/setup-python@v5 with: @@ -128,7 +135,7 @@ jobs: id: release uses: python-semantic-release/python-semantic-release@v9.8.8 with: - github_token: ${{ secrets.ADMIN_PAT }} + github_token: ${{ steps.app-token.outputs.token }} - name: Publish package distributions to PyPI uses: pypa/gh-action-pypi-publish@release/v1 @@ -140,7 +147,7 @@ jobs: uses: python-semantic-release/upload-to-gh-release@v9.8.8 if: steps.release.outputs.released == 'true' with: - github_token: ${{ secrets.ADMIN_PAT }} + github_token: ${{ steps.app-token.outputs.token }} deploy-docs: runs-on: ubuntu-latest 
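Review bot: The new workflow-level `permissions: {}` (hunk @@ -9,6) removes every default GITHUB_TOKEN permission, so any job that still relies on the default token needs its own job-level `permissions:` block, and none is visible in this patch. The deploy-docs job's existing comment in a later hunk says it "relies on native github actions token to have push rights", which now requires at least `contents: write` on that job, and if the publish job uses PyPI trusted publishing (the `environment` url pointing at pypi.org suggests it does) it needs `id-token: write`. If those job-level grants already exist outside the hunks, a comment on the new line such as `# Default token carries no permissions; each job grants only what it needs` would make the intent explicit for the next reader; the enclosing jobs continue outside this hunk.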
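Review bot: The `actions/create-github-app-token@v1` step in hunk @@ -110,11 is handed the app's private key but is pinned only to a mutable major tag, and the identical steps in the deploy-docs and merge hunks share the issue. The other actions in this file are tag-pinned too, but this one is the highest-value step to pin to a full commit SHA, e.g. `- uses: actions/create-github-app-token@<full-commit-sha> # v1`, since a rewritten tag here would expose the key rather than just a checkout. Per the action's README, leaving `owner` and `repositories` unset scopes the token to the current repository, which is the right choice here and worth stating in a comment on the step, e.g. `# no owner/repositories: token is scoped to this repository only`.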
@@ -151,11 +158,16 @@ jobs: # Temporary hack: allow develop as well as master to deploy docs. if: github.ref == 'refs/heads/main' steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} - uses: actions/checkout@v4 with: submodules: true fetch-depth: 0 - token: ${{ secrets.ADMIN_PAT }} + token: ${{ steps.app-token.outputs.token }} - name: Set up Python ${{ needs.set-versions.outputs.max }} uses: actions/setup-python@v5 # This is deliberately not using a custom credential as it relies on native github actions token to have push rights. @@ -178,16 +190,31 @@ jobs: cancel-in-progress: true if: github.ref == 'refs/heads/main' steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} - uses: actions/checkout@v4 with: submodules: true ref: main fetch-depth: 0 - token: ${{ secrets.ADMIN_PAT }} + token: ${{ steps.app-token.outputs.token }} + - name: Get GitHub App User ID + id: get-user-id + run: echo "user-id=$(gh api "/users/${{ env.SLUG }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + SLUG: ${{ steps.app-token.outputs.app-slug }} - name: Configure Git run: | - git config user.name "Vikas Agarwal" - git config user.email "<>" + git config --global user.name '${{ env.SLUG }}[bot]' + git config --global user.email '${{ env.ID }}+${{ env.SLUG }}[bot]@users.noreply.github.com>' + env: + SLUG: ${{ steps.app-token.outputs.app-slug }} + ID: ${{ steps.get-user-id.outputs.user-id }} + # https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - name: Merge Main to Develop run: | git checkout develop diff --git a/docs/contributing/github_actions_setup.md b/docs/contributing/github_actions_setup.md index 8cf0bbb8f..b3136f69f 100644 
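Review bot: In the merge hunk (@@ -178,16) the `Get GitHub App User ID` and `Configure Git` steps put `SLUG` and `ID` into `env:` but then reference them as `${{ env.SLUG }}` / `${{ env.ID }}` inside `run:`, which the workflow engine still expands into the script text before the shell runs, so the intermediate-variable pattern the linked hardening doc describes is not actually applied. The values are app-controlled rather than user-controlled, so the risk is low, but the shell should read the variables itself: `run: echo "user-id=$(gh api "/users/${SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"`, `git config --global user.name "${SLUG}[bot]"` and `git config --global user.email "${ID}+${SLUG}[bot]@users.noreply.github.com"`. The same lines are touched again by the patch 2/2 hunk (@@ -210,7), which only removes the stray `>`.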
--- a/docs/contributing/github_actions_setup.md +++ b/docs/contributing/github_actions_setup.md @@ -5,7 +5,7 @@ The variables are documented here such that trestle can be setup on a fork etc. ## Secrets -- `ADMIN_PAT`: Github PAT with sufficient write access to merge content into `develop` and commit to `gh-pages` and `main` +- `APP_ID` and `PRIVATE_KEY`: GitHub App information with sufficient write access to merge content into `develop` and commit to `gh-pages` and `main` - `SONAR_TOKEN`: Token to sonarcloud with rights to the appropriate project. From 384b1daf7edd3a2e7d2079b04072c16d5903e512 Mon Sep 17 00:00:00 2001 From: Jennifer Power Date: Tue, 15 Oct 2024 17:28:48 -0400 Subject: [PATCH 2/2] fix: removes extra ">" character Signed-off-by: Jennifer Power --- .github/workflows/python-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-push.yml b/.github/workflows/python-push.yml index bb22eca28..4a4c28540 100644 --- a/.github/workflows/python-push.yml +++ b/.github/workflows/python-push.yml @@ -210,7 +210,7 @@ jobs: - name: Configure Git run: | git config --global user.name '${{ env.SLUG }}[bot]' - git config --global user.email '${{ env.ID }}+${{ env.SLUG }}[bot]@users.noreply.github.com>' + git config --global user.email '${{ env.ID }}+${{ env.SLUG }}[bot]@users.noreply.github.com' env: SLUG: ${{ steps.app-token.outputs.app-slug }} ID: ${{ steps.get-user-id.outputs.user-id }}