ci: authenticate with secret github token in release workflows
Currently, the release workflows attempt to pull github authentication
from 1password.
However, this workflow is only intended for use in non-public SxT
workflows.
Since we do not need access to private SxT information to perform these
releases, using the secret github token should suffice for now.
tlovell-sxt committed Nov 22, 2024
1 parent c00bec7 commit a7eaa89
Showing 2 changed files with 7 additions and 22 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/preview-release.yml
Expand Up @@ -18,6 +18,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_TOKEN }}
ref: ${{ github.head_ref }}
# Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
persist-credentials: false
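
Review bot: The new `token: ${{ secrets.GH_TOKEN }}` line on the checkout step does not say what kind of credential `GH_TOKEN` is, and the comment two lines below it still refers to `GITHUB_TOKEN`, which is a different, built-in per-run token. Please state in the workflow whether `GH_TOKEN` is a personal access token and which scopes it carries, and reword the comment to name the secret actually used. Because `persist-credentials: false` is kept, this step only needs to read repository contents, so a read-only token would be enough here.
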
Expand All @@ -29,7 +30,7 @@ jobs:
id: conventional-changelog
uses: TriPSs/conventional-changelog-action@v5
with:
github-token: ${{ steps.app-token.outputs.token }}
github-token: ${{ secrets.GH_TOKEN }}
skip-git-pull: true
skip-version-file: true
git-push: false
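
Review bot: With `git-push: false` this changelog step pushes nothing, yet `github-token` now receives the same stored secret that release.yml uses to push and publish. If the action works with it, prefer the built-in `secrets.GITHUB_TOKEN` with a `permissions:` block limited to `contents: read`, so a preview run never holds a write-capable credential. The replaced value was `steps.app-token.outputs.token`, and no `app-token` step appears in this file's hunks, so it is also worth confirming whether the old reference was resolving to anything.
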
26 changes: 5 additions & 21 deletions .github/workflows/release.yml
Expand Up @@ -11,27 +11,11 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Load Secrets
uses: 1password/load-secrets-action@v1
with:
export-env: true
env:
OP_CONNECT_HOST: ${{ secrets.OP_CONNECT_HOST }}
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
GITHUB_APP_ID: op://op-github-devops/cosmic-agent-labs/app-id
GITHUB_PRIVATE_KEY: op://op-github-devops/cosmic-agent-labs/private-key

- name: Create GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.GITHUB_APP_ID }}
private-key: ${{ env.GITHUB_PRIVATE_KEY }}

- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
token: ${{ secrets.GH_TOKEN }}
ref: ${{ github.head_ref }}
# Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
persist-credentials: false
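
Review bot: `secrets.GH_TOKEN` on the checkout step is a stored, static credential, whereas the removed `Create GitHub App Token` step minted a fresh installation token on every run, so the release job now depends on a secret that has to be rotated by hand and whose owner and scope are not recorded anywhere in this file. Please use a fine-grained token restricted to this repository with only the contents write access the push and release steps need, and note its expiry and owner next to the step. If pushes from this job do not need to trigger other workflows, the built-in `GITHUB_TOKEN` with `permissions: contents: write` would avoid a stored secret altogether. The `GITHUB_TOKEN` comment above `persist-credentials: false` should be updated to match whichever token is used.
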
Expand All @@ -43,7 +27,7 @@ jobs:
id: conventional-changelog
uses: TriPSs/conventional-changelog-action@v5
with:
github-token: ${{ steps.app-token.outputs.token }}
github-token: ${{ secrets.GH_TOKEN }}
skip-git-pull: true
skip-version-file: true
git-push: false
Expand All @@ -53,13 +37,13 @@ jobs:
uses: ad-m/github-push-action@master
id: push
with:
github_token: ${{ steps.app-token.outputs.token }}
github_token: ${{ secrets.GH_TOKEN }}
branch: ${{ github.ref }}

- name: Create Release
uses: ncipollo/release-action@v1
with:
tag: ${{ steps.conventional-changelog.outputs.tag }}
body: ${{ steps.conventional-changelog.outputs.changelog }}
token: ${{ steps.app-token.outputs.token }}
makeLatest: true
token: ${{ secrets.GH_TOKEN }}
makeLatest: true
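
Review bot: `ad-m/github-push-action@master` is referenced by branch name and now receives `secrets.GH_TOKEN` through `github_token`, so any later commit to that action's `master` branch will run with a credential that can push to this repository. Pin it to a full commit SHA, and do the same for `ncipollo/release-action@v1`, which receives the same secret through `token`. With a static secret replacing the per-run app token, the exposure from a changed upstream action lasts until the secret is rotated rather than until the run's token expires.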
