Update grafanabot_reviewer.yml to use app token (#10809)

* Update grafanabot_reviewer.yml to use app token * Remove if condition to test workflow * Changed to 'on: pull_request' due to limitations with GitHub app tokens * Further testing * Revert "Further testing" This reverts commit c496584. * Revert "Remove if condition to test workflow" This reverts commit a6f566b. * Use the app token at the right place
grafana · Mar 5, 2025 · c543778 · c543778
1 parent 98e26f4
commit c543778
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/.github/workflows/grafanabot_reviewer.yml b/.github/workflows/grafanabot_reviewer.yml
@@ -1,20 +1,37 @@
 name: Auto-review Grafanabot PRs
-on: pull_request_target
+on: pull_request
 
 permissions:
   pull-requests: write
   contents: write
+  id-token: write
 
 jobs:
   dependabot-reviewer:
     runs-on: ubuntu-latest
 
     if: ${{ github.event.pull_request.user.login == 'grafanabot' }}
-    
+
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
 
+      - name: Retrieve GitHub App Credentials from Vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/[email protected]
+        with:
+          repo_secrets: |
+            APP_ID=mimir-github-bot:app_id
+            PRIVATE_KEY=mimir-github-bot:private_key
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ env.APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Approve and auto-merge
         id: auto-merge
         if: contains(github.event.pull_request.head.ref, 'helm-chart-weekly-')
@@ -24,7 +41,7 @@ jobs:
           --approve -b "**I'm approving** this pull request, since it is a helm release."
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Manual review is required
         if: steps.auto-merge.conclusion != 'success'
@@ -33,4 +50,4 @@ jobs:
 
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}