Use the app token in helm-weekly-release-pr.yml (#10819)

* Use the app token in helm-weekly-release-pr.yml * Update .github/workflows/helm-weekly-release-pr.yaml Co-authored-by: Arve Knudsen <[email protected]> * Update .github/workflows/helm-weekly-release-pr.yaml Co-authored-by: Arve Knudsen <[email protected]> --------- Co-authored-by: Arve Knudsen <[email protected]>
grafana · Mar 6, 2025 · f83f20b · f83f20b
1 parent 339171c
commit f83f20b
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/.github/workflows/helm-weekly-release-pr.yaml b/.github/workflows/helm-weekly-release-pr.yaml
@@ -6,21 +6,42 @@ on:
 
   workflow_dispatch: # for manual testing
 
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   weekly-release-pr:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: imjasonh/[email protected]
 
+      - name: Retrieve GitHub App credentials from Vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/[email protected]
+        with:
+          repo_secrets: |
+            APP_ID=mimir-github-bot:app_id
+            PRIVATE_KEY=mimir-github-bot:private_key
+
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ env.APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Update/regenerate files
         id: update
         run: bash .github/workflows/scripts/helm-weekly-release.sh
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v5
         with:
-          token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           title: Release mimir-distributed Helm chart ${{ steps.update.outputs.new_chart_version }}
           body: Automated PR created by [helm-weekly-release-pr.yaml](https://github.com/grafana/mimir/blob/main/.github/workflows/helm-weekly-release-pr.yaml)
           commit-message: Update mimir-distributed chart to ${{ steps.update.outputs.new_chart_version }}