Merge pull request hashicorp#32868 from hashicorp/m-app-token-fix
Workflows: Token generation as a step rather than a job
justinretzolk authored Aug 4, 2023
2 parents 65106e2 + 73e15a2 commit c6ccb75
Showing 2 changed files with 72 additions and 32 deletions.
48 changes: 32 additions & 16 deletions .github/workflows/issues.yml
Expand Up @@ -20,42 +20,43 @@ jobs:
# https://docs.github.com/en/actions/learn-github-actions/expressions#example
username: ${{ github.event.action == 'assigned' && github.event.assignee.login || github.event.issue.user.login }}

generate_token:
name: 'Generate Token'
automation_labeler:
name: 'Automation Labeler'
needs: community_check
runs-on: ubuntu-latest
outputs:
token: ${{ steps.generate.outputs.token }}
env:
ISSUE_URL: ${{ github.event.issue.html_url }}
steps:
- name: 'Generate'
id: generate
- name: 'Generate Token'
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.APP_ID }}
installation_id: ${{ secrets.INSTALLATION_ID }}
private_key: ${{ secrets.APP_PEM }}

automation_labeler:
name: 'Automation Labeler'
needs: [community_check, generate_token]
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ needs.generate_token.outputs.token }}
ISSUE_URL: ${{ github.event.issue.html_url }}
steps:
- name: 'Add needs-triage for non-maintainer'
if: github.event.action == 'opened' && needs.community_check.outputs.maintainer == 'false'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh issue edit ${{ env.ISSUE_URL }} --add-label needs-triage

- name: 'Add prioritized when assigned to maintainers'
if: github.event.action == 'assigned' && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh issue edit ${{ env.ISSUE_URL }} --add-label prioritized

- name: 'Add prioritized to regressions'
if: github.event.label.name == 'regression'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh issue edit ${{ env.ISSUE_URL }} --add-label prioritized

- name: 'Remove unnecessary labels on closure'
if: github.event.action == 'closed'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh issue edit ${{ env.ISSUE_URL }} --remove-label needs-triage,waiting-response

service_labeler:
Expand All @@ -74,37 +75,52 @@ jobs:
add_to_project:
name: 'Add to Project'
runs-on: ubuntu-latest
needs: [community_check, generate_token]
needs: community_check
env:
GH_TOKEN: ${{ needs.generate_token.outputs.token }}
# Some gh project calls take the project's ID, some take the project's number
PROJECT_ID: "PVT_kwDOAAuecM4AF-7h"
PROJECT_NUMBER: "196"
STATUS_FIELD_ID: "PVTSSF_lADOAAuecM4AF-7hzgDcsQA"
VIEW_FIELD_ID: "PVTSSF_lADOAAuecM4AF-7hzgMRB34"
ITEM_URL: ${{ github.event.issue.html_url }}
steps:
- name: 'Generate Token'
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.APP_ID }}
installation_id: ${{ secrets.INSTALLATION_ID }}
private_key: ${{ secrets.APP_PEM }}

- name: 'Maintainer Issues'
if: github.event.action == 'opened' && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_working_board }}
- name: 'Assigned to Maintainer'
if: github.event.action == 'assigned' && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.STATUS_FIELD_ID }} --single-select-option-id ${{ vars.team_project_status_in_progress }}
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_working_board }}
- name: 'Labeled Prioritized or Regression'
if: contains(fromJSON('["prioritized", "regression"]'), github.event.label.name)
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_working_board }}
- name: 'Labeled Engineering Initiative'
if: github.event.label.name == 'engineering-initiative'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_engineering_initiative }}
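Review bot: The `Generate Token` step added to `automation_labeler` and `add_to_project` requests a token without any scoping, so each job receives everything the App installation is allowed to do, while the steps that follow only run `gh issue edit` or `gh project item-add`/`item-edit`. If the pinned `tibdex/github-app-token` release supports a `permissions` input, consider narrowing it per job, for example `permissions: '{"issues": "write"}'` on the labeler. The step also runs unconditionally, so a token is minted even when every later `if:` evaluates to false. The same applies to the two `Generate Token` steps in `.github/workflows/pull_request_target.yml`. Moving `GH_TOKEN` from job-level `env` to the individual steps is a sound choice and should be kept.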
56 changes: 40 additions & 16 deletions .github/workflows/pull_request_target.yml
Expand Up @@ -21,52 +21,57 @@ jobs:
# https://docs.github.com/en/actions/learn-github-actions/expressions#example
username: ${{ github.event.action == 'assigned' && github.event.assignee.login || github.event.pull_request.user.login }}

generate_token:
name: 'Generate Token'
labeler:
name: 'Automation Labeler'
needs: community_check
runs-on: ubuntu-latest
outputs:
token: ${{ steps.generate.outputs.token }}
env:
PR_URL: ${{ github.event.pull_request.html_url }}
steps:
- name: 'Generate'
id: generate
- name: 'Generate Token'
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.APP_ID }}
installation_id: ${{ secrets.INSTALLATION_ID }}
private_key: ${{ secrets.APP_PEM }}

labeler:
name: 'Automation Labeler'
needs: [community_check, generate_token]
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ needs.generate_token.outputs.token }}
PR_URL: ${{ github.event.pull_request.html_url }}
steps:
- name: 'Add needs-triage for non-maintainers'
if: github.event.action == 'opened' && needs.community_check.outputs.maintainer == 'false'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --add-label needs-triage

- name: 'Add prioritized to pull requests authored by or assigned to maintainers'
# This conditional is basically an exact copy of an example provided by GitHub:
# https://docs.github.com/en/actions/learn-github-actions/expressions#example-matching-an-array-of-strings
if: contains(fromJSON('["opened", "assigned"]'), github.event.action) && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --add-label prioritized

- name: 'Add partner to partner pull requests'
if: github.event.action == 'opened' && needs.community_check.outputs.partner == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --add-label partner

- name: 'Add external-maintainer to external maintainer pull requests'
if: github.event.action == 'opened' && needs.community_check.outputs.core_contributor == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --add-label external-maintainer

- name: 'Add prioritized to regressions'
if: github.event.label.name == 'regression'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --add-label prioritized

- name: 'Remove unnecessary labels on closure'
if: github.event.action == 'closed'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: gh pr edit ${{ env.PR_URL }} --remove-label needs-triage,waiting-response

service_labeler:
Expand Down Expand Up @@ -106,18 +111,27 @@ jobs:
add_to_project:
name: 'Add to Project'
runs-on: ubuntu-latest
needs: [community_check, generate_token]
needs: community_check
env:
GH_TOKEN: ${{ needs.generate_token.outputs.token }}
# Some gh project calls take the project's ID, some take the project's number
PROJECT_ID: "PVT_kwDOAAuecM4AF-7h"
PROJECT_NUMBER: "196"
STATUS_FIELD_ID: "PVTSSF_lADOAAuecM4AF-7hzgDcsQA"
VIEW_FIELD_ID: "PVTSSF_lADOAAuecM4AF-7hzgMRB34"
ITEM_URL: ${{ github.event.pull_request.html_url }}
steps:
- name: 'Generate Token'
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.APP_ID }}
installation_id: ${{ secrets.INSTALLATION_ID }}
private_key: ${{ secrets.APP_PEM }}

- name: 'Maintainer Pull Requests'
if: github.event.action == 'opened' && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
# In order to update the item's Status field, we need to capture the project item id from the output
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
Expand All @@ -126,31 +140,41 @@ jobs:
- name: 'Assigned to Maintainers'
if: github.event.action == 'assigned' && needs.community_check.outputs.maintainer == 'true'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.STATUS_FIELD_ID }} --single-select-option-id ${{ vars.team_project_status_in_progress }}
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_working_board }}
- name: 'Partner Pull Requests'
if: github.event.label.name == 'partner'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_partner_contribution }}
- name: 'External Maintainer Pull Requests'
if: github.event.label.name == 'external-maintainer'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_external_maintainer }}
- name: 'Labeled Prioritized or Regression'
if: contains(fromJSON('["prioritized", "regression"]'), github.event.label.name)
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_working_board }}
- name: 'Labeled Engineering Initiative'
if: github.event.label.name == 'engineering-initiative'
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
PROJECT_ITEM_ID=$(gh project item-add ${{ env.PROJECT_NUMBER }} --owner "hashicorp" --url ${{ env.ITEM_URL }} --format json | jq '.id')
gh project item-edit --id "$PROJECT_ITEM_ID" --project-id ${{ env.PROJECT_ID }} --field-id ${{ env.VIEW_FIELD_ID }} --single-select-option-id ${{ vars.team_project_view_engineering_initiative }}
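Review bot: The `run:` lines that now receive `GH_TOKEN` still splice `${{ env.PR_URL }}` and `${{ env.ITEM_URL }}` into the script text before the shell parses it, instead of reading the environment variable at run time. Both are set from `github.event.pull_request.html_url`, which is presumably GitHub-generated and not attacker-shaped, but the file name suggests a `pull_request_target` trigger (the `on:` block is outside these hunks), where quoting discipline matters most. Prefer `run: gh pr edit "$PR_URL" --add-label needs-triage` and `--url "$ITEM_URL"` so the value is always a single shell word. The `gh issue edit ${{ env.ISSUE_URL }}` lines in `.github/workflows/issues.yml` follow the same pattern.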
