Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use installation token for OS Botify #23760

Merged
merged 27 commits into from
Aug 2, 2023
Merged

Use installation token for OS Botify #23760

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
9bb8753
Add action for OS BOTIFY github app
justinpersaud Jul 25, 2023
bc8625b
use latest commit
justinpersaud Jul 25, 2023
6d19bfa
add installation id
justinpersaud Jul 25, 2023
747b8bb
Use installation token instead of OS_BOTIFY_TOKEN
justinpersaud Jul 27, 2023
d519aef
Merge branch 'main' of github.com:Expensify/App into jpersaud_osbotif…
justinpersaud Jul 27, 2023
d7453b0
fix brackets
justinpersaud Jul 27, 2023
aebdca4
update revision
justinpersaud Jul 27, 2023
5876741
comment out permission check temporarily
justinpersaud Jul 27, 2023
a8aef1f
add token to other steps
justinpersaud Jul 27, 2023
6a31248
move token gen to new job, add output
justinpersaud Jul 27, 2023
37c53f3
disable slack announce for now
justinpersaud Jul 27, 2023
6d61ee7
add requirement for token job
justinpersaud Jul 27, 2023
b716195
move token generation into same job
justinpersaud Jul 27, 2023
2c09f65
remove unused job
justinpersaud Jul 27, 2023
217eefd
move token to setupGitForOSBotify
justinpersaud Jul 27, 2023
4e58b80
change order of steps
justinpersaud Jul 27, 2023
3e9cf1d
use action token for repo checkout
justinpersaud Jul 27, 2023
5e8cb85
use osbotify PAT for push
justinpersaud Jul 28, 2023
02f9de4
run -> with
justinpersaud Jul 28, 2023
b9ef7de
move the botify token to the checkout action
justinpersaud Jul 28, 2023
5cdde7e
rename tokens
justinpersaud Jul 28, 2023
53979b7
switch tokens
justinpersaud Jul 28, 2023
299318d
fix linting errors
justinpersaud Jul 28, 2023
5b155ee
restore validateActor
justinpersaud Jul 31, 2023
82bb61c
re-enable slack notificaitons
justinpersaud Jul 31, 2023
66bb752
Update .github/actions/composite/setupGitForOSBotify/action.yml
justinpersaud Aug 1, 2023
c20e7ac
Merge branch 'main' of github.com:Expensify/App into jpersaud_osbotif…
justinpersaud Aug 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/actions/composite/setupGitForOSBotify/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
name: 'Setup Git for OSBotify'
description: 'Setup Git for OSBotify'
name: "Setup Git for OSBotify"
description: "Setup Git for OSBotify"

inputs:
GPG_PASSPHRASE:
description: 'Passphrase used to decrypt GPG key'
description: "Passphrase used to decrypt GPG key"
required: true

runs:
Expand Down
33 changes: 20 additions & 13 deletions .github/workflows/createNewVersion.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,6 @@ on:
LARGE_SECRET_PASSPHRASE:
description: Passphrase used to decrypt GPG key
required: true
OS_BOTIFY_TOKEN:
description: Token for the OSBotify user
required: true
SLACK_WEBHOOK:
description: Webhook used to comment in slack
required: true
Expand All @@ -37,33 +34,43 @@ jobs:
validateActor:
runs-on: ubuntu-latest
outputs:
# TODO: fix this so we check if admin is true, as well as push
# https://docs.github.com/en/rest/apps/installations?apiVersion=2022-11-28#list-repositories-accessible-to-the-user-access-token
HAS_WRITE_ACCESS: ${{ contains(fromJSON('["write", "admin"]'), steps.getUserPermissions.outputs.PERMISSION) }}
steps:
- name: Get user permissions
id: getUserPermissions
run: echo "PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission | jq -r '.permission')" >> "$GITHUB_OUTPUT"
run: echo "PERMISSION=$(gh api /users/installations/${{ secrets.OS_BOTIFY_INSTALLATION_ID }}/repositories | jq -r '.repositories[].permissions')" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

createNewVersion:
runs-on: macos-latest
needs: validateActor
if: ${{ fromJSON(needs.validateActor.outputs.HAS_WRITE_ACCESS) }}
# if: ${{ fromJSON(needs.validateActor.outputs.HAS_WRITE_ACCESS) }}

outputs:
NEW_VERSION: ${{ steps.bumpVersion.outputs.NEW_VERSION }}

steps:
- name: Generate a token
id: generate_token
uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c
with:
app_id: ${{ secrets.OS_BOTIFY_APP_ID }}
private_key: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}
installation_id: ${{ secrets.OS_BOTIFY_INSTALLATION_ID }}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@roryabraham this is just a draft while I work through this but what are your thoughts about having the token generation be in this step as opposed to an independent job? I was having some trouble figuring out how to securely pass the output of the token into another job because github actions redacts/blanks it out due to it being a sensitive value. If it's in the same job, I can reference it via ${{ steps.generate_token.outputs.token }}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So recall that setupGitForOSBotify is an action not a worklow, so it's always going to be scoped to just a single job (and by extension a single runner). So we shouldn't need or want to pass tokens between runners.

Does that answer your question?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sort of. Are you suggesting we move this step into setupGitForOSBotify then? And if we do that, how do we use that token in these next steps instead of the under the hood GITHUB_TOKEN the jobs use?

The part I think I'm missing is how we access an output from one action outside of it in another step?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I think I figured it out and got a little further. Long story short, order of operations matters here because we're flipping between the action token used in the job and the new token for OS Botify

https://github.com/Expensify/App/actions/runs/5686198797/job/15412567692

I think I'm getting this next error because I need to allow OS Botify App to override our branch protections and push to main.


- uses: softprops/turnstyle@ca99add00ff0c9cbc697d22631d2992f377e5bd5
with:
poll-interval-seconds: 10
env:
GITHUB_TOKEN: ${{ github.token }}
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

- uses: actions/checkout@v3
with:
ref: main
token: ${{ secrets.OS_BOTIFY_TOKEN }}
token: ${{ steps.generate_token.outputs.token }}

- uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
Expand All @@ -73,7 +80,7 @@ jobs:
id: bumpVersion
uses: Expensify/App/.github/actions/javascript/bumpVersion@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
SEMVER_LEVEL: ${{ inputs.SEMVER_LEVEL }}

- name: Commit new version
Expand All @@ -89,7 +96,7 @@ jobs:
- name: Update main branch
run: git push origin main

- if: ${{ failure() }}
uses: Expensify/App/.github/actions/composite/announceFailedWorkflowInSlack@main
with:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
# - if: ${{ failure() }}
# uses: Expensify/App/.github/actions/composite/announceFailedWorkflowInSlack@main
# with:
# SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
Loading