diff --git a/.github/workflows/backport-command.yml b/.github/workflows/backport-command.yml index aac81e7279ec..e02c7456a80b 100644 --- a/.github/workflows/backport-command.yml +++ b/.github/workflows/backport-command.yml @@ -25,11 +25,25 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 + + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true - name: Get type of backport (issue or PR) env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }} id: get_backport_type run: $SCRIPT_DIR/get_backport_type.sh @@ -39,7 +53,7 @@ jobs: uses: peter-evans/create-or-update-comment@v1 if: failure() with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: "-1" @@ -48,7 +62,7 @@ jobs: if: failure() env: COMMENTED_ON: ${{ steps.get_backport_type.outputs.commented_on }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} run: $SCRIPT_DIR/post_error.sh shell: bash @@ -62,11 +76,11 @@ jobs: BACKPORT_BRANCH: ${{ needs.backport-type.outputs.backport_branch }} steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get user env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: user run: | username=$(gh api user --jq .login) 
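Review bot: After the `get secrets from aws sm` step in the first hunk, `ACTIONS_BOT_TOKEN` lives in the job environment, so every later step in that job — including the third-party `peter-evans/create-or-update-comment@v1` at hunk @@ -39 and the script step at @@ -48 — can read it whether or not it is passed as an input, whereas `secrets.ACTIONS_BOT_TOKEN` was only visible where a step referenced it explicitly. The same widening applies to the fetch blocks added in backport-on-merge.yml, buildkite-slash-commands.yml, cloud-installpack-bk-trigger.yml, promote.yml and slash-commands.yml, so a comment above the step such as `# exports ACTIONS_BOT_TOKEN into the job env: every later step in this job can read it` would make the new exposure explicit, and steps that do not need the token are best placed ahead of it. The `configure aws credentials` step relies on long-lived static keys; the action supports OIDC, so replacing the two key inputs with `role-to-assume: <ROLE_ARN placeholder>` and granting the job `permissions: id-token: write` removes a stored credential entirely. Both new actions are referenced by floating major tags (`@v4`, `@v2`); for steps that handle a production token, pinning to a full commit SHA with the version in a trailing comment is the usual hardening.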
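Review bot: `GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}` in the `Get user` step of hunk @@ -62,11 +76,11 @@ reads an environment variable that this job never sets: the `configure aws credentials` / `get secrets from aws sm` steps were added only to the job at the top of the file, and variables exported by `aws-secretsmanager-get-secrets` are scoped to the job that ran it, not to a job that `needs` it. The constant +14 line offset carried through every later hunk of this file indicates no fetch steps were added to this second job, so the expression expands to an empty string and `gh api user`, the fork checkout at @@ -111, and the comment/issue steps at @@ -82, @@ -91, @@ -142, @@ -158, @@ -167 and @@ -176 will run unauthenticated or fail. Either repeat the two AWS steps at the start of this job before its first token use, or keep `secrets.ACTIONS_BOT_TOKEN` in this job. The job's definition begins before this hunk.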
@@ -82,7 +96,7 @@ jobs: - name: Discover and create milestone env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ needs.backport-type.outputs.target_milestone }} id: create_milestone run: $SCRIPT_DIR/create_milestone.sh @@ -91,7 +105,7 @@ jobs: - name: Create issue if: needs.backport-type.outputs.commented_on == 'issue' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_LABELS: ${{ toJson(github.event.client_payload.github.payload.issue.labels) }} @@ -111,23 +125,23 @@ jobs: if: needs.backport-type.outputs.commented_on == 'pr' env: BACKPORT_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: backport_commits run: | backport_commits=$(gh api "repos/$TARGET_FULL_REPO/pulls/$BACKPORT_PR_NUMBER/commits" --jq .[].sha | paste -s -d ' ' -) echo ::set-output name=backport_commits::$backport_commits - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 if: needs.backport-type.outputs.commented_on == 'pr' with: repository: ${{ steps.user.outputs.username }}/${{ steps.user.outputs.repo }} - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: ./fork - name: Backport commits and get details if: needs.backport-type.outputs.commented_on == 'pr' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} BACKPORT_COMMITS: ${{ steps.backport_commits.outputs.backport_commits }} IS_MERGED: ${{ github.event.client_payload.pull_request.merged }} 
@@ -142,7 +156,7 @@ jobs: - name: Create pull request if: needs.backport-type.outputs.commented_on == 'pr' env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_REVIEWERS: ${{ steps.reviewers.outputs.reviewers }} @@ -158,7 +172,7 @@ jobs: - name: Add reaction uses: peter-evans/create-or-update-comment@v1 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: hooray @@ -167,7 +181,7 @@ jobs: uses: peter-evans/create-or-update-comment@v1 if: failure() with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: "-1" @@ -176,14 +190,14 @@ jobs: if: failure() env: COMMENTED_ON: ${{ needs.backport-type.outputs.commented_on }} - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} run: $SCRIPT_DIR/post_error.sh shell: bash - name: Create Issue On Error if: failure() env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} TARGET_MILESTONE: ${{ steps.create_milestone.outputs.milestone }} ORIG_TITLE: ${{ github.event.client_payload.github.payload.issue.title }} ORIG_LABELS: ${{ toJson(github.event.client_payload.github.payload.issue.labels) }} diff --git a/.github/workflows/backport-on-merge.yml b/.github/workflows/backport-on-merge.yml index 05ead7ab61bb..c00d35963ce4 100644 --- a/.github/workflows/backport-on-merge.yml +++ b/.github/workflows/backport-on-merge.yml 
@@ -17,7 +17,7 @@ jobs: steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Find the PR associated with this push, if there is one. - uses: jwalton/gh-find-current-pr@v1 @@ -29,10 +29,21 @@ jobs: if: success() && steps.findPr.outputs.number env: PR: ${{ steps.findPr.outputs.pr }} - + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true - name: Backport On Merge env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} + GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} id: extract_required_backports_from_pr_body run: $SCRIPT_DIR/backport_on_merge.sh shell: bash diff --git a/.github/workflows/buildkite-slash-commands.yml b/.github/workflows/buildkite-slash-commands.yml index 223f06f3128f..45abe7e52dff 100644 --- a/.github/workflows/buildkite-slash-commands.yml +++ b/.github/workflows/buildkite-slash-commands.yml 
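Review bot: In hunk @@ -29,10 +29,21 @@ the `secret-ids` entry `,sdlc/prod/github/actions_bot_token` with `parse-json-secrets: true` relies on the stored JSON containing a key that maps to `ACTIONS_BOT_TOKEN` (the leading comma appears to request an empty alias so the JSON keys become the variable names), and `${{ env.ACTIONS_BOT_TOKEN }}` in the `Backport On Merge` step silently expands to an empty string if that key is missing or renamed. A comment above the fetch step stating the contract, `# secret JSON must contain key ACTIONS_BOT_TOKEN; env.ACTIONS_BOT_TOKEN is "" if it does not`, plus a guard step `run: test -n "$ACTIONS_BOT_TOKEN" || { echo "ACTIONS_BOT_TOKEN not loaded" >&2; exit 1; }` before the first use, turns that silent failure into a clear one; the same contract applies to every other workflow in this commit that uses the pattern. The hunk also drops the blank line that separated the find-PR step from the next one; keeping one blank line between steps matches the rest of the file.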
@@ -10,23 +10,38 @@ jobs: run-build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true + + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: sparse-checkout - uses: ./sparse-checkout with: repository: redpanda-data/vtools - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} patterns: actions path: ghca - name: Buildkite slash command action uses: ./ghca/actions/buildkite-slash-commands with: - buildkite_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_token: ${{ env.BUILDKITE_TOKEN }} buildkite_org: redpanda buildkite_pipeline: redpanda command: ${{ github.event.client_payload.slash_command.command }} @@ -34,7 +49,7 @@ jobs: - name: Success reaction uses: peter-evans/create-or-update-comment@v2 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reaction-type: hooray @@ -43,5 +58,5 @@ jobs: if: failure() uses: ./ghca/actions/slash-command-error with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} body: ${{ env.ERROR_MSG }} diff --git a/.github/workflows/cloud-installpack-bk-trigger.yml b/.github/workflows/cloud-installpack-bk-trigger.yml index 8881338dbdab..a81b60a78b51 100644 --- a/.github/workflows/cloud-installpack-bk-trigger.yml 
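Review bot: In the first hunk the `./sparse-checkout` and `./ghca/actions/buildkite-slash-commands` steps execute code checked out from other repositories, and after the `get secrets from aws sm` step both `ACTIONS_BOT_TOKEN` and `BUILDKITE_TOKEN` are in the job environment, so those actions (and `peter-evans/create-or-update-comment@v2` at hunk @@ -34) inherit both tokens regardless of the `token:` and `buildkite_token:` inputs; the previous `secrets.*` references carried no such ambient exposure. The same applies to cloud-installpack-bk-trigger.yml. The credential-plus-fetch block is now copy-pasted across six workflows with only the `secret-ids` list differing, so a repository composite action that takes the secret ids as an input (or a reusable workflow) would keep the region, action versions and alias convention in one place and make a later switch to OIDC a single edit.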
+++ b/.github/workflows/cloud-installpack-bk-trigger.yml @@ -8,23 +8,38 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true + + - uses: actions/checkout@v4 with: repository: redpanda-data/sparse-checkout - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} path: sparse-checkout - uses: ./sparse-checkout with: repository: redpanda-data/vtools - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} patterns: actions path: ghca - name: Trigger Versions Bump Buildkite Job uses: ./ghca/actions/buildkite-pipeline-trigger with: - buildkite_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_token: ${{ env.BUILDKITE_TOKEN }} buildkite_org: redpanda buildkite_pipeline: ${{ vars.CLOUD_PIPELINE }} commit: HEAD diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml deleted file mode 100644 index 55eaabd200c1..000000000000 --- a/.github/workflows/kics-iac.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: kics scanning -on: - push: - branches: dev -jobs: - kics: - runs-on: ubuntu-latest - env: - AWS_ACCESS_KEY_ID: ${{ secrets.VULN_REPORTS_AWS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }} - VULN_REPORTS_AWS_BUCKET: ${{ secrets.VULN_REPORTS_AWS_BUCKET }} - AWS_EC2_METADATA_DISABLED: true - steps: - - uses: actions/checkout@v2 - - name: run kics Scan - uses: checkmarx/kics-github-action@v1.6.3 - with: - path: . - ignore_on_exit: results - output_path: res/ - exclude_paths: tests/,src/go/k8s/tests/,src/go/rpk/pkg/testfs/,src/go/k8s/config/ - - name: display kics results - run: | - cat res/results.json - - name: upload scan results - run: | - set -eu - KEY="`date +%Y`/`date +%m`/`date +%d`/${GITHUB_REPOSITORY#*/}_${GITHUB_REF#refs/heads/}_kics_`date +%s`.json" - echo "[i] writing to s3 object '$KEY'" - aws s3 cp res/results.json s3://$VULN_REPORTS_AWS_BUCKET/$KEY diff --git a/.github/workflows/old-backports.yml b/.github/workflows/old-backports.yml deleted file mode 100644 index f1929f208f29..000000000000 --- a/.github/workflows/old-backports.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: old-backports -on: - schedule: - - cron: '*/10 * * * *' -jobs: - alert-on-abandoned-backports: - outputs: - OUTPUT: ${{ steps.get-output.outputs.OUTPUT }} - runs-on: ubuntu-latest - - steps: - - name: Get output - id: get-output - run: | - echo OUTPUT=$(gh search issues --label "kind/backport" --state open --repo "redpanda-data/redpanda" --updated "<`date --date="15 days ago" +"%Y"-"%m"-"%d"`" --sort updated --order asc --limit 15 --json "assignees,updatedAt,url" --jq '.[] | "@" + (.assignees[] | {login} | .login), .url, .updatedAt,"----"') >>"$GITHUB_OUTPUT" - shell: bash - - - name: "Post to a test channel (temporary)" - id: send-slack-message - uses: slackapi/slack-github-action@v1.24.0 - with: - channel-id: "C05DHDW4VCL" - slack-message: "Test: ${{ steps.get-output.outputs.OUTPUT }}" - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} diff --git a/.github/workflows/packages-created.yml b/.github/workflows/packages-created.yml deleted file mode 100644 index 7d933822722b..000000000000 --- a/.github/workflows/packages-created.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: package_creation_handler -on: - repository_dispatch: - types: [packages-created] - -jobs: - package_creation_handler: - runs-on: ubuntu-20.04 - - steps: - - name: Notify PR - uses: peter-evans/create-or-update-comment@v1 - with: - token: ${{ secrets.VTOOLS_GITHUB_API_TOKEN }} - issue-number: ${{ github.event.client_payload.pr_number }} - body: | - Packages created for ${{ github.event.client_payload.ref }} - Tests requiring them can now be run. Try: - `/chaos-test` or `/ducktape` - if: ${{ github.event.client_payload.pr_number }} diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index 00c36f0af66f..1b8741fa0816 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml 
@@ -11,6 +11,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml index 44e909adcd13..bdb2e2b2c909 100644 --- a/.github/workflows/promote.yml +++ b/.github/workflows/promote.yml @@ -7,10 +7,22 @@ jobs: trigger-promote: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/buildkite_token + parse-json-secrets: true - name: trigger redpanda promote pipeline uses: "buildkite/trigger-pipeline-action@v2.0.0" with: - buildkite_api_access_token: ${{ secrets.BUILDKITE_TOKEN }} + buildkite_api_access_token: ${{ env.BUILDKITE_TOKEN }} pipeline: "redpanda/redpanda" branch: dev message: ":github: Promote redpanda packages" diff --git a/.github/workflows/render-draft-release-notes.yml b/.github/workflows/render-draft-release-notes.yml deleted file mode 100644 index 4d7ea20148b1..000000000000 --- a/.github/workflows/render-draft-release-notes.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Render Draft Release Notes -on: - push: - branches: [ dev, 'v[0-9]+.[0-9]+.x' ] -jobs: - render: - runs-on: ubuntu-latest - steps: - - name: Curl rpchangelog - run: | - mkdir -v -p rpchangelog - curl -s -S -f -L -o rpchangelog/requirements.txt https://vectorized-public.s3.us-west-2.amazonaws.com/rpchangelog/requirements.txt - curl -s -S -f -L -o rpchangelog/rpchangelog.py https://vectorized-public.s3.us-west-2.amazonaws.com/rpchangelog/rpchangelog.py - chmod +x rpchangelog/rpchangelog.py - - uses: actions/setup-python@v4 - with: - python-version: '3.10' - cache: 'pip' - - run: pip3 install -r ./rpchangelog/requirements.txt - - name: Render draft release notes to job summary - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - if [[ $GITHUB_REF_NAME == 'dev' ]]; then - PREVIOUS_TAG_NAME=$(gh -R "$GITHUB_REPOSITORY_OWNER/redpanda" release list --exclude-drafts -L 1 | tail -1 | cut -f1) - YEAR_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f1) - FEATURE_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f2) - TAG_NAME="$YEAR_VER.$((FEATURE_VER+1)).1" - else - # e.g. GITHUB_REF_NAME=v22.3.x - SEARCH_PATTERN=${GITHUB_REF_NAME::-1} - PREVIOUS_TAG_NAME=$(gh -R "$GITHUB_REPOSITORY_OWNER/redpanda" release list --exclude-drafts | grep "$SEARCH_PATTERN" | head -1 | cut -f1) - YEAR_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f1) - FEATURE_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. -f2) - PATCH_VER=$(echo "$PREVIOUS_TAG_NAME" | cut -d. 
-f3) - TAG_NAME="$YEAR_VER.$FEATURE_VER.$((PATCH_VER+1))" - fi - ./rpchangelog/rpchangelog.py --log-level=DEBUG --github-owner="$GITHUB_REPOSITORY_OWNER" rel "$TAG_NAME" "$GITHUB_REF_NAME" "$PREVIOUS_TAG_NAME" >> "$GITHUB_STEP_SUMMARY" - LINK_TO_SUMMARY="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" - FINAL_MSG="View rendered draft release notes in the job summary: $LINK_TO_SUMMARY" - if grep -q '## Unclear' "$GITHUB_STEP_SUMMARY"; then - echo '❌ Release Notes Unclear' - echo $FINAL_MSG - exit 1 - else - echo '✔ Release Notes Clear' - echo $FINAL_MSG - fi diff --git a/.github/workflows/rp-storage-tool-checks.yml b/.github/workflows/rp-storage-tool-checks.yml index 87e9a4c0b67f..c96dd5f6a162 100644 --- a/.github/workflows/rp-storage-tool-checks.yml +++ b/.github/workflows/rp-storage-tool-checks.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install stable toolchain uses: actions-rs/toolchain@v1 with: @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install stable toolchain uses: actions-rs/toolchain@v1 diff --git a/.github/workflows/slack-messages.yml b/.github/workflows/slack-messages.yml deleted file mode 100644 index 3a4ed5c20df6..000000000000 --- a/.github/workflows/slack-messages.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: Release Slack Message -on: - release: - types: [published] - -env: - MESSAGE: "Redpanda release ${{ github.event.release.tag_name }} has been published: ${{ github.event.release.html_url }}" - -jobs: - post-slack-message: - name: Post Slack Message - runs-on: ubuntu-latest - steps: - - - name: "Post to internal #releases channel" - id: internal_releases - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: ${{ secrets.INTERNAL_RELEASES_SLACK_CHANNEL }} - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} - - - name: "Post to internal #general channel" - id: internal_general - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: ${{ secrets.INTERNAL_GENERAL_SLACK_CHANNEL }} - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.VBOTBUILDOVICH_SLACK_BOT_TOKEN }} - - - name: "Post to community #releases channel" - id: community_releases - uses: slackapi/slack-github-action@v1.18.0 - with: - channel-id: C034RDJLC31 - slack-message: ${{ env.MESSAGE }} - env: - SLACK_BOT_TOKEN: ${{ secrets.BUILDERBOT_COMMUNITY_SLACK_BOT_TOKEN }} - diff --git a/.github/workflows/slash-commands.yml b/.github/workflows/slash-commands.yml index cb34e2d12a19..72019ce02ac3 100644 --- a/.github/workflows/slash-commands.yml +++ b/.github/workflows/slash-commands.yml 
@@ -6,10 +6,22 @@ jobs: slashCommandDispatch: runs-on: ubuntu-latest steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true - name: Slash Command Dispatch uses: peter-evans/slash-command-dispatch@v2 with: - token: ${{ secrets.ACTIONS_BOT_TOKEN }} + token: ${{ env.ACTIONS_BOT_TOKEN }} permission: read issue-type: both commands: |