From 864a2bc0a3180efa76de0e9b1ee28b81c6f437bb Mon Sep 17 00:00:00 2001
From: Ran Benita
Date: Sun, 16 May 2021 11:37:21 +0300
Subject: [PATCH] ci: use GitHub Actions token instead of `chatops`/`release_notes` secrets

It seems more secure to use the controlled & limited token than an ambient secret.
---
.github/workflows/main.yml | 4 ++--
.github/workflows/prepare-release-pr.yml | 7 ++++---
.github/workflows/release-on-comment.yml | 5 +++--
scripts/prepare-release-pr.py | 5 ++---
scripts/release-on-comment.py | 4 ++--
5 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4c390b452..c58a50ff0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -204,7 +204,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 permissions:
- contents: read
+ contents: write
 needs: [build]
@@ -236,7 +236,7 @@ jobs:
 - name: Publish GitHub release notes
 env:
- GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}
+ GH_RELEASE_NOTES_TOKEN: ${{ github.token }}
 run: |
 sudo apt-get install pandoc
 tox -e publish-gh-release-notes
diff --git a/.github/workflows/prepare-release-pr.yml b/.github/workflows/prepare-release-pr.yml
index 7a610638a..91977f5b2 100644
--- a/.github/workflows/prepare-release-pr.yml
+++ b/.github/workflows/prepare-release-pr.yml
@@ -19,7 +19,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v2
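Review bot: `contents: write` is granted at job level, so every step of the job — presumably including the checkout and setup actions that run before the publish step — receives a write-capable token, not only the step that creates the release; a one-line rationale keeps the grant from being widened or copied blindly later, e.g. `contents: write  # github.token must be able to create the GitHub release (publish-gh-release-notes step)`. The same applies to the `contents: write`/`pull-requests: write` pair in prepare-release-pr.yml and the `contents: write`/`issues: write` pair in release-on-comment.yml, where a comment naming the API call each scope serves would help a later reviewer check least privilege. The job definition this hunk belongs to starts outside the hunk.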
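Review bot: Releases, pushes and pull requests created with `github.token` do not start further workflow runs in the same repository, a documented limitation the `chatops`/`release_notes` personal tokens did not have. For this publish step it only matters if some workflow listens to `release` events (none is visible here), but for the release PR pushed by prepare-release-pr.yml and release-on-comment.yml it likely means the PR gets no CI run until a maintainer pushes to it or closes and reopens it, which the commit message does not weigh against the security gain. Worth recording at the token line, e.g. `GH_RELEASE_NOTES_TOKEN: ${{ github.token }}  # events produced with this token do not trigger other workflows`, and deciding whether that is acceptable for the release PR. The job this step belongs to starts outside the hunk.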
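Review bot: `actions/checkout@v2` on the last line persists the job token into the checkout's git config by default, and that token now carries `contents: write` and `pull-requests: write` for every later step of the job. Since the script is handed the token explicitly on its command line in the next hunk, it presumably authenticates with that value, in which case `- uses: actions/checkout@v2` with `with: persist-credentials: false` would keep the write-capable credential out of `.git/config` without changing behaviour; if the script relies on the persisted credential instead, a comment saying so at the checkout step would document why it must stay. The `on:` trigger and the rest of the `build` job are outside the hunk.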
@@ -40,9 +41,9 @@ jobs:
 - name: Prepare release PR (minor/patch release)
 if: github.event.inputs.major == 'no'
 run: |
- tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }}
+ tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }}
 - name: Prepare release PR (major release)
 if: github.event.inputs.major == 'yes'
 run: |
- tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }} --major
+ tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major
diff --git a/.github/workflows/release-on-comment.yml b/.github/workflows/release-on-comment.yml
index cca908aa6..32d221552 100644
--- a/.github/workflows/release-on-comment.yml
+++ b/.github/workflows/release-on-comment.yml
@@ -14,7 +14,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: write
+ issues: write
 if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
@@ -36,4 +37,4 @@ jobs:
 - name: Prepare release
 run: |
- tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}
+ tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}
diff --git a/scripts/prepare-release-pr.py b/scripts/prepare-release-pr.py
index 5ba174f23..ca5ed411a 100644
--- a/scripts/prepare-release-pr.py
+++ b/scripts/prepare-release-pr.py
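Review bot: The token is still handed to the script as a positional argument on the `tox` command line, so it appears in the step's process arguments and in whatever tox or the script echoes about its invocation, whereas the publish step in main.yml in this same commit passes its token through an environment variable. GitHub masks `github.token` in the step log, so the practical exposure is small, but the env-var form is the more contained and the more consistent pattern across the three workflows, e.g. `env:` / `GITHUB_TOKEN: ${{ github.token }}` (a constructed name) on the step with the script reading it from the environment. The same applies to the `tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}` line in release-on-comment.yml; changing either means changing the scripts' argument parsing, which is outside these hunks.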
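Review bot: The `if:` condition admits the job on comment or issue text alone (`@pytestbot please`), which any account able to comment on an issue can produce, and with this hunk the job runs holding `contents: write` and `issues: write` through `github.token` rather than a secret the repository controlled separately. Whether the commenter is authorised is presumably checked in the script that receives `$GITHUB_EVENT_PATH` in the next hunk, but that check is not visible here and is worth confirming; if it exists, gating on `github.event.comment.author_association` in the `if:` as well would stop unauthorised comments from starting a write-capable job at all. A comment on the permissions block naming the step that needs `issues: write` would also help. The `on:` trigger for this workflow is outside the hunk.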
@@ -9,9 +9,8 @@ The appropriate version will be obtained based on the given branch automatically
 After that, it will create a release using the `release` tox environment, and push a new PR.
-**Secret**: currently the secret is defined in the @pytestbot account,
-which the core maintainers have access to. There we created a new secret named `chatops`
-with write access to the repository.
+**Token**: currently the token from the GitHub Actions is used, pushed with
+`pytest bot ` commit author.
 """
 import argparse
 import re
diff --git a/scripts/release-on-comment.py b/scripts/release-on-comment.py
index f33def3ef..d5996aa40 100644
--- a/scripts/release-on-comment.py
+++ b/scripts/release-on-comment.py
@@ -23,8 +23,8 @@ Then the appropriate version will be obtained based on the given branch name:
 After that, it will create a release using the `release` tox environment, and push a new PR.
-**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers
-have access to. There we created a new secret named `chatops` with write access to the repository.
+**Token**: currently the token from the GitHub Actions is used, pushed with
+`pytest bot ` commit author.
 """
 import argparse
 import json
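Review bot: The new docstring says the Actions token is used but not what the workflow has to grant it, so someone reading the script alone cannot tell why a run fails on a push or PR creation; suggest extending the `**Token**` paragraph with one sentence naming the job permissions the workflow sets in this same commit (`contents: write` and `pull-requests: write` for prepare-release-pr.yml). The phrase `the token from the GitHub Actions is used` would read better as `the GitHub Actions job token (github.token) is used`. The same applies to the matching docstring hunk in scripts/release-on-comment.py, whose workflow grants `contents: write` and `issues: write`; the commit-author address in `pytest bot ` also appears to have been dropped in this rendering and should be checked in the actual file.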