ci: use GitHub Actions token instead of `chatops`/`release_notes` secrets

It seems more secure to use the controlled & limited token than an
ambient secret.
This commit is contained in:
Ran Benita 2021-05-16 11:37:21 +03:00
parent 6bc6ec323a
commit 864a2bc0a3
5 changed files with 13 additions and 12 deletions

View File

@ -204,7 +204,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
permissions: permissions:
contents: read contents: write
needs: [build] needs: [build]
@ -236,7 +236,7 @@ jobs:
- name: Publish GitHub release notes - name: Publish GitHub release notes
env: env:
GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }} GH_RELEASE_NOTES_TOKEN: ${{ github.token }}
run: | run: |
sudo apt-get install pandoc sudo apt-get install pandoc
tox -e publish-gh-release-notes tox -e publish-gh-release-notes

View File

@ -19,7 +19,8 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: write
pull-requests: write
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@ -40,9 +41,9 @@ jobs:
- name: Prepare release PR (minor/patch release) - name: Prepare release PR (minor/patch release)
if: github.event.inputs.major == 'no' if: github.event.inputs.major == 'no'
run: | run: |
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }} tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }}
- name: Prepare release PR (major release) - name: Prepare release PR (major release)
if: github.event.inputs.major == 'yes' if: github.event.inputs.major == 'yes'
run: | run: |
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }} --major tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major

View File

@ -14,7 +14,8 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: write
issues: write
if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please')) if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
@ -36,4 +37,4 @@ jobs:
- name: Prepare release - name: Prepare release
run: | run: |
tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }} tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}

View File

@ -9,9 +9,8 @@ The appropriate version will be obtained based on the given branch automatically
After that, it will create a release using the `release` tox environment, and push a new PR. After that, it will create a release using the `release` tox environment, and push a new PR.
**Secret**: currently the secret is defined in the @pytestbot account, **Token**: currently the token from the GitHub Actions is used, pushed with
which the core maintainers have access to. There we created a new secret named `chatops` `pytest bot <pytestbot@gmail.com>` commit author.
with write access to the repository.
""" """
import argparse import argparse
import re import re

View File

@ -23,8 +23,8 @@ Then the appropriate version will be obtained based on the given branch name:
After that, it will create a release using the `release` tox environment, and push a new PR. After that, it will create a release using the `release` tox environment, and push a new PR.
**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers **Token**: currently the token from the GitHub Actions is used, pushed with
have access to. There we created a new secret named `chatops` with write access to the repository. `pytest bot <pytestbot@gmail.com>` commit author.
""" """
import argparse import argparse
import json import json