ci: use GitHub Actions token instead of `chatops`/`release_notes` secrets
It seems more secure to use the controlled & limited token than an ambient secret.
This commit is contained in:
parent
6bc6ec323a
commit
864a2bc0a3
|
@ -204,7 +204,7 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 30
|
timeout-minutes: 30
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: write
|
||||||
|
|
||||||
needs: [build]
|
needs: [build]
|
||||||
|
|
||||||
|
@ -236,7 +236,7 @@ jobs:
|
||||||
|
|
||||||
- name: Publish GitHub release notes
|
- name: Publish GitHub release notes
|
||||||
env:
|
env:
|
||||||
GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}
|
GH_RELEASE_NOTES_TOKEN: ${{ github.token }}
|
||||||
run: |
|
run: |
|
||||||
sudo apt-get install pandoc
|
sudo apt-get install pandoc
|
||||||
tox -e publish-gh-release-notes
|
tox -e publish-gh-release-notes
|
||||||
|
|
|
@ -19,7 +19,8 @@ jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: write
|
||||||
|
pull-requests: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
|
@ -40,9 +41,9 @@ jobs:
|
||||||
- name: Prepare release PR (minor/patch release)
|
- name: Prepare release PR (minor/patch release)
|
||||||
if: github.event.inputs.major == 'no'
|
if: github.event.inputs.major == 'no'
|
||||||
run: |
|
run: |
|
||||||
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }}
|
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }}
|
||||||
|
|
||||||
- name: Prepare release PR (major release)
|
- name: Prepare release PR (major release)
|
||||||
if: github.event.inputs.major == 'yes'
|
if: github.event.inputs.major == 'yes'
|
||||||
run: |
|
run: |
|
||||||
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }} --major
|
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major
|
||||||
|
|
|
@ -14,7 +14,8 @@ jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: write
|
||||||
|
issues: write
|
||||||
|
|
||||||
if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
|
if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
|
||||||
|
|
||||||
|
@ -36,4 +37,4 @@ jobs:
|
||||||
|
|
||||||
- name: Prepare release
|
- name: Prepare release
|
||||||
run: |
|
run: |
|
||||||
tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}
|
tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}
|
||||||
|
|
|
@ -9,9 +9,8 @@ The appropriate version will be obtained based on the given branch automatically
|
||||||
|
|
||||||
After that, it will create a release using the `release` tox environment, and push a new PR.
|
After that, it will create a release using the `release` tox environment, and push a new PR.
|
||||||
|
|
||||||
**Secret**: currently the secret is defined in the @pytestbot account,
|
**Token**: currently the token from the GitHub Actions is used, pushed with
|
||||||
which the core maintainers have access to. There we created a new secret named `chatops`
|
`pytest bot <pytestbot@gmail.com>` commit author.
|
||||||
with write access to the repository.
|
|
||||||
"""
|
"""
|
||||||
import argparse
|
import argparse
|
||||||
import re
|
import re
|
||||||
|
|
|
@ -23,8 +23,8 @@ Then the appropriate version will be obtained based on the given branch name:
|
||||||
|
|
||||||
After that, it will create a release using the `release` tox environment, and push a new PR.
|
After that, it will create a release using the `release` tox environment, and push a new PR.
|
||||||
|
|
||||||
**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers
|
**Token**: currently the token from the GitHub Actions is used, pushed with
|
||||||
have access to. There we created a new secret named `chatops` with write access to the repository.
|
`pytest bot <pytestbot@gmail.com>` commit author.
|
||||||
"""
|
"""
|
||||||
import argparse
|
import argparse
|
||||||
import json
|
import json
|
||||||
|
|
Loading…
Reference in New Issue