ci: use GitHub Actions token instead of `chatops`/`release_notes` secrets

It seems more secure to use the controlled & limited token than an ambient secret.
2021-05-16 11:37:21 +03:00 · 2021-05-16 11:37:21 +03:00 · 864a2bc0a3
parent 6bc6ec323a
commit 864a2bc0a3
5 changed files with 13 additions and 12 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -204,7 +204,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
-      contents: read
+      contents: write

    needs: [build]

@ -236,7 +236,7 @@ jobs:

    - name: Publish GitHub release notes
      env:
-        GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}
+        GH_RELEASE_NOTES_TOKEN: ${{ github.token }}
      run: |
        sudo apt-get install pandoc
        tox -e publish-gh-release-notes
--- a/.github/workflows/prepare-release-pr.yml
+++ b/.github/workflows/prepare-release-pr.yml
@ -19,7 +19,8 @@ jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
+      contents: write
+      pull-requests: write

    steps:
    - uses: actions/checkout@v2
@ -40,9 +41,9 @@ jobs:
    - name: Prepare release PR (minor/patch release)
      if: github.event.inputs.major == 'no'
      run: |
-        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }}
+        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }}

    - name: Prepare release PR (major release)
      if: github.event.inputs.major == 'yes'
      run: |
-        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ secrets.chatops }} --major
+        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major
--- a/.github/workflows/release-on-comment.yml
+++ b/.github/workflows/release-on-comment.yml
@ -14,7 +14,8 @@ jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
+      contents: write
+      issues: write

    if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))

@ -36,4 +37,4 @@ jobs:

    - name: Prepare release
      run: |
-        tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}
+        tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}
--- a/scripts/prepare-release-pr.py
+++ b/scripts/prepare-release-pr.py
@ -9,9 +9,8 @@ The appropriate version will be obtained based on the given branch automatically

 After that, it will create a release using the `release` tox environment, and push a new PR.

-**Secret**: currently the secret is defined in the @pytestbot account,
-which the core maintainers have access to. There we created a new secret named `chatops`
-with write access to the repository.
+**Token**: currently the token from the GitHub Actions is used, pushed with
+`pytest bot <pytestbot@gmail.com>` commit author.
 """
 import argparse
 import re
--- a/scripts/release-on-comment.py
+++ b/scripts/release-on-comment.py
@ -23,8 +23,8 @@ Then the appropriate version will be obtained based on the given branch name:

 After that, it will create a release using the `release` tox environment, and push a new PR.

-**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers
-have access to. There we created a new secret named `chatops` with write access to the repository.
+**Token**: currently the token from the GitHub Actions is used, pushed with
+`pytest bot <pytestbot@gmail.com>` commit author.
 """
 import argparse
 import json