
Commit 6067d13

committed
ci(secrets): Use GH App instead of PAT CU-86c5w81vz (#67)
1 parent f810700 commit 6067d13

2 files changed

Lines changed: 14 additions & 6 deletions


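--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -5,11 +5,10 @@ on:
 branches:
 - production
 - main
--
 jobs:
 deploy-py-server-argo:
 name: Deploy PY server Argo
 uses: ./.github/workflows/helpers-deploy-argo.yaml
 secrets:
-GH_PAT: ${{ secrets.GH_PAT }}
+KITTL_CI_APP_PRIVATE_KEY: ${{ secrets.KITTL_CI_APP_PRIVATE_KEY }}
 ECR_ROLE_ARN: ${{ github.ref == 'refs/heads/production' && secrets.PRODUCTION_ECR_ROLE_ARN || secrets.STAGING_ECR_ROLE_ARN }}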

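--- a/.github/workflows/helpers-deploy-argo.yaml
+++ b/.github/workflows/helpers-deploy-argo.yaml
@@ -6,8 +6,8 @@ name: helpers-deploy-argo
 on:
 workflow_call:
 secrets:
-GH_PAT:
-description: "The GitHub Personal Access Token to use for checking out the helm-config repository"
+KITTL_CI_APP_PRIVATE_KEY:
+description: "The Kittl-CICD GitHub App private key to use for generating a short-living token"
 required: true
 ECR_ROLE_ARN:
 description: "The ECR role ARN"
@@ -36,13 +36,22 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+- name: Generate token
+id: generate-token
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ vars.KITTL_CI_APP_ID }}
+private-key: ${{ secrets.KITTL_CI_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+development-applications-config
 - name: Checkout helm config Repository
 uses: actions/checkout@v4
 with:
 repository: Kittl/development-applications-config
 ref: main
 path: helm-config
-token: ${{ secrets.GH_PAT }}
+token: ${{ steps.generate-token.outputs.token }}
 persist-credentials: false
 - name: Update Image Version in the related HelmChart values.yaml
 uses: fjogeleit/yaml-update-action@v0.14.0
@@ -54,5 +63,5 @@ jobs:
 branch: main
 createPR: false
 message: 'Update Image Version to ${{ needs.build-docker-image.outputs.image-tag }}'
-token: ${{ secrets.GH_PAT }}
+token: ${{ steps.generate-token.outputs.token }}
 workDir: helm-config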
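Review bot: The `Generate token` step added in the second hunk restricts the installation token to one repository but not by permission, so the token passed to `actions/checkout` and to the third-party `fjogeleit/yaml-update-action` carries every permission the Kittl-CICD App installation holds on development-applications-config. The job appears only to read the repository and push a values.yaml change, so adding `permission-contents: write` under the step's `with:` would narrow it; confirm the update action needs nothing beyond contents access. The same step hands the App private key to `actions/create-github-app-token@v2` by mutable tag, and pinning it as `uses: actions/create-github-app-token@<full-commit-sha> # v2` keeps a moved tag from receiving the key. The enclosing job definition starts outside the hunk, so any job-level settings that affect this are not visible here.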
