ci: updates GH credential strategy in the python-push.yml (#1726)

* ci: updates python-push.yml to use a GitHub app for commit work Signed-off-by: Jennifer Power <[email protected]> * fix: removes extra ">" character Signed-off-by: Jennifer Power <[email protected]> --------- Signed-off-by: Jennifer Power <[email protected]>
oscal-compass · Oct 21, 2024 · c69511a · c69511a
1 parent 5e15a03
commit c69511a
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/.github/workflows/python-push.yml b/.github/workflows/python-push.yml
@@ -9,6 +9,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   set-versions:
     runs-on: ubuntu-latest
@@ -110,11 +112,16 @@ jobs:
       url: https://pypi.org/p/compliance-trestle
     if: github.ref == 'refs/heads/main' && github.repository == 'oscal-compass/compliance-trestle'
     steps:
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.PRIVATE_KEY }}
     - uses: actions/checkout@v4
       with:
         submodules: true
         fetch-depth: 0
-        token: ${{ secrets.ADMIN_PAT }} 
+        token: ${{ steps.app-token.outputs.token }}
     - name: Set up Python ${{ needs.set-versions.outputs.max }}
       uses: actions/setup-python@v5
       with:
@@ -128,7 +135,7 @@ jobs:
       id: release
       uses: python-semantic-release/[email protected]
       with:
-        github_token: ${{ secrets.ADMIN_PAT }}
+        github_token: ${{ steps.app-token.outputs.token }}
 
     - name: Publish package distributions to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
@@ -140,7 +147,7 @@ jobs:
       uses: python-semantic-release/[email protected]
       if: steps.release.outputs.released == 'true'
       with:
-        github_token: ${{ secrets.ADMIN_PAT }}
+        github_token: ${{ steps.app-token.outputs.token }}
 
   deploy-docs:
     runs-on: ubuntu-latest
@@ -151,11 +158,16 @@ jobs:
     # Temporary hack: allow develop as well as master to deploy docs.
     if: github.ref == 'refs/heads/main'
     steps:
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.PRIVATE_KEY }}
     - uses: actions/checkout@v4
       with:
         submodules: true
         fetch-depth: 0
-        token: ${{ secrets.ADMIN_PAT }} 
+        token: ${{ steps.app-token.outputs.token }}
     - name: Set up Python ${{ needs.set-versions.outputs.max }}
       uses: actions/setup-python@v5
       # This is deliberately not using a custom credential as it relies on native github actions token to have push rights.
@@ -178,16 +190,31 @@ jobs:
       cancel-in-progress: true
     if: github.ref == 'refs/heads/main'
     steps:
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.PRIVATE_KEY }}
     - uses: actions/checkout@v4
       with:
         submodules: true
         ref: main
         fetch-depth: 0
-        token: ${{ secrets.ADMIN_PAT }}
+        token: ${{ steps.app-token.outputs.token }}
+    - name: Get GitHub App User ID
+      id: get-user-id
+      run: echo "user-id=$(gh api "/users/${{ env.SLUG }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        SLUG: ${{ steps.app-token.outputs.app-slug }}
     - name: Configure Git
       run: |
-        git config user.name "Vikas Agarwal"
-        git config user.email "<>"
+        git config --global user.name '${{ env.SLUG }}[bot]'
+        git config --global user.email '${{ env.ID }}+${{ env.SLUG }}[bot]@users.noreply.github.com'
+      env:
+        SLUG: ${{ steps.app-token.outputs.app-slug }}
+        ID: ${{ steps.get-user-id.outputs.user-id }}
+      # https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
     - name: Merge Main to Develop
       run: |
         git checkout develop

diff --git a/docs/contributing/github_actions_setup.md b/docs/contributing/github_actions_setup.md
@@ -5,7 +5,7 @@ The variables are documented here such that trestle can be setup on a fork etc.
 
 ## Secrets
 
-- `ADMIN_PAT`: Github PAT with sufficient write access to merge content into `develop` and commit to `gh-pages` and `main`
+- `APP_ID` and `PRIVATE_KEY`: GitHub App information with sufficient write access to merge content into `develop` and commit to `gh-pages` and `main`
 
 - `SONAR_TOKEN`: Token to sonarcloud with rights to the appropriate project.