fix(gha): reduce the amount of 1pass calls due to rate limiting

joryirving · Jan 17, 2025 · 714d2e3 · 714d2e3
1 parent cf44793
commit 714d2e3
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 144 deletions.
diff --git a/.github/workflows/bulk-merge-prs.yaml b/.github/workflows/bulk-merge-prs.yaml
@@ -19,22 +19,12 @@
       name: Bulk Merge PRs
       runs-on: ubuntu-latest
       steps:
-        - name: Get Secrets
-          uses: 1password/load-secrets-action@v2
-          with:
-            export-env: true
-          env:
-            OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONEPASS_SA_TOKEN }}
-            BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-            BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-            BOT_USERNAME: op://Kubernetes/github-bot/BOT_USERNAME
-
         - name: Generate Token
           uses: actions/create-github-app-token@v1
           id: app-token
           with:
-            app-id: ${{ env.BOT_APP_ID }}
-            private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+            app-id: ${{ secrets.BOT_APP_ID }}
+            private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
         - name: Checkout
           uses: actions/checkout@v4

diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
@@ -17,27 +17,13 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.changed-clusters.outputs.all_changed_and_modified_files }}
-      github-token: ${{ steps.app-token.outputs.token }}
     steps:
-      - name: Configure 1Password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout Default Branch
         uses: actions/checkout@v4
@@ -70,19 +56,24 @@ jobs:
         resources: ["helmrelease", "kustomization"]
       max-parallel: 4
       fail-fast: false
-    env:
-      GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
     steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
       - name: Checkout Pull Request Branch
         uses: actions/checkout@v4
         with:
-          token: ${{ env.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           path: pull
 
       - name: Checkout Default Branch
         uses: actions/checkout@v4
         with:
-          token: ${{ env.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.event.repository.default_branch }}
           path: default
 

diff --git a/.github/workflows/helm-repository-sync.yaml b/.github/workflows/helm-repository-sync.yaml
@@ -35,16 +35,14 @@ jobs:
         with:
           export-env: true
         env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
           KUBECONFIG_BASE64: op://Kubernetes/kubernetes/KUBECONFIG_BASE64
 
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/kustomization-sync.yaml b/.github/workflows/kustomization-sync.yaml
@@ -26,16 +26,14 @@ jobs:
         with:
           export-env: true
         env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
           KUBECONFIG_BASE64: op://Kubernetes/kubernetes/KUBECONFIG_BASE64
 
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -15,25 +15,12 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Labeler
         uses: actions/labeler@v5

diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml
@@ -19,25 +19,12 @@ jobs:
     name: Lychee
     runs-on: ubuntu-latest
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/nas-restart.yaml b/.github/workflows/nas-restart.yaml
@@ -24,16 +24,14 @@
           with:
             export-env: true
           env:
-            BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-            BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
             KUBECONFIG: op://Kubernetes/kubernetes/KUBECONFIG_BASE64
 
         - name: Generate Token
           uses: actions/create-github-app-token@v1
           id: app-token
           with:
-            app-id: ${{ env.BOT_APP_ID }}
-            private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+            app-id: ${{ secrets.BOT_APP_ID }}
+            private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
         - name: Checkout
           uses: actions/checkout@v4

diff --git a/.github/workflows/pre-pull-images.yaml b/.github/workflows/pre-pull-images.yaml
@@ -23,27 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.changed-clusters.outputs.all_changed_and_modified_files }}
-      github-token: ${{ steps.app-token.outputs.token }}
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -77,11 +63,17 @@ jobs:
       default: ${{ steps.extract-images.outputs.default }}
       pull: ${{ steps.extract-images.outputs.pull }}
     steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          token: ${{ env.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           ref: "${{ matrix.branches == 'default' && github.event.repository.default_branch || '' }}"
 
       - name: Gather Images

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -12,25 +12,12 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Get Previous Release Tag and Determine Next Tag
         id: determine-next-tag

diff --git a/.github/workflows/schemas.yaml b/.github/workflows/schemas.yaml
@@ -32,8 +32,6 @@ jobs:
         with:
           export-env: true
         env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
           KUBECONFIG_BASE64: op://Kubernetes/kubernetes/KUBECONFIG_BASE64
           CLOUDFLARE_API_TOKEN: op://Kubernetes/cloudflare/CLOUDFLARE_API_TOKEN_GHA
           CLOUDFLARE_ACCOUNT_ID: op://Kubernetes/cloudflare/CLOUDFLARE_ACCOUNT_TAG
@@ -42,8 +40,8 @@ jobs:
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/terraform-diff.yaml b/.github/workflows/terraform-diff.yaml
@@ -19,25 +19,12 @@ jobs:
     outputs:
       matrix: ${{ steps.changed-terraform.outputs.all_changed_and_modified_files }}
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -76,17 +63,15 @@ jobs:
         with:
           export-env: true
         env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
           MINIO_ACCESS_KEY: op://Kubernetes/minio/MINIO_ACCESS_KEY
           MINIO_SECRET_KEY: op://Kubernetes/minio/MINIO_SECRET_KEY
 
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/terraform-publish.yaml b/.github/workflows/terraform-publish.yaml
@@ -16,25 +16,12 @@ jobs:
       contents: read
       packages: write
     steps:
-      - name: Configure 1password
-        uses: 1password/load-secrets-action/configure@v2
-        with:
-          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
-
-      - name: Get Secrets
-        uses: 1password/load-secrets-action@v2
-        with:
-          export-env: true
-        env:
-          BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
-          BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
-
       - name: Generate Token
         uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app-id: ${{ env.BOT_APP_ID }}
-          private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@v4