diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 39f154820e..0712d3d036 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -312,8 +312,6 @@ jobs: needs: ["build-and-push-cli"] runs-on: ubuntu-latest if: github.repository == 'radius-project/radius' && startsWith(github.ref, 'refs/tags/v') - env: - GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/devops-boards.yaml b/.github/workflows/devops-boards.yaml index f02ae3b67f..8446a32103 100644 --- a/.github/workflows/devops-boards.yaml +++ b/.github/workflows/devops-boards.yaml @@ -5,6 +5,9 @@ on: types: [opened, edited, deleted, closed, reopened, labeled, unlabeled, assigned] +env: + FUNCTIONAL_TEST_APP_ID: 425843 + concurrency: group: issue-${{ github.event.issue.number }} cancel-in-progress: false @@ -20,6 +23,12 @@ jobs: environment: name: issues steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} # Auth using Azure Service Principals was added as a part of v2.3 # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143 - name: Login to Azure @@ -38,7 +47,7 @@ jobs: uses: danhellem/github-actions-issue-to-work-item@v2.4 env: ado_token: ${{ env.ADO_TOKEN }} - github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}' + github_token: ${{ steps.get_installation_token.outputs.token }} ado_organization: 'azure-octo' ado_project: 'Incubations' ado_area_path: "Incubations\\Radius" diff --git a/.github/workflows/functional-test-cloud.yaml b/.github/workflows/functional-test-cloud.yaml index cd97500868..a9b2128544 100644 --- a/.github/workflows/functional-test-cloud.yaml +++ b/.github/workflows/functional-test-cloud.yaml 
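Review bot: The new `FUNCTIONAL_TEST_APP_ID: 425843` at the top of the devops-boards hunk is an all-digit identifier written as a bare YAML integer; quote it as `FUNCTIONAL_TEST_APP_ID: "425843"` so formatters and linters treat it as the string it is (Actions stringifies env values, so runtime behaviour is the same either way). The same literal is pasted into functional-test-noncloud, publish-docs, purge-aws-test-resources, purge-azure-test-resources, purge-old-images, radius-bot and release; a repository or organization variable read as `${{ vars.FUNCTIONAL_TEST_APP_ID }}` would give one place to change if the app is ever replaced. Only the functional-test-noncloud copy carries the `# The functional test GitHub app id` comment, and the name says "functional test" although the same app now authenticates release, docs and board automation, so a neutral name plus the comment in every file would read more honestly.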
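Review bot: The added `Get GitHub app token` step resolves `tibdex/github-app-token@v2` by a mutable major tag, and this step is copied verbatim into functional-test-cloud, functional-test-noncloud, long-running-azure, publish-docs, purge-aws-test-resources, purge-azure-test-resources, purge-old-images, radius-bot and release; because the step receives the app private key and mints tokens, pin it to a full commit SHA, e.g. `uses: tibdex/github-app-token@<commit-sha>  # v2`, so a retagged release cannot change the code that sees the key. The installation token carries every permission granted to the app, whereas each workflow needs a different subset (issues here, contents for the checkouts in release); the action's `permissions` input (a JSON object) can narrow the token per job, which is worth adding while the step is being introduced everywhere. The project may also want to confirm the action is still maintained, since GitHub now ships `actions/create-github-app-token` for the same purpose. Once no workflow references `GH_RAD_CI_BOT_PAT`, revoke that PAT and delete the secret so the retired credential cannot be used.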
@@ -191,7 +191,7 @@ jobs: if: github.event_name == 'repository_dispatch' uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | const clientPayload = context.payload.client_payload; if (clientPayload && clientPayload.event_type === `de-functional-test`) { @@ -570,7 +570,7 @@ jobs: # AZURE_OIDC_ISSUER eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" - AUTHKEY=$(echo -n "${{ github.actor }}:${{ secrets.GH_RAD_CI_BOT_PAT }}" | base64) + AUTHKEY=$(echo -n "${{ github.actor }}:${{ steps.get_installation_token.outputs.token }}" | base64) echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"${AUTHKEY}\"}}}" > "./ghcr_secret.json" # Create KinD cluster with OIDC Issuer keys @@ -944,10 +944,16 @@ jobs: runs-on: ubuntu-latest if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius' steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Create failure issue for failing scheduled run uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, diff --git a/.github/workflows/functional-test-noncloud.yaml b/.github/workflows/functional-test-noncloud.yaml index ce6b602e09..0ffda9892f 100644 --- a/.github/workflows/functional-test-noncloud.yaml +++ b/.github/workflows/functional-test-noncloud.yaml @@ -74,6 +74,8 @@ env: LOCAL_REGISTRY_PORT: "5000" # bicep-types ACR url for uploading Radius Bicep types BICEP_TYPES_REGISTRY: 'biceptypes.azurecr.io' + # The functional test GitHub app id + FUNCTIONAL_TEST_APP_ID: 425843 jobs: build: 
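Review bot: `github-token: ${{ steps.get_installation_token.outputs.token }}` in this hunk refers to a step id that no hunk in functional-test-cloud.yaml adds to this job — only the failure-issue job around line 944 gains a `Get GitHub app token` step — and no `FUNCTIONAL_TEST_APP_ID` env is added to this file, unlike functional-test-noncloud.yaml where both the env and a step in the build job are added. Unless the step and env already exist outside these hunks, the expression evaluates to an empty string and this github-script step, the `AUTHKEY` line in hunk @@ -570 and the `token:` of the samples checkout in long-running-azure.yaml @@ -324 will fail or run unauthenticated. Adding the same step (with `id: get_installation_token`) before the first use in each of those jobs, and the `FUNCTIONAL_TEST_APP_ID` env to both files, would make them consistent with functional-test-noncloud. The enclosing jobs start outside these hunks, so this is inferred from what the diff shows.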
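Review bot: The ghcr.io credential written to `./ghcr_secret.json` by the changed `AUTHKEY` line in hunk @@ -570 now embeds an installation token, which GitHub expires after one hour and which the action's post step revokes when the job ends, whereas the PAT it replaces was long-lived; if the KinD cluster pulls images from ghcr.io later in the run, or the secret is reused by the tests, pulls after expiry fail with 401. The username half of the pair is still `${{ github.actor }}` while the token belongs to the app; ghcr.io generally ignores the username when a token is supplied, but confirm that it accepts GitHub App installation tokens for pull before relying on this path. A comment such as `# installation token: valid for 1h, revoked at job end` above the line would warn the next maintainer.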
@@ -87,11 +89,17 @@ jobs: DE_IMAGE: ${{ steps.gen-id.outputs.DE_IMAGE }} DE_TAG: ${{ steps.gen-id.outputs.DE_TAG }} steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Set DE image and tag (repository_dispatch from de-functional-test) if: github.event_name == 'repository_dispatch' uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | const clientPayload = context.payload.client_payload; if (clientPayload && clientPayload.event_type === `de-functional-test`) { @@ -478,10 +486,16 @@ jobs: runs-on: ubuntu-latest if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius' steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Create failure issue for failing scheduled run uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, diff --git a/.github/workflows/long-running-azure.yaml b/.github/workflows/long-running-azure.yaml index c6a81067f1..1ca1921e68 100644 --- a/.github/workflows/long-running-azure.yaml +++ b/.github/workflows/long-running-azure.yaml @@ -324,7 +324,7 @@ jobs: with: repository: radius-project/samples ref: refs/heads/edge - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: samples - name: Set up Go ${{ env.GOVER }} uses: actions/setup-go@v5 
@@ -600,10 +600,16 @@ jobs: runs-on: ubuntu-latest if: failure() && github.repository == 'radius-project/radius' && github.event_name == 'schedule' steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Create failure issue for failing long running test run uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 50f5593cb3..71b5276626 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -18,6 +18,8 @@ on: pull_request: branches: - main +env: + FUNCTIONAL_TEST_APP_ID: 425843 jobs: reference-docs: name: Generate and PR reference documentation @@ -27,6 +29,12 @@ jobs: GOVER: "1.22.2" GOPRIVATE: github.com/radius-project steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Checkout radius repository uses: actions/checkout@v4 with: @@ -107,7 +115,7 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.open_pull_request == 'true') uses: peter-evans/create-pull-request@v7 with: - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: docs add-paths: | *.md diff --git a/.github/workflows/purge-aws-test-resources.yaml b/.github/workflows/purge-aws-test-resources.yaml index 67e947eaae..5a93f7cce5 100644 --- a/.github/workflows/purge-aws-test-resources.yaml +++ b/.github/workflows/purge-aws-test-resources.yaml 
@@ -22,6 +22,7 @@ on: - cron: "0 7 * * 0-6" env: + FUNCTIONAL_TEST_APP_ID: 425843 AWS_REGION: us-west-2 AWS_RESOURCE_TYPES: "AWS::RDS::DBSubnetGroup,AWS::RDS::DBInstance,AWS::S3::Bucket,AWS::Logs::MetricFilter,AWS::Logs::LogGroup" # The current GitHub action link @@ -33,6 +34,12 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'radius-project/radius' steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Checkout the repository uses: actions/checkout@v4 - name: Configure AWS Credentials @@ -48,7 +55,7 @@ jobs: uses: actions/github-script@v7 if: failure() with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, diff --git a/.github/workflows/purge-azure-test-resources.yaml b/.github/workflows/purge-azure-test-resources.yaml index 5c6ac2ff51..d6d27f03b7 100644 --- a/.github/workflows/purge-azure-test-resources.yaml +++ b/.github/workflows/purge-azure-test-resources.yaml @@ -29,6 +29,8 @@ on: - cron: "30 0,12 * * *" env: + FUNCTIONAL_TEST_APP_ID: 425843 + AZURE_RG_DELETE_LIST_FILE: "az_rg_list.txt" # The valid resource time window in seconds to delete the test resources. 6 hours VALID_RESOURCE_WINDOW: 6*60*60 @@ -124,9 +126,15 @@ jobs: runs-on: ubuntu-latest if: ${{ failure() && github.event_name != 'workflow_dispatch' }} steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, 
diff --git a/.github/workflows/purge-old-images.yaml b/.github/workflows/purge-old-images.yaml index 4efadc4fcf..26c42c8e76 100644 --- a/.github/workflows/purge-old-images.yaml +++ b/.github/workflows/purge-old-images.yaml @@ -14,6 +14,7 @@ on: env: ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + FUNCTIONAL_TEST_APP_ID: 425843 jobs: purge_ghcr_dev: @@ -21,11 +22,17 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'radius-project/radius' steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Delete 'dev' containers older than a week uses: snok/container-retention-policy@v3.0.0 with: account: radius-project - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} image-names: dev/* image-tags: "pr-*" cut-off: 1w @@ -36,9 +43,15 @@ jobs: runs-on: ubuntu-latest if: ${{ failure() && github.event_name != 'workflow_dispatch' }} steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - uses: actions/github-script@v7 with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | github.rest.issues.create({ ...context.repo, diff --git a/.github/workflows/radius-bot.yaml b/.github/workflows/radius-bot.yaml index 6a93863367..6fc168fe1c 100644 --- a/.github/workflows/radius-bot.yaml +++ b/.github/workflows/radius-bot.yaml 
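Review bot: `snok/container-retention-policy` deletes package versions, so the new `token: ${{ steps.get_installation_token.outputs.token }}` in the `purge_ghcr_dev` hunk requires the app to hold package deletion rights on the `radius-project` organization; check whether ghcr.io and this action accept a GitHub App installation token for deletion, since package deletion has historically required a classic PAT with `delete:packages`, and an unexpected 403 here would leave the `dev/*` images unpurged. Whatever the outcome, record it next to the step, e.g. `# app token needs packages: write/delete on the radius-project org`, so the permission is not dropped from the app later.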
@@ -4,11 +4,20 @@ on: issue_comment: types: [created] +env: + FUNCTIONAL_TEST_APP_ID: 425843 + jobs: radius-bot: name: Run Radius Bot script runs-on: ubuntu-latest steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Checkout Repository uses: actions/checkout@v4 with: @@ -20,7 +29,7 @@ jobs: env: TEAM_SLUG: 'approvers-radius' with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} script: | const script = require('./.github/scripts/radius-bot.js') await script({github, context}) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2551123987..4490b5d1c5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -31,7 +31,7 @@ on: - 'versions.yaml' env: - GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} + FUNCTIONAL_TEST_APP_ID: 425843 jobs: generate_release_note: @@ -42,6 +42,12 @@ jobs: env: RELNOTE_FOUND: false steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Checkout radius-project/radius uses: actions/checkout@v4 - name: Get supported versions from versions.yaml @@ -58,7 +64,7 @@ jobs: uses: actions/github-script@v7 id: latest-release-tag with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} result-encoding: string script: | const { data } = await github.rest.repos.getLatestRelease({ 
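Review bot: The release.yaml hunk at @@ -31 drops the workflow-level `GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}` and nothing in the diff re-points a `GITHUB_TOKEN` env at the new token, so any `run:` step in release.yaml that shells out to `gh` or reads `$GITHUB_TOKEN` (the `Set up GitHub credentials` step at the end of hunk @@ -124 is one candidate; its body is outside the diff) now runs without that credential — either unauthenticated or failing on a missing token. If those steps need the app identity, add `env: GITHUB_TOKEN: ${{ steps.get_installation_token.outputs.token }}` at step or job level, since step outputs cannot be referenced from the workflow-level `env`. The build.yaml hunk at @@ -312 removes a job-level `GITHUB_TOKEN` in the same way without adding a token step to that job, so the same check applies there.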
@@ -70,7 +76,7 @@ jobs: uses: actions/github-script@v7 id: generate-notes with: - github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github-token: ${{ steps.get_installation_token.outputs.token }} result-encoding: string script: | const { data } = await github.rest.repos.generateReleaseNotes({ @@ -124,40 +130,46 @@ jobs: if: github.repository == 'radius-project/radius' && github.event_name == 'push' runs-on: ubuntu-latest steps: + - name: Get GitHub app token + uses: tibdex/github-app-token@v2 + id: get_installation_token + with: + app_id: ${{ env.FUNCTIONAL_TEST_APP_ID }} + private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }} - name: Checkout radius-project/radius@main uses: actions/checkout@v4 with: repository: radius-project/radius ref: main - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: radius - name: Checkout radius-project/deployment-engine@main uses: actions/checkout@v4 with: repository: radius-project/deployment-engine ref: main - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: deployment-engine - name: Checkout radius-project/recipes@main uses: actions/checkout@v4 with: repository: radius-project/recipes ref: main - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: recipes - name: Checkout radius-project/dashboard@main uses: actions/checkout@v4 with: repository: radius-project/dashboard ref: main - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: dashboard - name: Checkout radius-project/bicep-types-aws@main uses: actions/checkout@v4 with: repository: radius-project/bicep-types-aws ref: main - token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + token: ${{ steps.get_installation_token.outputs.token }} path: bicep-types-aws - name: Set up GitHub credentials run: |
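Review bot: The five `actions/checkout` steps in the last hunk now authenticate to deployment-engine, recipes, dashboard and bicep-types-aws with an installation token, which is scoped to the installation the token step resolves — by default the installation on the current repository — so the app must be installed on each of those repositories with at least `contents: read` (and `write` if the job later pushes with the same token), otherwise the checkouts fail with 404 rather than a clear authorization error. This differs from the PAT, which followed the bot user's repository access. If the job pushes tags or commits with this token after lengthy work, note that installation tokens expire after one hour, so the token may need to be minted closer to the push; a comment above the step, e.g. `# token is scoped to the app installation: app must be installed on every repo checked out below`, would make the dependency visible.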