Chore: use github app for issue commands workflow (#93304)

* Chore: use github app for issue commands workflow * use it in issue-opened too * update comments and permissions * use issue app for triager token * add spaces * add config as requirement * only run main if it has secrets * Check for repository name, * remove config work * get secrets after sleep
2025-02-25 18:55:37 -06:00 · 2024-09-17 12:32:58 +02:00 · 2024-09-17 12:32:58 +02:00 · 43cad93e62
commit 43cad93e62
parent aee9458d98
2 changed files with 78 additions and 35 deletions
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@ -1,11 +1,21 @@
 name: Run commands when issues are labeled or comments added
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
 on:
  issues:
    types: [labeled, unlabeled]
  issue_comment:
    types: [created]
+
 concurrency:
  group: issue-commands-${{ github.event.issue.number }}
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
  config:
    runs-on: "ubuntu-latest"
@ -16,7 +26,7 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then
+          if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

@ -25,17 +35,34 @@ jobs:
    if: needs.config.outputs.has-secrets
    runs-on: ubuntu-latest
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
      - name: Checkout Actions
        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
+
      - name: Install Actions
        run: npm install --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.ISSUE_COMMANDS_TOKEN}}
+          token: ${{ steps.generate_token.outputs.token }}
          configPath: commands
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@ -1,7 +1,12 @@
 name: Run commands when issues are opened
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
 on:
  issues:
    types: [opened]
+
 concurrency:
  group: issue-opened-${{ github.event.issue.number }}

@ -12,59 +17,70 @@ permissions:
 jobs:
  main:
    runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
    steps:
+
      - name: Checkout Actions
        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
+
      - name: Install Actions
        run: npm install --production --prefix ./actions
+
      # give issue-openers a chance to add labels after submit
      - name: Sleep for 2 minutes
        run: sleep 2m
        shell: bash
-      - name: Run Commands
-        uses: ./actions/commands
-        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.ISSUE_COMMANDS_TOKEN}}
-          configPath: "issue-opened"
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
-                        secrets.GRAFANA_DELIVERY_BOT_APP_PEM != ''
-                        ) || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-  auto-triage:
-    needs: [main, config]
-    if: needs.config.outputs.has-secrets && (github.event.issue.author_association == 'NONE' || github.event.issue.author_association == 'FIRST_TIMER' || github.event.issue.author_association == 'FIRST_TIME_CONTRIBUTOR')
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Get vault secrets"
        id: vault-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
-          # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
+      - name: Run Commands
+        uses: ./actions/commands
+        with:
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          token: ${{ steps.generate_token.outputs.token }}
+          configPath: "issue-opened"
+
+  auto-triage:
+    needs: [main]
+    if: github.repository == 'grafana/grafana' && (github.event.issue.author_association == 'NONE' || github.event.issue.author_association == 'FIRST_TIMER' || github.event.issue.author_association == 'FIRST_TIME_CONTRIBUTOR')
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
          repo_secrets: |
            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}

      - name: Checkout auto-triager repository
        uses: actions/checkout@v4
@ -89,7 +105,7 @@ jobs:
          echo ${{ steps.auto_triage.outputs.triage_labels }}

      - name: "Send Slack notification"
-        if : ${{ steps.auto_triage.outputs.triage_labels != '' }}
+        if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
        uses: slackapi/slack-github-action@v1.27.0
        with:
          payload: >