From 38db581740e2ecc0677d64f4e582d5d33ab63422 Mon Sep 17 00:00:00 2001 From: Dinesh-Kantamneni Date: Thu, 4 Jun 2026 12:02:55 -0700 Subject: [PATCH] switching personal pat token to service pat token --- .github/workflows/draft-release.yml | 20 +++++++++++++++++++- .github/workflows/publish-artifacts.yml | 20 +++++++++++++++++--- .github/workflows/quality-checks.yml | 23 ++++++++++++++++++++--- 3 files changed, 56 insertions(+), 7 deletions(-) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 8bb8186..0825d58 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -12,13 +12,31 @@ on: branches: - release/** +permissions: + id-token: write # Required for OIDC + contents: read + jobs: # Generate new release notes update_release_draft: runs-on: ubuntu-latest steps: + - name: Configure AWS Credentials via OIDC + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1 + aws-region: us-east-1 + - name: Retrieve GitHub service account token from secops account + id: get-token + run: | + SECRET_VALUE=$(aws secretsmanager get-secret-value \ + --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \ + --query SecretString \ + --output text | jq -r ".GITHUB_TOKEN") + echo "::add-mask::$SECRET_VALUE" + echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Checkout Codebase uses: actions/checkout@v2 with: @@ -41,4 +59,4 @@ jobs: version: v${{ steps.package-version.outputs.current-version }} tag: v${{ steps.package-version.outputs.current-version }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }} diff --git a/.github/workflows/publish-artifacts.yml b/.github/workflows/publish-artifacts.yml index ffb414b..f5df6e0 100644 --- a/.github/workflows/publish-artifacts.yml 
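Review bot: The new `Retrieve GitHub service account token from secops account` step writes whatever `jq` emits straight into `$GITHUB_OUTPUT` without checking it, so if the `aws secretsmanager get-secret-value` call fails the pipeline still exits 0 (the default `bash -e` step shell does not set `pipefail`, and `jq -r` on empty input prints nothing) and the later steps run with an empty or literal `null` token, failing with an opaque auth error rather than at the fault. Add `set -o pipefail` as the first line of the script and a guard after the assignment: `if [ -z "$SECRET_VALUE" ] || [ "$SECRET_VALUE" = null ]; then echo "::error::empty GitHub token from Secrets Manager"; exit 1; fi`. Separately, `aws-actions/configure-aws-credentials@v6` is pinned to a mutable tag while the other third-party actions in these workflows are pinned to commit SHAs (e.g. `dawidd6/action-download-artifact@891cccee…`); pin it to a SHA for consistency with that supply-chain policy. Note also that `::add-mask::` only redacts the value from logs — it remains a plain step output readable by every later step in the job — which is worth a one-line comment above the step so nobody treats the output as a secret store.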
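Review bot: The `env:` swap replaces the ephemeral, repository-scoped `secrets.GITHUB_TOKEN` with a long-lived service PAT, which widens the blast radius of this release-drafting step beyond what the commit subject ("switching personal pat token to service pat token") describes — this workflow was not using a personal PAT before. If the motivation is that the newly added `permissions:` block (`contents: read`) no longer lets `GITHUB_TOKEN` create a draft release, the narrower fix is `contents: write` in that block and keeping `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; a PAT is only warranted if something this step creates must itself trigger other workflows, which presumably a draft does not. Whichever is chosen, record the reason in a comment above the `env:` line, e.g. `# Service PAT instead of GITHUB_TOKEN: <reason>`. The step this `env:` belongs to begins above the hunk, so its `uses:` and other inputs were not reviewed.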
+++ b/.github/workflows/publish-artifacts.yml @@ -9,7 +9,7 @@ on: workflow_dispatch: release: types: [ published ] - + permissions: id-token: write # Required for OIDC contents: read @@ -18,6 +18,21 @@ jobs: publish-npm: runs-on: ubuntu-latest steps: + - name: Configure AWS Credentials via OIDC + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1 + aws-region: us-east-1 + + - name: Retrieve GitHub service account token from secops account + id: get-token + run: | + SECRET_VALUE=$(aws secretsmanager get-secret-value \ + --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \ + --query SecretString \ + --output text | jq -r ".GITHUB_TOKEN") + echo "::add-mask::$SECRET_VALUE" + echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - uses: actions/checkout@v6 - uses: actions/setup-node@v6 @@ -45,11 +60,10 @@ jobs: id: pr uses: peter-evans/create-pull-request@45c510e1f68ba052e3cd911f661a799cfb9ba3a3 #v3.6.0 with: - token: ${{ secrets.GH_USER_TOKEN }} + token: ${{ steps.get-token.outputs.GITHUB_TOKEN }} commit-message: Backfill ${{ github.event.release.repository.default_branch }} with release tag ${{ github.event.release.tag_name }} title: Backfill master - ${{github.event.release.tag_name}} branch: feature/merge_release_${{github.event.release.tag_name}} base: ${{ github.event.release.repository.default_branch}} body: | Auto generated pull request to backfill `${{ github.event.release.tag_name }} into ${{ github.event.release.repository.default_branch }}`. - diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 02119eb..77d5f39 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
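Review bot: The PAT is fetched in the first two steps of `publish-npm` but, as far as this hunk and the next show, is only consumed by the `create-pull-request` step at the end of the job, so it sits in `steps.get-token.outputs` (log-masked, but not a secret) while checkout, setup-node and the publish steps between them run. Moving the `Configure AWS Credentials via OIDC` and `Retrieve GitHub service account token from secops account` steps to immediately before the step that needs the token shortens the window in which unrelated third-party actions have it in reach and makes the dependency obvious. The same fetch block is now pasted verbatim into three workflows with the same role and secret ARNs; a composite action (or reusable workflow) that outputs the token would keep the ARNs and the masking logic in one place. `aws-actions/configure-aws-credentials@v6` is also tag-pinned whereas the neighbouring `peter-evans/create-pull-request@45c510e…` is SHA-pinned — pin it the same way. The steps between the fetch and the PR step lie outside this hunk, so I could not confirm that none of them use the token.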
@@ -10,12 +10,30 @@ on: types: - completed +permissions: + id-token: write # Required for OIDC + contents: read + jobs: perform-quality-checks: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} steps: + - name: Configure AWS Credentials via OIDC + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1 + aws-region: us-east-1 + - name: Retrieve GitHub service account token from secops account + id: get-token + run: | + SECRET_VALUE=$(aws secretsmanager get-secret-value \ + --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \ + --query SecretString \ + --output text | jq -r ".GITHUB_TOKEN") + echo "::add-mask::$SECRET_VALUE" + echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Checkout Codebase uses: actions/checkout@v2 @@ -26,7 +44,7 @@ jobs: - name: Download Coverage Artifacts uses: dawidd6/action-download-artifact@891cccee4b25d3306cf5edafa174ddc1d969871f with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }} workflow: ${{ github.event.workflow_run.workflow_id }} commit: ${{ github.event.workflow_run.head_commit.id }} name: coverage @@ -37,9 +55,8 @@ jobs: uses: 5monkeys/cobertura-action@67ec5c1b5ee78e49d22300126df88761ca6a7031 # pin @v7 with: path: coverage/cobertura-coverage.xml - repo_token: ${{ secrets.GITHUB_TOKEN }} + repo_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }} only_changed_files: ${{github.base_ref != null}} show_line: true show_branch: true minimum_coverage: 90 -
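Review bot: This workflow runs on `workflow_run: completed` gated only by `github.event.workflow_run.event == 'pull_request'`, i.e. in the base repository's privileged context for pull requests that may come from forks, and the added steps now mint AWS credentials and pull an organisation service PAT into that job before it goes on (later hunks) to download and parse a coverage artifact produced by the untrusted PR run. That trades a short-lived, repository-scoped `GITHUB_TOKEN` for a long-lived PAT in exactly the job most exposed to attacker-influenced input; if anything downstream can be made to leak an environment variable or step output, the PAT and whatever it can reach go with it. Unless the PAT does something `GITHUB_TOKEN` cannot do here, prefer granting the needed scopes in the new `permissions:` block (`actions: read` for the artifact download, `pull-requests: write` for the coverage comment) and leaving the two `secrets.GITHUB_TOKEN` references in place. If the PAT must stay, add a comment above `Configure AWS Credentials via OIDC` explaining why, and confirm that the IAM role's trust policy restricts the OIDC `sub` claim to this repository and its protected refs — the policy is not visible here. The script also needs `set -o pipefail` and a non-empty check on `SECRET_VALUE` so a failed Secrets Manager call does not silently write `GITHUB_TOKEN=` to `$GITHUB_OUTPUT`.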
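Review bot: `dawidd6/action-download-artifact` is now handed the service PAT as `github_token` to fetch an artifact uploaded by the PR's own workflow run (`commit: ${{ github.event.workflow_run.head_commit.id }}`), and that artifact's content is attacker-controlled for fork PRs. The action only needs `actions: read` on this repository to list and download artifacts, which `secrets.GITHUB_TOKEN` provides once `actions: read` is added to the workflow's `permissions:` block; passing a PAT whose scope presumably spans the organisation into a step that processes untrusted input is the wrong direction for least privilege. Suggested change: `github_token: ${{ secrets.GITHUB_TOKEN }}` here plus `actions: read` under `permissions:`. If a PAT is genuinely required (for example because the artifact lives in another repository), say so in a comment above the step.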