From fd8227130c1ae24787e1684f85527ccd76d38d99 Mon Sep 17 00:00:00 2001
From: Marc Sanmiquel
Date: Thu, 17 Oct 2024 12:21:27 +0200
Subject: [PATCH] chore: leverage github app secrets in helm releases (#3631)

---
 .github/workflows/helm-release.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index 6ca3b5a686..d6b9721a96 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -6,6 +6,18 @@ on:
       - main
       - "release-[0-9]+.[0-9]+"
 
+# NOTE: We need to store GH_RELEASES_APP_ID and GH_RELEASES_APP_PRIVATE_KEY as repository secrets
+# (even though we already store them in Vault) due to limitations in how secrets can be
+# accessed and passed between different parts of a GitHub Actions workflow.
+#
+# The grafana/helm-charts/.github/workflows/update-helm-repo.yaml is a reusable workflow,
+# not a composite action. This means we can't run steps to retrieve secrets from Vault
+# before calling this workflow within the same job.
+#
+# While we have access to the grafana/shared-workflows/actions/get-vault-secrets@main action,
+# environment variables set by this action in one job are not accessible in other jobs or
+# in reusable workflows called from this workflow.
+
 jobs:
   call-update-helm-repo:
     uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
@@ -14,4 +26,5 @@ jobs:
       cr_configfile: operations/pyroscope/helm/cr.yaml
       ct_configfile: operations/pyroscope/helm/ct.yaml
     secrets:
-      helm_repo_token: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
+      github_app_id: ${{ secrets.GH_RELEASES_APP_ID }}
+      github_app_private_key: ${{ secrets.GH_RELEASES_APP_PRIVATE_KEY }}
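Review bot: The new comment block explains why the App credentials are duplicated into repository secrets but not what that duplication costs: `GH_RELEASES_APP_PRIVATE_KEY` is a long-lived signing key that can mint installation tokens for every installation of the app, so a second copy is a second place it has to be rotated and a second place it can leak from. I would add a line after the first paragraph such as `# The private key now lives in two places; rotate it in both Vault and this repository's secrets, and keep the app installed/permissioned only for what the helm-charts release needs.` The last paragraph also names the wrong constraint, I believe: the blocker is not env-var visibility across jobs but that a reusable workflow only receives what the caller lists under `secrets:` (or `secrets: inherit`) from the `secrets` context, and job outputs containing secret values are redacted, so there is no other channel — presumably worth stating that way so nobody later tries to route the key through a job output.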
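Review bot: The two new `secrets:` entries hand the App's private key to a reusable workflow that the context line above references by the mutable ref `update-helm-repo.yaml@main`, so any change merged to that workflow — including the names it declares under `on.workflow_call.secrets`, which must match `github_app_id`/`github_app_private_key` exactly or this run fails at validation — takes effect here without review, while holding a key that can mint tokens for every installation of the app. I would pin the callee to a release tag or full commit SHA, e.g. `uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@<sha>  # vX.Y`, and bump it deliberately; this diff cannot confirm that the callee on main already accepts these two secret names, so that should be checked before merge. The removed `helm_repo_token` line was the last reference to `GH_BOT_ACCESS_TOKEN` in this file; if nothing else uses that PAT it should be revoked and deleted from the repository secrets rather than left behind.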