
Commit fc3e45c

authored
Updating all uses of the secrets.PROJECT_MANAGEMENT_PAT to use a registered Github App (nv-morpheus#1730)
Removes all uses of `secrets.PROJECT_MANAGEMENT_PAT` to instead use the registered app and generate a token via the `actions/create-github-app-token` action ## By Submitting this PR I confirm: - I am familiar with the [Contributing Guidelines](https://github.com/nv-morpheus/Morpheus/blob/main/docs/source/developer_guide/contributing.md). - When the PR is ready for review, new or existing tests cover these changes. - When the PR is ready for review, the documentation is up to date with these changes. Authors: - Michael Demoret (https://github.com/mdemoret-nv) Approvers: - Ben Jarmak (https://github.com/jarmak-nv) - David Gardner (https://github.com/dagardner-nv) URL: nv-morpheus#1730
1 parent 61ed7c3 commit fc3e45c

6 files changed

+107
-70
lines changed

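--- a/.github/workflows/label-external-issues.yml
+++ b/.github/workflows/label-external-issues.yml
@@ -19,27 +19,35 @@ on:
 issues:
 types:
 - opened
-
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 
 jobs:
 Label-Issue:
 runs-on: ubuntu-latest
 # Only run if the issue author is not part of NV-Morpheus
 if: ${{ ! contains(fromJSON('["OWNER", "MEMBER", "CONTRIBUTOR", "COLLABORATOR"]'), github.event.issue.author_association)}}
-steps:
+steps:
+- name: Generate Token
+uses: actions/create-github-app-token@v1
+id: generate-token
+with:
+app-id: ${{ secrets.ACTIONS_APP_ID }}
+private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
 - name: add-triage-label
+env:
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 issue_url=${{ github.event.issue.html_url }}
 gh issue edit ${issue_url} --add-label "Needs Triage,external"
-
+
 - name: add-comment-to-issue
+env:
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 issue_url=${{ github.event.issue.html_url }}
 author=${{ github.event.issue.user.login }}
 echo ${author}
 gh issue comment ${issue_url} --body "Hi @${author}!
-
+
 Thanks for submitting this issue - our team has been notified and we'll get back to you as soon as we can!
-In the mean time, feel free to add any relevant information to this issue."
+In the meantime, feel free to add any relevant information to this issue."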
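Review bot: The new `Generate Token` step pins `actions/create-github-app-token@v1` to a mutable major tag while handing it `secrets.ACTIONS_APP_KEY`, the App's private key; a third-party action that receives a signing key is the one most worth pinning to a full-length commit SHA, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1`, so that a retagged release cannot change what runs with that key. The same step is added unchanged in project_automation_set_in_review.yml and project_automation_set_roadmap.yml, so the pin belongs in all three. The installation token exposed as `steps.generate-token.outputs.token` carries whatever permissions the App installation was granted, so the installation should be limited to the issue and project write access these steps use, and a comment above the step stating that expectation, `# Installation token: its scope is whatever the App installation grants; keep that to issues/projects`, would help the next maintainer.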

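--- a/.github/workflows/project_automation_set_in_progress.yml
+++ b/.github/workflows/project_automation_set_in_progress.yml
@@ -23,33 +23,33 @@ on:
 pull_request_review:
 # Run this action when a PR is reviewed
 types: [submitted]
-
+
 env:
-ORG: ${{ github.event.repository.owner.login }}
-PR_NUMBER: ${{ github.event.pull_request.number }}
-REPO: ${{ github.event.repository.name }}
-PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}
+ORG: ${{ github.event.repository.owner.login }}
+PR_NUMBER: ${{ github.event.pull_request.number }}
+REPO: ${{ github.event.repository.name }}
+PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}
 
-# The environment vars below are hard-coded from external queries to save time + complexity here
-# Note: PVT means Project V2, not "Private"
-# PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
-PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
-STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
-WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
-START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
-IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
-IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"
+# The environment vars below are hard-coded from external queries to save time + complexity here
+# Note: PVT means Project V2, not "Private"
+# PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
+PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
+STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
+WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
+START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
+IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
+IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"
 
 jobs:
 project_automation_in_progress:
 runs-on: ubuntu-latest
 
 # We use the default GitHub token to perform the draft update because
-# The pull_request_review trigger does not grant access to the secrets.PROJECT_MANAGEMENT_PAT
+# The pull_request_review trigger does not grant access to secrets
 permissions:
 issues: write
 pull-requests: write
-
+
 steps:
 - name: Check if changes requested from a reviewer
 id: check_changes_requested
@@ -58,7 +58,7 @@ jobs:
 if [ ${{ github.event.review.state }} != 'changes_requested' ]; then
 echo "Changes not requested, exiting"
 exit 0
-
+
 # If it is requesting changes, set PR to draft
 # We use the default token here since we're granting write access to the PR
 elif [ ${{ github.event.pull_request.draft }} == false ]; then
@@ -80,8 +80,6 @@ jobs:
 - name: Select Status Field Value
 id: select_status_field_value
 if: github.event_name == 'pull_request_target'
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 run: |
 # If it's not a draft and it's an opened trigger, the status should be "Ready for Review", otherwise "In Progress"
 if [ ${{ github.event.pull_request.draft }} == false ] && [ ${{ github.event.action }} == "opened" ]; then
@@ -96,8 +94,6 @@ jobs:
 - name: Get PR Project ID
 id: get_pr_id
 if: github.event_name == 'pull_request_target'
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 run: |
 # Query up to 10 projects for the PR
 gh api graphql -f query='
@@ -122,20 +118,18 @@ jobs:
 }
 }
 }' > project_data.json
-
+
 # Filter the json result to only the project-specific ID for the PR
 # A PR can be in multiple projects so we need to filter by the project ID we want
 pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
 select(.node.project.id == "${{ env.PROJECT_ID }}") |
 .node.id' project_data.json)
 echo "PR_ID=$pr_id" >> $GITHUB_ENV
 continue-on-error: true
-
+
 - name: Set PR Fields
 id: set_pr_fields
 if: github.event_name == 'pull_request_target'
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 run: |
 gh api graphql -f query='
 mutation {
@@ -154,7 +148,7 @@ jobs:
 }
 }
 }'
-
+
 # Check if the PR has a start sprint assigned, save the result for the linked issues
 gh api graphql -f query='
 query {
@@ -171,7 +165,7 @@ jobs:
 }' > start_sprint_exists_data.json
 start_sprint_option_id=$(jq -r '.data.node.fieldValueByName.id' start_sprint_exists_data.json)
 echo "START_SPRINT_OPTION_ID=$start_sprint_option_id" >> $GITHUB_ENV
-
+
 # If there is no start sprint assigned, assign the current start sprint
 if [ "$start_sprint_option_id" == 'null' ]; then
 # Get current start sprint iteration id
@@ -197,7 +191,7 @@ jobs:
 }' > start_sprint_option_data.json
 current_start_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' start_sprint_option_data.json)
 echo "CURRENT_START_SPRINT_OPTION_ID=$current_start_sprint_option_id" >> $GITHUB_ENV
-
+
 # The query below is constructed differently than the ones above due to bash variable syntax + github actions syntax interactions
 QUERY="mutation {
 updateProjectV2ItemFieldValue(
@@ -217,7 +211,7 @@ jobs:
 }"
 gh api graphql --field query="$QUERY"
 fi
-
+
 # Assign the current working sprint to the PR (faster/simpler to just overwrite even if it is the same)
 gh api graphql -f query='
 query {
@@ -240,7 +234,7 @@ jobs:
 }' > working_sprint_options_data.json
 current_working_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' working_sprint_options_data.json)
 echo "CURRENT_WORKING_SPRINT_OPTION_ID=$current_working_sprint_option_id" >> $GITHUB_ENV
-
+
 # Set the working sprint to the current working sprint
 QUERY="mutation {
 updateProjectV2ItemFieldValue(
@@ -260,12 +254,10 @@ jobs:
 }"
 gh api graphql --field query="$QUERY"
 continue-on-error: true
-
+
 - name: Sync Linked Issues
 id: sync_linked_issues
 if: github.event_name == 'pull_request_target'
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
 run: |
 # Find the linked issues to the PR
 gh api graphql -f query='
@@ -303,7 +295,7 @@ jobs:
 issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
 select(.node.project.id == "${{ env.PROJECT_ID }}") |
 .node.id' linked_issues.json)
-
+
 # For each linked issue, set the status to "In Progress", the Working Sprint to the current working sprint
 # If there's no Start Sprint, set that to the current Start Sprint as well
 for issue_id in $issue_ids; do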
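Review bot: The four steps that lose their `env: GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}` block in this file (Select Status Field Value, Get PR Project ID, Set PR Fields, Sync Linked Issues) receive no replacement token: unlike the other three workflows in this commit no `Generate Token` step is added here, and the section's +26/-34 count is consistent with a pure removal. Each of those steps runs `gh api graphql` against a ProjectV2, and neither the workflow-level `env:` shown in the first hunk nor the job keys shown between `runs-on:` and `steps:` set a `GH_TOKEN`/`GITHUB_TOKEN`, so unless one is defined outside these hunks the calls will fail, and `continue-on-error: true` on two of them will make that failure silent. The rewritten comment `# The pull_request_review trigger does not grant access to secrets` does not cover these steps either, since they are gated on `github.event_name == 'pull_request_target'`, an event that does receive secrets. The fix is the pattern the other files use: add the `Generate Token` step at the top of `steps:` and set `GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}` on each of the four steps.

```yaml
steps:
  - name: Generate Token
    uses: actions/create-github-app-token@v1
    id: generate-token
    with:
      app-id: ${{ secrets.ACTIONS_APP_ID }}
      private-key: ${{ secrets.ACTIONS_APP_KEY }}

  # … unchanged: Check if changes requested from a reviewer …

  - name: Select Status Field Value
    id: select_status_field_value
    if: github.event_name == 'pull_request_target'
    env:
      GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
    # … unchanged: run block …

  # … same env block added to Get PR Project ID, Set PR Fields and Sync Linked Issues …
```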

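--- a/.github/workflows/project_automation_set_in_review.yml
+++ b/.github/workflows/project_automation_set_in_review.yml
@@ -20,7 +20,7 @@ on:
 # Run this action when a PR is opened or edited
 # Issues do not have a graphQL connection to linked PRs so we can't use that event
 types: [ready_for_review, review_requested]
-
+
 env:
 ORG: ${{ github.event.repository.owner.login }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -36,16 +36,23 @@ env:
 jobs:
 project_automation_in_review:
 runs-on: ubuntu-latest
-
+
 steps:
+- name: Generate Token
+uses: actions/create-github-app-token@v1
+id: generate-token
+with:
+app-id: ${{ secrets.ACTIONS_APP_ID }}
+private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
 - name: Wait 1 Second
 id: sleep
 run: sleep 1
-
+
 - name: Get PR Project ID
 id: get_pr_id
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 # Query up to 10 projects for the PR
 gh api graphql -f query='
@@ -70,7 +77,7 @@ jobs:
 }
 }
 }' > project_data.json
-
+
 # Filter the json result to only the project-specific ID for the PR
 # A PR can be in multiple projects so we need to filter by the project ID we want
 pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
@@ -81,8 +88,8 @@ jobs:
 
 - name: Set PR to In Review
 id: set_pr_in_review
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+env:
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 # Update the PR status to In Review
 gh api graphql -f query='
@@ -107,7 +114,7 @@ jobs:
 - name: Set Linked Issues to In Review
 id: update_linked_issues
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 gh api graphql -f query='
 query {
@@ -144,7 +151,7 @@ jobs:
 issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
 select(.node.project.id == "${{ env.PROJECT_ID }}") |
 .node.id' linked_issue_data.json)
-
+
 # Set Linked Issues to In Review
 for issue_id in $issue_ids; do
 # The query below is constructed differently than the others due to bash variable syntax + github actions syntax interactions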

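--- a/.github/workflows/project_automation_set_roadmap.yml
+++ b/.github/workflows/project_automation_set_roadmap.yml
@@ -22,7 +22,7 @@ on:
 issues:
 # Run this action when an issue is closed
 types: [closed]
-
+
 env:
 ORG: ${{ github.event.repository.owner.login }}
 PR_NUMBER: ${{ github.event.pull_request.number }} # evaluates to null for issues
@@ -38,13 +38,20 @@ env:
 jobs:
 project_automation_roadmap_on_close:
 runs-on: ubuntu-latest
-
-steps:
+
+steps:
+- name: Generate Token
+uses: actions/create-github-app-token@v1
+id: generate-token
+with:
+app-id: ${{ secrets.ACTIONS_APP_ID }}
+private-key: ${{ secrets.ACTIONS_APP_KEY }}
+
 - name: Get PR Project ID
 if: github.event_name == 'pull_request_target'
 id: get_pr_id
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 # Query up to 10 projects for the PR
 gh api graphql -f query='
@@ -69,20 +76,20 @@ jobs:
 }
 }
 }' > project_data.json
-
+
 # Filter the json result to only the project-specific ID for the PR
 # A PR can be in multiple projects so we need to filter by the project ID we want
 pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
 select(.node.project.id == "${{ env.PROJECT_ID }}") |
 .node.id' project_data.json)
 echo "ITEM_ID=$pr_id" >> $GITHUB_ENV
 continue-on-error: true
-
+
 - name: Get Issue Project ID
 if: github.event_name == 'issues'
 id: get_issue_id
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 # Query up to 10 projects for the Issue
 gh api graphql -f query='
@@ -107,7 +114,7 @@ jobs:
 }
 }
 }' > project_data.json
-
+
 # Filter the json result to only the project-specific ID for the PR
 # A PR can be in multiple projects so we need to filter by the project ID we want
 issue_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
@@ -119,8 +126,8 @@ jobs:
 - name: Get Current Release
 id: get_current_release
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
-run: |
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+run: |
 # Get current roadmap id
 # We maintain the roadmap as a single select field in the project, with the first value being the upcoming release
 
@@ -146,8 +153,8 @@ jobs:
 
 - name: Set Item Roadmap
 id: set_item_roadmap
-env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
+env:
+GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 run: |
 # Perform the mutation to update the Roadmap
 gh api graphql -f query='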
