fix(ci-cd): use token-bureau

SocialGouv · Jan 7, 2025 · aaa00be · aaa00be
1 parent edba05e
commit aaa00be
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,12 +3,14 @@ name: 🔖 Release
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 env:
   GIT_AUTHOR_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
   GIT_AUTHOR_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }}
   GIT_COMMITTER_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
   GIT_COMMITTER_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }}
-  GITHUB_TOKEN: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
 
 jobs:
   release:
@@ -20,6 +22,14 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
+
+    - name: Get GitHub App Token
+      id: token
+      uses: SocialGouv/token-bureau@main
+      with:
+        token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
+        audience: socialgouv
+
     - name: Set up Node
       uses: actions/setup-node@v4
       with:
@@ -38,7 +48,10 @@ jobs:
         git_commit_gpgsign: true
         git_push_gpgsign: false
         git_tag_gpgsign: true
+
     - name: Semantic Release
+      env:
+        GITHUB_TOKEN: ${{ steps.token.outputs.token }}
       run: |
         export PATH="$(pwd)/.github/bin/:$PATH"
         yarn semantic-release