ci: update bot tokens to read/write accesses

customerio · Feb 7, 2022 · ab6a09a · ab6a09a
1 parent 9648e65
commit ab6a09a
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 7 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,4 +1,4 @@
-Complete each step to get your pull request merged in. [Learn more about the workflow this project uses](https://github.com/customerio/customerio-ios/develop/docs/dev-notes/GIT-WORKFLOW.md). 
+Complete each step to get your pull request merged in. [Learn more about the workflow this project uses](https://github.com/customerio/customerio-ios/blob/develop/docs/dev-notes/GIT-WORKFLOW.md). 
 - [ ] [Assign members of your team](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review) to review the pull request. 
 - [ ] Wait for pull request status checks to complete. If there are problems, fix them until you see that [all status checks are passing](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fsymfony.com%2Fdoc%2F4.3%2F_images%2Fdocs-pull-request-symfonycloud.png&f=1&nofb=1). 
 - [ ] Wait until the pull request has been reviewed *and approved* by a teammate

diff --git a/.github/workflows/deploy-git-tag.yml b/.github/workflows/deploy-git-tag.yml
@@ -1,4 +1,7 @@
 name: Deploy git tag  
+
+# Only run after a pull request has been merged. This is because
+# bot account runs write operations on the github repo to push a tag. 
 on:
   push:
     branches: [main, beta, alpha]
@@ -21,4 +24,5 @@ jobs:
             @semantic-release/github@8
             @semantic-release/exec@6
         env:
-          GITHUB_TOKEN: ${{ secrets.REPO_PUSH_TOKEN }}
+          # Needs to push git commits to repo. Needs write access. 
+          GITHUB_TOKEN: ${{ secrets.WRITE_ACCESS_BOT_TOKEN }}
diff --git a/.github/workflows/pr-helper.yml b/.github/workflows/pr-helper.yml
@@ -10,8 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Semantic PR helper 
-        uses: levibostian/action-semantic-pr@v1
+        uses: levibostian/action-semantic-pr@v2
         with:
-          token: ${{ secrets.REPO_PUSH_TOKEN }}
+          readToken: ${{ secrets.READ_ONLY_BOT_TOKEN }}
+          writeToken: ${{ secrets.WRITE_ACCESS_BOT_TOKEN }}
           # Sets rules on the types of commits allowed on a specific branch. Example: {"beta": "fix,docs"} gives a warning on the pull request if a pull request is made into the beta branch with a type thats not fix.
           branchTypeWarning: '{"beta": "fix", "main": "fix"}'
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
@@ -12,4 +12,4 @@ jobs:
         uses: levibostian/action-promote-semantic-release@v1
         with:
           sequence: "develop,alpha,beta,main"
-          githubToken: ${{ secrets.REPO_PUSH_TOKEN }}
+          githubToken: ${{ secrets.WRITE_ACCESS_BOT_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -44,7 +44,7 @@ jobs:
       with:
         check_name: XCode macOS tests (xcode ${{ matrix.xcode }}) - Results
         report_paths: test-report.xml
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ secrets.READ_ONLY_BOT_TOKEN }}
         fail_on_failure: true 
         require_tests: true 
       if: ${{ always() }} # if running tests fails, we still want to parse the test results     
@@ -82,7 +82,7 @@ jobs:
       with:
         check_name: SPM Linux tests (swift ${{ matrix.swift }}) - Results 
         report_paths: test-report.xml
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ secrets.READ_ONLY_BOT_TOKEN }}
         fail_on_failure: true 
         require_tests: true 
       if: ${{ always() }} # if running tests fails, we still want to parse the test results