

Merge pull request #23423 from redpanda-data/PESDLC-1736-gh-oidc
gha: use oidc
andrewhsu authored Sep 23, 2024
2 parents c80c354 + d9867d7 commit 4050949
Showing 23 changed files with 320 additions and 418 deletions.
69 changes: 22 additions & 47 deletions .github/workflows/backport-command.yml
@@ -1,3 +1,4 @@
---
name: backport-command
on:
repository_dispatch:
Expand All @@ -11,7 +12,9 @@ env:
ARG1: ${{ github.event.client_payload.slash_command.args.unnamed.arg1 }}
MILESTONE_ARG: ${{ github.event.client_payload.slash_command.args.named.milestone }}
TARGET_FULL_REPO: ${{ github.event.client_payload.slash_command.args.named.org }}/${{ github.event.client_payload.slash_command.args.named.repo }}

permissions:
id-token: write
contents: read
jobs:
# assumptions:
# label "kind/backport" exists
Expand All @@ -24,48 +27,38 @@ jobs:
target_milestone: ${{ steps.get_backport_type.outputs.target_milestone }}
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
aws-region: us-west-2

- name: get secrets from aws sm
uses: aws-actions/aws-secretsmanager-get-secrets@v2
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/actions_bot_token
parse-json-secrets: true

- name: Get type of backport (issue or PR)
env:
GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }}
id: get_backport_type
run: $SCRIPT_DIR/get_backport_type.sh
shell: bash

- name: Failed reaction
uses: peter-evans/create-or-update-comment@v1
uses: peter-evans/create-or-update-comment@v4
if: failure()
with:
token: ${{ env.ACTIONS_BOT_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: "-1"

reactions: "-1"
- name: Post Error
if: failure()
env:
COMMENTED_ON: ${{ steps.get_backport_type.outputs.commented_on }}
GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
run: $SCRIPT_DIR/post_error.sh
shell: bash

# creates backport issue if commented on issue, or
# creates backport PR if commented on PR
# eg /backport v21.11.x
Expand All @@ -75,23 +68,16 @@ jobs:
env:
BACKPORT_BRANCH: ${{ needs.backport-type.outputs.backport_branch }}
steps:
- name: checkout
uses: actions/checkout@v4

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
aws-region: us-west-2

- name: get secrets from aws sm
uses: aws-actions/aws-secretsmanager-get-secrets@v2
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/actions_bot_token
parse-json-secrets: true

- name: Get user
env:
GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
Expand All @@ -101,21 +87,18 @@ jobs:
echo "username=$username" >> $GITHUB_OUTPUT
echo "repo=$TARGET_REPO" >> $GITHUB_OUTPUT
echo "[email protected]" >> $GITHUB_OUTPUT
- name: Get assignees
env:
ASSIGNEES: ${{ toJson(github.event.client_payload.github.payload.issue.assignees) }}
id: assignees
run: echo "assignees=$(echo $ASSIGNEES | jq -r '.[].login' | paste -s -d ',' -)" >> $GITHUB_OUTPUT

- name: Discover and create milestone
env:
GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
TARGET_MILESTONE: ${{ needs.backport-type.outputs.target_milestone }}
id: create_milestone
run: $SCRIPT_DIR/create_milestone.sh
shell: bash

- name: Create issue
if: needs.backport-type.outputs.commented_on == 'issue'
env:
Expand All @@ -125,9 +108,8 @@ jobs:
ORIG_LABELS: ${{ toJson(github.event.client_payload.github.payload.issue.labels) }}
ASSIGNEES: ${{ steps.assignees.outputs.assignees }}
id: create_issue
run: $SCRIPT_DIR/create_issue.sh
run: $SCRIPT_DIR/create_issue.sh
shell: bash

- name: Get commits of PR
if: needs.backport-type.outputs.commented_on == 'pr'
env:
Expand All @@ -137,14 +119,12 @@ jobs:
run: |
backport_commits=$(gh api "repos/$TARGET_FULL_REPO/pulls/$BACKPORT_PR_NUMBER/commits" --jq .[].sha | paste -s -d ' ' -)
echo "backport_commits=$backport_commits" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
if: needs.backport-type.outputs.commented_on == 'pr'
with:
repository: ${{ steps.user.outputs.username }}/${{ steps.user.outputs.repo }}
token: ${{ env.ACTIONS_BOT_TOKEN }}
path: ./fork

- name: Backport commits and get details
if: needs.backport-type.outputs.commented_on == 'pr'
env:
Expand All @@ -159,7 +139,6 @@ jobs:
id: pr_details
run: $SCRIPT_DIR/pr_details.sh
shell: bash

- name: Create pull request
if: needs.backport-type.outputs.commented_on == 'pr'
env:
Expand All @@ -173,34 +152,30 @@ jobs:
ORIG_PR_URL: ${{ github.event.client_payload.pull_request.html_url }}
GIT_USER: ${{ steps.user.outputs.username }}
id: create_pr
run: $SCRIPT_DIR/create_pr.sh
run: $SCRIPT_DIR/create_pr.sh
shell: bash

- name: Add reaction
uses: peter-evans/create-or-update-comment@v1
uses: peter-evans/create-or-update-comment@v4
with:
token: ${{ env.ACTIONS_BOT_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray

reactions: hooray
- name: Failed reaction
uses: peter-evans/create-or-update-comment@v1
uses: peter-evans/create-or-update-comment@v4
if: failure()
with:
token: ${{ env.ACTIONS_BOT_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: "-1"

reactions: "-1"
- name: Post Error
if: failure()
env:
COMMENTED_ON: ${{ needs.backport-type.outputs.commented_on }}
GITHUB_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
run: $SCRIPT_DIR/post_error.sh
shell: bash

- name: Create Issue On Error
if: failure()
env:
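Review bot: The `permissions:` block added at workflow level (just after `TARGET_FULL_REPO` in the `env` hunk) grants `id-token: write` to every job in backport-command.yml, while the other three workflows in this commit scope the same grant to the single job that runs `configure-aws-credentials`; moving it under each job that needs it, as `permissions:` / `  id-token: write` / `  contents: read` at job indentation, keeps this file as narrow as the others. The IAM role's trust policy is not part of this diff, and since the role name is derived only from `github.event.repository.name`, it presumably has to constrain the token's `sub` claim to this repository and the expected ref — worth confirming alongside this change. Both jobs continue past the visible hunks.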
27 changes: 10 additions & 17 deletions .github/workflows/backport-on-merge.yml
@@ -1,24 +1,20 @@
---
# Invoke the backport bot whenever we merge into dev.

name: backport-on-merge

on:
push:
branches:
- dev

branches: [dev]
env:
SCRIPT_DIR: "${{ github.workspace }}/.github/workflows/scripts/backport-command"
PR_NUMBER: ${{ github.event.number }}

jobs:
backport-on-merge:
runs-on: ubuntu-latest

permissions:
id-token: write
contents: read
steps:
- name: checkout
uses: actions/checkout@v4

- uses: actions/checkout@v4
# Find the PR associated with this push, if there is one.
- uses: jwalton/gh-find-current-pr@v1
id: findPr
Expand All @@ -29,14 +25,11 @@ jobs:
if: success() && steps.findPr.outputs.number
env:
PR: ${{ steps.findPr.outputs.pr }}
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: get secrets from aws sm
uses: aws-actions/aws-secretsmanager-get-secrets@v2
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/actions_bot_token
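Review bot: With `id-token: write` now granted to the whole `backport-on-merge` job, the steps that run before `configure-aws-credentials` — `actions/checkout@v4` and the third-party `jwalton/gh-find-current-pr@v1`, referenced by a floating major tag — also execute with the ability to request an OIDC token for this role, even though the role is only assumed after `findPr` has produced a PR number. Pinning that action to a full commit SHA, `uses: jwalton/gh-find-current-pr@<pinned-commit-sha>  # v1`, bounds what a moved tag could do with the grant; a per-step review of what each pre-exchange action needs is the cheaper check. The rest of the job's steps are outside the hunk.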
36 changes: 15 additions & 21 deletions .github/workflows/buildkite-slash-commands.yml
@@ -1,8 +1,8 @@
---
name: BK slash-command

on:
repository_dispatch:
types:
types:
- cdt-command
- ci-repeat-command
- dt-command
Expand All @@ -16,51 +16,45 @@ on:
jobs:
run-build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
aws-region: us-west-2

- name: get secrets from aws sm
uses: aws-actions/aws-secretsmanager-get-secrets@v2
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/actions_bot_token
,sdlc/prod/github/buildkite_token
parse-json-secrets: true

- uses: actions/checkout@v4
with:
repository: redpanda-data/sparse-checkout
with:
repository: redpanda-data/sparse-checkout
token: ${{ env.ACTIONS_BOT_TOKEN }}
path: sparse-checkout

- uses: ./sparse-checkout
- uses: ./sparse-checkout
with:
repository: redpanda-data/vtools
token: ${{ env.ACTIONS_BOT_TOKEN }}
patterns: actions
path: ghca

path: ghca
- name: Buildkite slash command action
uses: ./ghca/actions/buildkite-slash-commands
with:
buildkite_token: ${{ env.BUILDKITE_TOKEN }}
buildkite_org: redpanda
buildkite_pipeline: redpanda
command: ${{ github.event.client_payload.slash_command.command }}

- name: Success reaction
uses: peter-evans/create-or-update-comment@v2
uses: peter-evans/create-or-update-comment@v4
with:
token: ${{ env.ACTIONS_BOT_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray

reactions: hooray
- name: Error response
if: failure()
uses: ./ghca/actions/slash-command-error
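Review bot: The `configure-aws-credentials` and `aws-secretsmanager-get-secrets` steps lost their `name:` lines in this hunk, so the job log now identifies them only by action path; the same edit appears in backport-command.yml, backport-on-merge.yml and cloud-installpack-bk-trigger.yml. Restoring a short label, e.g. `- name: configure aws credentials via oidc` above `uses: aws-actions/configure-aws-credentials@v4`, keeps the credential-exchange step easy to find when a run fails on the role assumption. The `Error response` step continues outside the hunk.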
29 changes: 12 additions & 17 deletions .github/workflows/cloud-installpack-bk-trigger.yml
@@ -1,41 +1,36 @@
---
name: check formatting
on:
release:
types: [published]

jobs:
trigger-bump:
runs-on: ubuntu-latest

permissions:
id-token: write
contents: read
steps:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
aws-region: us-west-2

- name: get secrets from aws sm
uses: aws-actions/aws-secretsmanager-get-secrets@v2
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/actions_bot_token
,sdlc/prod/github/buildkite_token
parse-json-secrets: true

- uses: actions/checkout@v4
with:
repository: redpanda-data/sparse-checkout
with:
repository: redpanda-data/sparse-checkout
token: ${{ env.ACTIONS_BOT_TOKEN }}
path: sparse-checkout

- uses: ./sparse-checkout
- uses: ./sparse-checkout
with:
repository: redpanda-data/vtools
token: ${{ env.ACTIONS_BOT_TOKEN }}
patterns: actions
path: ghca

path: ghca
- name: Trigger Versions Bump Buildkite Job
uses: ./ghca/actions/buildkite-pipeline-trigger
with:
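Review bot: `name: check formatting` at the top of cloud-installpack-bk-trigger.yml does not describe a workflow that runs on `release: published` and triggers the versions-bump Buildkite job; it reads as a copy-paste leftover and makes the run hard to identify in the Actions list. A name matching the file, `name: cloud-installpack-bk-trigger`, would fix this. The trigger step's `with:` block continues outside the hunk.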
