diff --git a/.github/workflows/reusable-agreements.yaml b/.github/workflows/reusable-agreements.yaml
index 28a9407..fb715a1 100644
--- a/.github/workflows/reusable-agreements.yaml
+++ b/.github/workflows/reusable-agreements.yaml
@@ -4,26 +4,56 @@ on: workflow_call: secrets: GH_TOKEN: - description: Github token - required: true + description: "GITHUB_TOKEN of the calling workflow. Optional; defaults to github.token." + required: false PERSONAL_ACCESS_TOKEN: - description: Personal access token - required: true + description: | + Legacy PAT with write access to the remote signatures repository + (splunk/cla-agreement). Prefer GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY + which mint a short-lived GitHub App installation token in-job. + required: false + GH_APP_CLIENT_ID: + description: | + GitHub App client id. When provided together with GH_APP_PRIVATE_KEY, + an installation token scoped to splunk/cla-agreement is generated + in-job and used in place of PERSONAL_ACCESS_TOKEN. + required: false + GH_APP_PRIVATE_KEY: + description: "GitHub App private key (PEM)." + required: false + permissions: actions: read contents: read pull-requests: write statuses: read + jobs: ContributorLicenseAgreement: runs-on: ubuntu-latest + # `secrets` context is not allowed in step `if:` conditions; bridge via env. + env: + HAS_APP_CREDS: ${{ (secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '') && 'true' || 'false' }} steps: + # NOTE: the App token MUST be minted in the same job that consumes it. + # GitHub Actions strips secret-classified values from `jobs..outputs` + # ("Skip output 'token' since it may contain secret"), so minting it in + # a separate job and passing via `needs.*.outputs.token` does not work. 
+ - name: Generate GitHub App installation token + id: app-token + if: env.HAS_APP_CREDS == 'true' + uses: actions/create-github-app-token@v3 + with: + client-id: ${{ secrets.GH_APP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: splunk + repositories: cla-agreement - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby accept the CLA') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_TOKEN || github.token }} + PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token || secrets.PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CLA.md" # e.g. a CLA or a DCO document 
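Review bot: The installation token minted in the new `Generate GitHub App installation token` step is scoped to the `cla-agreement` repository but not to a permission set, so it carries every permission the App installation holds, and it is then handed to two third-party actions referenced by mutable tags (`actions/create-github-app-token@v3`, `contributor-assistant/github-action@v2.6.1`) in a workflow triggered by `pull_request_target` and `issue_comment`. Narrow the token to what writing the signatures file needs by adding `permission-contents: write` under the step's `with:` (the action documents `permission-*` inputs for this; confirm the App installation grants contents write on that repo), and pin both actions to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/create-github-app-token@<full-sha> # v3`. A hijacked tag would otherwise run with a token that has write access to a different repository than the one the workflow belongs to.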
@@ -38,13 +68,24 @@ jobs: custom-allsigned-prcomment: "****CLA Assistant Lite bot**** All contributors have signed the CLA ✍️ ✅" CodeOfConduct: runs-on: ubuntu-latest + env: + HAS_APP_CREDS: ${{ (secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '') && 'true' || 'false' }} steps: + - name: Generate GitHub App installation token + id: app-token + if: env.HAS_APP_CREDS == 'true' + uses: actions/create-github-app-token@v3 + with: + client-id: ${{ secrets.GH_APP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: splunk + repositories: cla-agreement - name: "COC Assistant" - if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_TOKEN || github.token }} + PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token || secrets.PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: "signatures/version1/coc.json" path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CODE_OF_CONDUCT.md" # e.g. a COC or a DCO document
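Review bot: With `PERSONAL_ACCESS_TOKEN` and the App secrets all `required: false`, a caller that passes neither makes the mint step skip and `PERSONAL_ACCESS_TOKEN` resolve to an empty string on the `COC Assistant` step, so the failure surfaces inside contributor-assistant as an opaque error against `splunk/cla-agreement` instead of as a configuration error in this reusable workflow. Add a fail-fast step ahead of the mint step that exits with a clear `::error::` when `HAS_APP_CREDS` is false and the PAT is empty; the `secrets` context has to be bridged through `env` for the same reason the hunk already notes for the step `if:`. The same guard belongs in the `ContributorLicenseAgreement` job, which duplicates this step sequence.
```yaml
    steps:
      - name: Fail fast when no write credential for splunk/cla-agreement is configured
        if: env.HAS_APP_CREDS != 'true'
        env:
          HAS_PAT: ${{ secrets.PERSONAL_ACCESS_TOKEN != '' }}
        run: |
          if [ "$HAS_PAT" != "true" ]; then
            echo "::error::Pass GH_APP_CLIENT_ID and GH_APP_PRIVATE_KEY, or PERSONAL_ACCESS_TOKEN, to this reusable workflow"
            exit 1
          fi
      # … unchanged: Generate GitHub App installation token, COC Assistant …
```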