From 7089b5978ed1ca2e5f75e431b86a4bf02230cb93 Mon Sep 17 00:00:00 2001
From: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com>
Date: Tue, 29 Apr 2025 18:28:39 -0600
Subject: [PATCH] Chore: Use Vault secrets in `create-next-release-branch.yml` (#104730)

* baldm0mma/ update to use vault

* Update .github/workflows/create-next-release-branch.yml

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>

* Update .github/workflows/create-next-release-branch.yml

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>

---------

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
---
 .../workflows/create-next-release-branch.yml | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/create-next-release-branch.yml b/.github/workflows/create-next-release-branch.yml
index 1107842a765..6a48327dc04 100644
--- a/.github/workflows/create-next-release-branch.yml
+++ b/.github/workflows/create-next-release-branch.yml
@@ -10,11 +10,6 @@ on:
         description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
         type: string
         required: true
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
     outputs:
       branch:
         description: The new branch that was created
@@ -27,23 +22,30 @@ on:
         description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
         type: string
         required: true
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   main:
     runs-on: ubuntu-latest
     outputs:
       branch: ${{ steps.branch.outputs.branch }}
     steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Create release branch
         id: branch
         uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
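Review bot: The new `get-vault-secrets` step is referenced by the mutable `@main` ref, while the `tibdex/github-app-token` step directly below it is pinned to a commit SHA and the `bump-release@main` line at the end of the hunk at least carries a `# zizmor: ignore[unpinned-uses]` annotation; this step is the one that fetches the delivery bot's private key, so it should be pinned, e.g. `uses: grafana/shared-workflows/actions/get-vault-secrets@<pinned-commit-sha>  # placeholder: replace with the reviewed SHA`, or, if in-org `@main` is accepted policy here, given the same zizmor annotation as the bump-release step. The `private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}` read suggests the action exports the key into the job environment, where every later step, including the unpinned bump-release action, can read it; a comment on the `repo_secrets:` block such as `# exported into the job env for all later steps; only the token step needs it` would make that exposure explicit to reviewers. The diffstat lists only this file, so callers of this reusable workflow are not updated here: they now have to grant `id-token: write` to the called workflow and stop passing the removed `GRAFANA_DELIVERY_BOT_APP_*` secrets explicitly, and any caller that still passes them will presumably fail call validation. Moving `DELIVERY_BOT_APP_ID` from a secret to `vars` is reasonable since the app id is not sensitive, but note that in a `workflow_call` context `vars` presumably resolves against the caller's repository, so that variable must exist there.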