From f2aecc876222cdfbe40fbaa672c56e5edbbeaef8 Mon Sep 17 00:00:00 2001
From: "Grot (@grafanabot)" <43478413+grafanabot@users.noreply.github.com>
Date: Wed, 11 Jan 2023 13:11:45 +0200
Subject: [PATCH] [v9.2.x] Update publishing workflows to use PATs with fine-grained access control (#61267)

Update publishing workflows to use PATs with fine-grained access control (#61098)
Signed-off-by: Jack Baldry
Signed-off-by: Jack Baldry
(cherry picked from commit 87ccf10ffe9adf8cf9aee48d27964a6c704ee8ac)
Co-authored-by: Jack Baldry
---
 .../workflows/publish-technical-documentation-next.yml | 8 ++++++--
 .../workflows/publish-technical-documentation-release.yml | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-technical-documentation-next.yml b/.github/workflows/publish-technical-documentation-next.yml
index 30666f2ebb0..1b23f8ba3f2 100644
--- a/.github/workflows/publish-technical-documentation-next.yml
+++ b/.github/workflows/publish-technical-documentation-next.yml
@@ -17,7 +17,9 @@ jobs:
 uses: "actions/checkout@v3"

 - name: "Clone website-sync Action"
- run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.GH_BOT_ACCESS_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync"
+ # WEBSITE_SYNC_GRAFANA is a fine-grained GitHub Personal Access Token that expires.
+ # It must be updated in the grafanabot GitHub account.
+ run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_GRAFANA }}@github.com/grafana/website-sync ./.github/actions/website-sync"

 - name: "Publish to website repository (next)"
 uses: "./.github/actions/website-sync"
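Review bot: The new `run:` line in "Clone website-sync Action" still puts the PAT in the clone URL, so git records `https://grafanabot:<token>@github.com/...` as the remote in `./.github/actions/website-sync/.git/config`, where every later step in the job can read it; log masking does not cover that file. Since `actions/checkout@v3` is already used in this job, the step could check the repository out with `token:` and `persist-credentials: false` instead, which keeps the secret off the command line and out of the on-disk config. The identical step in publish-technical-documentation-release.yml (hunk at -46,7) has the same issue. The rest of the job lies outside this hunk.

```yaml
- name: "Clone website-sync Action"
  uses: "actions/checkout@v3"
  with:
    repository: "grafana/website-sync"
    ref: "master"
    # WEBSITE_SYNC_GRAFANA is a fine-grained GitHub Personal Access Token that expires.
    # It must be updated in the grafanabot GitHub account.
    token: "${{ secrets.WEBSITE_SYNC_GRAFANA }}"
    path: ".github/actions/website-sync"
    persist-credentials: false
# … unchanged: "Publish to website repository (next)" step …
```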
@@ -26,6 +28,8 @@ jobs:
 repository: "grafana/website"
 branch: "master"
 host: "github.com"
- github_pat: "${{ secrets.GH_BOT_ACCESS_TOKEN }}"
+ # PUBLISH_TO_WEBSITE_GRAFANA is a fine-grained GitHub Personal Access Token that expires.
+ # It must be updated in the grafanabot GitHub account.
+ github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_GRAFANA }}"
 source_folder: "docs/sources"
 target_folder: "content/docs/grafana/next"
diff --git a/.github/workflows/publish-technical-documentation-release.yml b/.github/workflows/publish-technical-documentation-release.yml
index 2eb005e6ff8..e57b25ec17d 100644
--- a/.github/workflows/publish-technical-documentation-release.yml
+++ b/.github/workflows/publish-technical-documentation-release.yml
@@ -46,7 +46,9 @@ jobs:

 - name: "Clone website-sync Action"
 if: "steps.has-matching-release-tag.outputs.bool == 'true'"
- run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.GH_BOT_ACCESS_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync"
+ # WEBSITE_SYNC_GRAFANA is a fine-grained GitHub Personal Access Token that expires.
+ # It must be updated in the grafanabot GitHub account.
+ run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_GRAFANA }}@github.com/grafana/website-sync ./.github/actions/website-sync"

 - name: "Publish to website repository (release)"
 if: "steps.has-matching-release-tag.outputs.bool == 'true'"
@@ -56,6 +58,8 @@ jobs:
 repository: "grafana/website"
 branch: "master"
 host: "github.com"
- github_pat: "${{ secrets.GH_BOT_ACCESS_TOKEN }}"
+ # PUBLISH_TO_WEBSITE_GRAFANA is a fine-grained GitHub Personal Access Token that expires.
+ # It must be updated in the grafanabot GitHub account.
+ github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_GRAFANA }}"
 source_folder: "docs/sources"
 target_folder: "content/docs/grafana/${{ steps.target.outputs.target }}"
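Review bot: The comment added above `github_pat` in "Publish to website repository (next)" covers expiry but not the format change: the value went from a bare token to `grafanabot:<token>`, and nothing says why the username prefix is now needed or what the token may access. I would extend the comment with something like `# Format: "<username>:<token>". Scope this token to grafana/website only.`, adjusted to what website-sync actually expects, which this diff does not show. It is also worth confirming that GH_BOT_ACCESS_TOKEN is revoked or removed once no workflow references it, because narrowing scope only helps after the broader token is retired. The release workflow's hunk at -56,6 has the same comment gap.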
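Review bot: The clone in the release workflow's "Clone website-sync Action" step (hunk at -46,7) still follows `-b master` of grafana/website-sync, so whatever commit is on that branch at run time is the code that later receives PUBLISH_TO_WEBSITE_GRAFANA, presumably through a `uses: "./.github/actions/website-sync"` step as in the next workflow. Fetching a reviewed commit SHA instead of the branch name would make the code that handles the token fixed and auditable. The clone step in publish-technical-documentation-next.yml has the same pattern. Whether master on website-sync is branch-protected is not visible from this diff.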