Chore: Use Vault secrets in sync-mirror-event.yml (#104705) (#105777)

* baldm0mma/ update to using vault secrets * Update .github/workflows/sync-mirror-event.yml * Update .github/workflows/sync-mirror-event.yml --------- (cherry picked from commit f0686a61ce) Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com> Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
2025-05-21 13:19:31 -07:00
parent 2480f4b3d7
commit f8dafd73eb
1 changed files with 13 additions and 6 deletions
@@ -10,7 +10,8 @@ on:
      - "v*.*.*"
      - "release-*"

-permissions: {}
+permissions:
+  id-token: write

 # This is run after the pull request has been merged, so we'll run against the target branch
 jobs:
@@ -22,24 +23,30 @@ jobs:
    env:
      REF_NAME: ${{ github.ref_name }}
      REPO: ${{ github.repository }}
-      SENDER: ${{ github.event.sender.login }}
      SHA: ${{ github.sha }}
-      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - uses: actions/github-script@v7
        if: github.repository == 'grafana/grafana'
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          script: |
-            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;
+            const {REF_NAME, REPO, SHA} = process.env;

            await github.rest.actions.createWorkflowDispatch({
                owner: 'grafana',