From 2bf383a4dd07bba100ac943b37df4e0044dffb79 Mon Sep 17 00:00:00 2001
From: Kevin Yu
Date: Wed, 21 May 2025 13:19:37 -0700
Subject: [PATCH] Chore: Use Vault secrets in `sync-mirror-event.yml` (#104705) (#105782)
* baldm0mma/ update to using vault secrets
* Update .github/workflows/sync-mirror-event.yml
* Update .github/workflows/sync-mirror-event.yml
---------
(cherry picked from commit f0686a61cec94465c79d91c3fe3b4bb426035082)
Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com>
Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
---
.github/workflows/sync-mirror-event.yml | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sync-mirror-event.yml b/.github/workflows/sync-mirror-event.yml
index b9387e02069..13c9563846a 100644
--- a/.github/workflows/sync-mirror-event.yml
+++ b/.github/workflows/sync-mirror-event.yml
@@ -10,7 +10,8 @@ on:
- "v*.*.*"
- "release-*"
-permissions: {}
+permissions:
+ id-token: write
# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
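Review bot: `id-token: write` is granted at the workflow level (the `permissions:` block that replaces `permissions: {}`), so every job in this workflow, including any job added later, can request an OIDC token that Vault trusts, not only the job that actually fetches the secrets. Keep the top-level `permissions: {}` and move the grant under the one job that needs it: `permissions:` / `  id-token: write` inside that job's entry. Because the triggers in the surrounding `on:` context are pushes to `v*.*.*` tags and `release-*` branches, anyone able to push such a ref can run this workflow, which makes narrowing the token grant to a single job worthwhile; the explicit block already leaves `contents` and the other scopes at none, as `{}` did. The `jobs:` block this applies to begins on the hunk's last line and continues outside it.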
@@ -22,24 +23,30 @@ jobs:
env:
REF_NAME: ${{ github.ref_name }}
REPO: ${{ github.repository }}
- SENDER: ${{ github.event.sender.login }}
SHA: ${{ github.sha }}
- PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
steps:
+ - name: "Get vault secrets"
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main
+ with:
+ # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+ repo_secrets: |
+ GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
# App needs Actions: Read/Write for the grafana/security-patch-actions repo
- app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
- private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+ app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+ private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
- uses: actions/github-script@v7
if: github.repository == 'grafana/grafana'
with:
github-token: ${{ steps.generate_token.outputs.token }}
script: |
- const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;
+ const {REF_NAME, REPO, SHA} = process.env;
await github.rest.actions.createWorkflowDispatch({
owner: 'grafana',