From 43cad93e6227c26f73f44883a22b4206995dbbc1 Mon Sep 17 00:00:00 2001 From: Esteban Beltran Date: Tue, 17 Sep 2024 12:32:58 +0200 Subject: [PATCH] Chore: use github app for issue commands workflow (#93304) * Chore: use github app for issue commands workflow * use it in issue-opened too * update comments and permissions * use issue app for triager token * add spaces * add config as requirement * only run main if it has secrets * Check for repository name, * remove config work * get secrets after sleep --- .github/workflows/commands.yml | 31 +++++++++++++- .github/workflows/issue-opened.yml | 66 +++++++++++++++++++----------- 2 files changed, 70 insertions(+), 27 deletions(-) diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index c0244a0274a..f733b2f244d 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml @@ -1,11 +1,21 @@ name: Run commands when issues are labeled or comments added + +# important: this workflow uses a github app that is strictly limited +# to issues. If you want to change the triggers for this workflow, +# please review if the permissions are still sufficient. on: issues: types: [labeled, unlabeled] issue_comment: types: [created] + concurrency: group: issue-commands-${{ github.event.issue.number }} + +permissions: + contents: read + id-token: write + jobs: config: runs-on: "ubuntu-latest" @@ -16,7 +26,7 @@ jobs: id: check shell: bash run: | - if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then + if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then echo "has-secrets=1" >> "$GITHUB_OUTPUT" fi 
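Review bot: The rewritten check in the `config` job now expands the secret value itself into the generated shell script (`[ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]`), whereas the removed expression only evaluated to `true` or an empty string; a key containing `"`, `$` or a backtick would break or alter the script, and the plaintext value ends up in the script file the runner writes rather than only passing through the masked log. Pass it through the environment instead: add `env: STATS_KEY: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}` to the step and test `[ -n "$STATS_KEY" ]`. Separately, the new workflow-level `id-token: write` also grants the `config` job an OIDC token it never uses; since only `main` talks to Vault, `id-token: write` can move into that job's own `permissions:` block and the workflow level can keep just `contents: read`.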
@@ -25,17 +35,34 @@ jobs: if: needs.config.outputs.has-secrets runs-on: ubuntu-latest steps: + - name: "Get vault secrets" + id: vault-secrets + uses: grafana/shared-workflows/actions/get-vault-secrets@main + with: + # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault + repo_secrets: | + GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id + GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem + + - name: "Generate token" + id: generate_token + uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 + with: + app_id: ${{ env.GH_APP_ID }} + private_key: ${{ env.GH_APP_PEM }} + - name: Checkout Actions uses: actions/checkout@v4 with: repository: "grafana/grafana-github-actions" path: ./actions ref: main + - name: Install Actions run: npm install --production --prefix ./actions - name: Run Commands uses: ./actions/commands with: metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}} - token: ${{secrets.ISSUE_COMMANDS_TOKEN}} + token: ${{ steps.generate_token.outputs.token }} configPath: commands diff --git a/.github/workflows/issue-opened.yml b/.github/workflows/issue-opened.yml index c75fe2e4524..9f62da223b6 100644 --- a/.github/workflows/issue-opened.yml +++ b/.github/workflows/issue-opened.yml @@ -1,7 +1,12 @@ name: Run commands when issues are opened + +# important: this workflow uses a github app that is strictly limited +# to issues. If you want to change the triggers for this workflow, +# please review if the permissions are still sufficient. on: issues: types: [opened] + concurrency: group: issue-opened-${{ github.event.issue.number }} 
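Review bot: In `main`, the Vault fetch and token generation now run before `Install Actions`, so `npm install --production --prefix ./actions` executes dependency lifecycle scripts of code checked out from the floating `main` ref of grafana/grafana-github-actions with the App private key already present in the job environment (the later `${{ env.GH_APP_PEM }}` reference shows the action exports it as an env var). issue-opened.yml in this same commit deliberately fetches the secrets only after install, so commands.yml should match: move the `Get vault secrets` and `Generate token` steps to just before `Run Commands`, after `Install Actions`. Both `Checkout Actions` (`ref: main`) and `get-vault-secrets@main` are mutable refs in a job that ends up holding a GitHub App key, unlike `tibdex/github-app-token`, which is pinned to a commit SHA; pinning at least the Vault action to a SHA keeps the credential-handling step reproducible.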
@@ -12,59 +17,70 @@ permissions: jobs: main: runs-on: ubuntu-latest + if: github.repository == 'grafana/grafana' steps: + - name: Checkout Actions uses: actions/checkout@v4 with: repository: "grafana/grafana-github-actions" path: ./actions ref: main + - name: Install Actions run: npm install --production --prefix ./actions + # give issue-openers a chance to add labels after submit - name: Sleep for 2 minutes run: sleep 2m shell: bash + + - name: "Get vault secrets" + id: vault-secrets + uses: grafana/shared-workflows/actions/get-vault-secrets@main + with: + # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault + repo_secrets: | + GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id + GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem + + - name: "Generate token" + id: generate_token + uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 + with: + app_id: ${{ env.GH_APP_ID }} + private_key: ${{ env.GH_APP_PEM }} + - name: Run Commands uses: ./actions/commands with: metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}} - token: ${{secrets.ISSUE_COMMANDS_TOKEN}} + token: ${{ steps.generate_token.outputs.token }} configPath: "issue-opened" - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && - secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' - ) || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi + auto-triage: - needs: [main, config] - if: needs.config.outputs.has-secrets && (github.event.issue.author_association == 'NONE' || github.event.issue.author_association == 'FIRST_TIMER' || github.event.issue.author_association == 'FIRST_TIME_CONTRIBUTOR') + needs: [main] + if: github.repository == 'grafana/grafana' && (github.event.issue.author_association == 'NONE' || 
github.event.issue.author_association == 'FIRST_TIMER' || github.event.issue.author_association == 'FIRST_TIME_CONTRIBUTOR') runs-on: ubuntu-latest steps: - - name: "Generate token" - id: generate_token - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 - with: - app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} - private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} - name: "Get vault secrets" id: vault-secrets uses: grafana/shared-workflows/actions/get-vault-secrets@main with: - # Secrets placed in the ci/repo/grafana// path in Vault + # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault repo_secrets: | AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL + GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id + GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem + + - name: "Generate token" + id: generate_token + uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 + with: + app_id: ${{ env.GH_APP_ID }} + private_key: ${{ env.GH_APP_PEM }} - name: Checkout auto-triager repository uses: actions/checkout@v4 @@ -89,7 +105,7 @@ jobs: echo ${{ steps.auto_triage.outputs.triage_labels }} - name: "Send Slack notification" - if : ${{ steps.auto_triage.outputs.triage_labels != '' }} + if: ${{ steps.auto_triage.outputs.triage_labels != '' }} uses: slackapi/slack-github-action@v1.27.0 with: payload: >
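Review bot: `grafana/shared-workflows/actions/get-vault-secrets@main` is referenced by a mutable branch in both `main` and `auto-triage`, while `tibdex/github-app-token` a few lines below is pinned to commit `b62528385c34dbc9f38e5f4225ac829252d1ea92`; the Vault action is the step that receives the job's OIDC identity and hands back the App private key, so it deserves the same treatment (`uses: grafana/shared-workflows/actions/get-vault-secrets@<commit-sha>` with a comment naming the tag). `GH_APP_PEM` is also left in the job environment (`${{ env.GH_APP_PEM }}`) for every later step, including the auto-triager code checked out right after it; if the action can return secrets as step outputs instead of exporting them, that would keep the long-lived key out of the third-party steps — I can't tell from here whether it supports that. The `auto-triage` job continues past the end of this hunk.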