ci: update release lib (#17573)

2 weeks ago · 6f8b6e1d33
parent 23c4f8d89a
commit 6f8b6e1d33
8 changed files with 44 additions and 19 deletions
--- a/.github/jsonnetfile.json
+++ b/.github/jsonnetfile.json
@ -8,7 +8,7 @@
          "subdir": "workflows"
        }
      },
-      "version": "c81bbf8aae70c6899796068184e3406caaddf27c"
+      "version": "4d8854445092dc2900fb865cde82e51075a54cc3"
    }
  ],
  "legacyImports": true
--- a/.github/jsonnetfile.lock.json
+++ b/.github/jsonnetfile.lock.json
@ -8,8 +8,8 @@
          "subdir": "workflows"
        }
      },
-      "version": "c81bbf8aae70c6899796068184e3406caaddf27c",
-      "sum": "UcFLhQVmAWE8HdInfk9VRU4lrDAkAB4QcS9XTO4Nnus="
+      "version": "4d8854445092dc2900fb865cde82e51075a54cc3",
+      "sum": "QI0E48jM4dflGOvZcFLYOI2aW3U+7DSjpsU7V6NvVYQ="
    }
  ],
  "legacyImports": false
--- a/.github/vendor/github.com/grafana/loki-release/workflows/common.libsonnet
+++ b/.github/vendor/github.com/grafana/loki-release/workflows/common.libsonnet
@ -140,8 +140,8 @@
                       + $.step.withIf('${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}')
                       + $.step.with({
                         repo_secrets: |||
-                           APP_ID=loki-gh-app:app-id
-                           PRIVATE_KEY=loki-gh-app:private-key
+                           APP_ID=${{ env.GITHUB_APP }}:app-id
+                           PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
                         |||,
                       }),
  githubAppToken: $.step.new('get github app token', 'actions/create-github-app-token@v1')
--- a/.github/vendor/github.com/grafana/loki-release/workflows/main.jsonnet
+++ b/.github/vendor/github.com/grafana/loki-release/workflows/main.jsonnet
@ -6,6 +6,7 @@
  release: import 'release.libsonnet',
  validate: import 'validate.libsonnet',
  validateGel: import 'validate-gel.libsonnet',
+
  releasePRWorkflow: function(
    branches=['release-[0-9]+.[0-9]+.x', 'k[0-9]+'],
    buildArtifactsBucket='loki-build-artifacts',
@ -28,6 +29,8 @@
    useGCR=false,
    versioningStrategy='always-bump-patch',
                    ) {
+    local githubApp = if releaseRepo == 'grafana/enterprise-logs' then 'enterprise-logs-app' else 'loki-gh-app',
+
    name: 'create release PR',
    on: {
      push: {
@ -53,6 +56,7 @@
      SKIP_VALIDATION: skipValidation,
      USE_GITHUB_APP_TOKEN: useGitHubAppToken,
      VERSIONING_STRATEGY: versioningStrategy,
+      GITHUB_APP: githubApp,
    } + if releaseAs != null then {
      RELEASE_AS: releaseAs,
    } else {},
@ -104,6 +108,8 @@
    dockerPluginPath='clients/cmd/docker-driver',
    publishDockerPlugins=true,
                  ) {
+    local githubApp = if releaseRepo == 'grafana/enterprise-logs' then 'enterprise-logs-app' else 'loki-gh-app',
+
    name: 'create release',
    on: {
      push: {
@ -123,6 +129,7 @@
      RELEASE_LIB_REF: releaseLibRef,
      RELEASE_REPO: releaseRepo,
      USE_GITHUB_APP_TOKEN: useGitHubAppToken,
+      GITHUB_APP: githubApp,
    } + if publishToGCS then {
      PUBLISH_BUCKET: publishBucket,
      PUBLISH_TO_GCS: true,
--- a/.github/vendor/github.com/grafana/loki-release/workflows/release.libsonnet
+++ b/.github/vendor/github.com/grafana/loki-release/workflows/release.libsonnet
@ -16,6 +16,8 @@ local pullRequestFooter = 'Merging this PR will release the [artifacts](https://
    job.new()
    + job.withPermissions({
      'id-token': 'write',
+      contents: 'write',
+      'pull-requests': 'write',
    })
    + job.withSteps([
      common.fetchReleaseRepo,
@ -178,6 +180,9 @@ local pullRequestFooter = 'Merging this PR will release the [artifacts](https://
  publishImages: function(getDockerCredsFromVault=false, dockerUsername='grafanabot')
    job.new()
    + job.withNeeds(['createRelease'])
+    + job.withPermissions({
+      'id-token': 'write',
+    })
    + job.withSteps(
      [
        common.fetchReleaseLib,
@ -258,6 +263,7 @@ local pullRequestFooter = 'Merging this PR will release the [artifacts](https://
    + job.withNeeds(dependencies)
    + job.withPermissions({
      'id-token': 'write',
+      contents: 'write',
    })
    + job.withSteps([
      common.fetchReleaseRepo,
@ -283,6 +289,7 @@ local pullRequestFooter = 'Merging this PR will release the [artifacts](https://
    + job.withNeeds(['publishRelease'])  // always need createRelease for version info
    + job.withPermissions({
      'id-token': 'write',
+      contents: 'write',
    })
    + job.withSteps([
      common.fetchReleaseRepo,
--- a/.github/workflows/minor-release-pr.yml
+++ b/.github/workflows/minor-release-pr.yml
@ -6,6 +6,7 @@ env:
  CHANGELOG_PATH: "CHANGELOG.md"
  DOCKER_USERNAME: "grafana"
  DRY_RUN: false
+  GITHUB_APP: "loki-gh-app"
  IMAGE_PREFIX: "grafana"
  RELEASE_LIB_REF: "main"
  RELEASE_REPO: "grafana/loki"
@ -39,7 +40,9 @@ jobs:
    - "promtail"
    - "querytee"
    permissions:
+      contents: "write"
      id-token: "write"
+      pull-requests: "write"
    runs-on: "ubuntu-latest"
    steps:
    - name: "pull code to release"
@ -70,8 +73,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
@ -918,8 +921,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
--- a/.github/workflows/patch-release-pr.yml
+++ b/.github/workflows/patch-release-pr.yml
@ -6,6 +6,7 @@ env:
  CHANGELOG_PATH: "CHANGELOG.md"
  DOCKER_USERNAME: "grafana"
  DRY_RUN: false
+  GITHUB_APP: "loki-gh-app"
  IMAGE_PREFIX: "grafana"
  RELEASE_LIB_REF: "main"
  RELEASE_REPO: "grafana/loki"
@ -39,7 +40,9 @@ jobs:
    - "promtail"
    - "querytee"
    permissions:
+      contents: "write"
      id-token: "write"
+      pull-requests: "write"
    runs-on: "ubuntu-latest"
    steps:
    - name: "pull code to release"
@ -70,8 +73,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
@ -918,8 +921,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,6 +2,7 @@ concurrency:
  group: "create-release-${{ github.sha }}"
 env:
  BUILD_ARTIFACTS_BUCKET: "loki-build-artifacts"
+  GITHUB_APP: "loki-gh-app"
  IMAGE_PREFIX: "grafana"
  PUBLISH_TO_GCS: false
  RELEASE_LIB_REF: "main"
@ -57,8 +58,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
@ -142,6 +143,7 @@ jobs:
      branchExists: "${{ steps.create_branch.outputs.branch_exists }}"
      branchName: "${{ steps.create_branch.outputs.branch_name }}"
    permissions:
+      contents: "write"
      id-token: "write"
    runs-on: "ubuntu-latest"
    steps:
@ -162,8 +164,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"
@ -285,6 +287,8 @@ jobs:
  publishImages:
    needs:
    - "createRelease"
+    permissions:
+      id-token: "write"
    runs-on: "ubuntu-latest"
    steps:
    - name: "pull release library code"
@ -328,6 +332,7 @@ jobs:
    outputs:
      name: "${{ needs.createRelease.outputs.name }}"
    permissions:
+      contents: "write"
      id-token: "write"
    runs-on: "ubuntu-latest"
    steps:
@ -343,8 +348,8 @@ jobs:
      uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760"
      with:
        repo_secrets: |
-          APP_ID=loki-gh-app:app-id
-          PRIVATE_KEY=loki-gh-app:private-key
+          APP_ID=${{ env.GITHUB_APP }}:app-id
+          PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key
    - id: "get_github_app_token"
      if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}"
      name: "get github app token"