[release-v2.6] fix: create a GitHub token for the release process (#4196)

* create a GitHub token for the release process (#4195)

* use gcr secret for pulling image (#4197)

* use proper path to get tempo secrets (#4199)
joe-elliott authored Oct 17, 2024
1 parent caeda85 commit 6698eec
Showing 2 changed files with 58 additions and 3 deletions.
27 changes: 25 additions & 2 deletions .drone/drone.jsonnet
Expand Up @@ -44,6 +44,9 @@ local docker_config_json_secret = secret('dockerconfigjson', 'secret/data/common

// secret needed for dep-tools
local gh_token_secret = secret('gh_token', 'infra/data/ci/github/grafanabot', 'pat');
local tempo_app_id_secret = secret('tempo_app_id_secret', 'infra/data/ci/tempo/github-app', 'app-id');
local tempo_app_installation_id_secret = secret('tempo_app_installation_id_secret', 'infra/data/ci/tempo/github-app', 'app-installation-id');
local tempo_app_private_key_secret = secret('tempo_app_private_key_secret', 'infra/data/ci/tempo/github-app', 'app-private-key');

// secret to sign linux packages
local gpg_passphrase = secret('gpg_passphrase', 'infra/data/ci/packages-publish/gpg', 'passphrase');
Expand Down Expand Up @@ -295,12 +298,17 @@ local deploy_to_dev() = {
for d in aws_serverless_deployments
],
},

local ghTokenFilename = '/drone/src/gh-token.txt';
// Build and release packages
// Tested by installing the packages on a systemd container
pipeline('release') {
trigger: {
event: ['tag', 'pull_request'],
},
image_pull_secrets: [
docker_config_json_secret.name,
],
volumes+: [
{
name: 'cgroup',
Expand Down Expand Up @@ -346,6 +354,18 @@ local deploy_to_dev() = {
image: 'docker:git',
commands: ['git fetch --tags'],
},
{
name: 'Generate GitHub token',
image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer:latest',
environment: {
GITHUB_APP_ID: { from_secret: tempo_app_id_secret.name },
GITHUB_APP_INSTALLATION_ID: { from_secret: tempo_app_installation_id_secret.name },
GITHUB_APP_PRIVATE_KEY: { from_secret: tempo_app_private_key_secret.name },
},
commands: [
'/usr/bin/github-app-external-token > %s' % ghTokenFilename,
],
},
{
name: 'write-key',
image: 'golang:1.22',
Expand Down Expand Up @@ -390,8 +410,11 @@ local deploy_to_dev() = {
},
{
name: 'release',
image: 'golang:1.22',
commands: ['make release'],
image: 'golang:1.23',
commands: [
'export GITHUB_TOKEN=$(cat %s)' % ghTokenFilename,
'make release'
],
environment: {
GITHUB_TOKEN: { from_secret: gh_token_secret.name },
NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name },
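Review bot: The release step still injects the grafanabot PAT even though the new `'export GITHUB_TOKEN=$(cat %s)' % ghTokenFilename` command overwrites it before `make release` runs, so `GITHUB_TOKEN: { from_secret: gh_token_secret.name }` in the step's `environment` is now a dead credential handed to the step for no reason; drop that line (keeping `NFPM_DEFAULT_PASSPHRASE`) unless something else in the step reads it, and if the PAT is then unused everywhere, remove `gh_token_secret` as well. In the `Generate GitHub token` step, `us.gcr.io/kubernetes-dev/github-app-secret-writer:latest` is a mutable tag on an image that receives the app private key, so pin it by digest (`image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer@sha256:...'`), and the token is written into the source workspace at `/drone/src/gh-token.txt`, where every later step — and anything `make release` packages from the checkout — can read it; a path outside the checkout, or an explicit removal after the release step, would narrow that exposure. If the tool issues a standard GitHub App installation token, it expires after about an hour, so if the build steps between this step and `make release` can run longer than that the token should be generated immediately before the release step instead. The `pipeline('release')` definition starts and ends outside this hunk.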
34 changes: 33 additions & 1 deletion .drone/drone.yml
Expand Up @@ -418,6 +418,8 @@ trigger:
- refs/heads/r???
---
depends_on: []
image_pull_secrets:
- dockerconfigjson
kind: pipeline
name: release
platform:
Expand All @@ -441,6 +443,17 @@ steps:
- git fetch --tags
image: docker:git
name: fetch
- commands:
- /usr/bin/github-app-external-token > /drone/src/gh-token.txt
environment:
GITHUB_APP_ID:
from_secret: tempo_app_id_secret
GITHUB_APP_INSTALLATION_ID:
from_secret: tempo_app_installation_id_secret
GITHUB_APP_PRIVATE_KEY:
from_secret: tempo_app_private_key_secret
image: us.gcr.io/kubernetes-dev/github-app-secret-writer:latest
name: Generate GitHub token
- commands:
- printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE
environment:
Expand Down Expand Up @@ -474,6 +487,7 @@ steps:
- name: docker
path: /var/run/docker.sock
- commands:
- export GITHUB_TOKEN=$(cat /drone/src/gh-token.txt)
- make release
environment:
GITHUB_TOKEN:
Expand Down Expand Up @@ -522,6 +536,24 @@ get:
kind: secret
name: gh_token
---
get:
name: app-id
path: infra/data/ci/tempo/github-app
kind: secret
name: tempo_app_id_secret
---
get:
name: app-installation-id
path: infra/data/ci/tempo/github-app
kind: secret
name: tempo_app_installation_id_secret
---
get:
name: app-private-key
path: infra/data/ci/tempo/github-app
kind: secret
name: tempo_app_private_key_secret
---
get:
name: credentials.json
path: infra/data/ci/tempo-ops-tools-function-upload
Expand Down Expand Up @@ -565,6 +597,6 @@ kind: secret
name: gpg_passphrase
---
kind: signature
hmac: bee5601dffa0f46559f5d8734ebda1261ec9171a3dca7add1a23188f6f162945
hmac: 0265cd585d8c7fc444bebc8aa1164ec6aa7893c2aa16f3beb61503102b00a798

...
