From 6698eec2a0730fdd3148338ce0fda627eed4321d Mon Sep 17 00:00:00 2001
From: Joe Elliott
Date: Thu, 17 Oct 2024 04:48:04 -0400
Subject: [PATCH] [release-v2.6] fix: create a GitHub token for the release process (#4196)

* create a GitHub token for the release process (#4195)

* use gcr secret for pulling image (#4197)

* use proper path to get tempo secrets (#4199)
---
 .drone/drone.jsonnet | 27 +++++++++++++++++++++++++--
 .drone/drone.yml     | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/.drone/drone.jsonnet b/.drone/drone.jsonnet
index 926ac7180bd..07a1362011a 100644
--- a/.drone/drone.jsonnet
+++ b/.drone/drone.jsonnet
@@ -44,6 +44,9 @@ local docker_config_json_secret = secret('dockerconfigjson', 'secret/data/common
 // secret needed for dep-tools
 local gh_token_secret = secret('gh_token', 'infra/data/ci/github/grafanabot', 'pat');
+local tempo_app_id_secret = secret('tempo_app_id_secret', 'infra/data/ci/tempo/github-app', 'app-id');
+local tempo_app_installation_id_secret = secret('tempo_app_installation_id_secret', 'infra/data/ci/tempo/github-app', 'app-installation-id');
+local tempo_app_private_key_secret = secret('tempo_app_private_key_secret', 'infra/data/ci/tempo/github-app', 'app-private-key');
 
 // secret to sign linux packages
 local gpg_passphrase = secret('gpg_passphrase', 'infra/data/ci/packages-publish/gpg', 'passphrase');
@@ -295,12 +298,17 @@ local deploy_to_dev() = {
         for d in aws_serverless_deployments
       ],
     },
+
+    local ghTokenFilename = '/drone/src/gh-token.txt';
 // Build and release packages
 // Tested by installing the packages on a systemd container
 pipeline('release') {
   trigger: {
     event: ['tag', 'pull_request'],
   },
+  image_pull_secrets: [
+    docker_config_json_secret.name,
+  ],
   volumes+: [
     {
       name: 'cgroup',
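Review bot: The existing `// secret needed for dep-tools` comment now reads as the heading for the three new App credential locals as well, although they back a different mechanism than the grafanabot PAT directly below it; a line such as `// GitHub App credentials, exchanged for a short-lived token by the release pipeline` above `local tempo_app_id_secret` keeps the two groups apart. The PAT local `gh_token_secret` stays defined here and, judging from the later `release` hunk, is still bound into the release step, so it is worth confirming whether any consumer of it remains after this change.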
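Review bot: The release pipeline is still triggered on `event: ['tag', 'pull_request']`, and this hunk adds `image_pull_secrets` to it while the following hunks add steps that consume the GitHub App credentials, so every pull-request run now requests registry and App secrets that a PR build does not need. Whether a pull request from a fork can actually obtain them depends on how those secrets are configured on the Drone side, which is not visible here. If the token is only needed for tagged builds, gating the token and release steps with `when: { event: ['tag'] }` keeps the credentials out of PR runs regardless of that configuration.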
@@ -346,6 +354,18 @@ local deploy_to_dev() = {
       image: 'docker:git',
       commands: ['git fetch --tags'],
     },
+    {
+      name: 'Generate GitHub token',
+      image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer:latest',
+      environment: {
+        GITHUB_APP_ID: { from_secret: tempo_app_id_secret.name },
+        GITHUB_APP_INSTALLATION_ID: { from_secret: tempo_app_installation_id_secret.name },
+        GITHUB_APP_PRIVATE_KEY: { from_secret: tempo_app_private_key_secret.name },
+      },
+      commands: [
+        '/usr/bin/github-app-external-token > %s' % ghTokenFilename,
+      ],
+    },
     {
       name: 'write-key',
       image: 'golang:1.22',
@@ -390,8 +410,11 @@ local deploy_to_dev() = {
     },
     {
       name: 'release',
-      image: 'golang:1.22',
-      commands: ['make release'],
+      image: 'golang:1.23',
+      commands: [
+        'export GITHUB_TOKEN=$(cat %s)' % ghTokenFilename,
+        'make release'
+      ],
       environment: {
         GITHUB_TOKEN: { from_secret: gh_token_secret.name },
         NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name },
diff --git a/.drone/drone.yml b/.drone/drone.yml
index 358625498c4..4b296bfe50b 100644
--- a/.drone/drone.yml
+++ b/.drone/drone.yml
@@ -418,6 +418,8 @@ trigger:
   - refs/heads/r???
 ---
 depends_on: []
+image_pull_secrets:
+- dockerconfigjson
 kind: pipeline
 name: release
 platform:
@@ -441,6 +443,17 @@ steps:
   - git fetch --tags
   image: docker:git
   name: fetch
+- commands:
+  - /usr/bin/github-app-external-token > /drone/src/gh-token.txt
+  environment:
+    GITHUB_APP_ID:
+      from_secret: tempo_app_id_secret
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: tempo_app_installation_id_secret
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: tempo_app_private_key_secret
+  image: us.gcr.io/kubernetes-dev/github-app-secret-writer:latest
+  name: Generate GitHub token
 - commands:
   - printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE
   environment:
@@ -474,6 +487,7 @@ steps:
   - name: docker
     path: /var/run/docker.sock
 - commands:
+  - export GITHUB_TOKEN=$(cat /drone/src/gh-token.txt)
   - make release
   environment:
     GITHUB_TOKEN:
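Review bot: `image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer:latest'` is a mutable tag on the one step that receives `GITHUB_APP_PRIVATE_KEY`, so whatever the registry serves under `latest` at run time gets the App's signing key; pinning it to a versioned tag or a digest (`@sha256:<digest taken from the registry>`), as the neighbouring steps pin `golang:1.22`, makes that image auditable. The minted token is written to `/drone/src/gh-token.txt`, inside the checked-out workspace that every later step shares, where it remains until the pipeline ends and sits among the files `make release` operates on; writing it under a dedicated temporary volume, or removing it once the release step has read it, narrows that exposure. The redirect in `commands` also leaves an empty file if the token tool ever exits zero without printing a token, and the consuming step does not check for that.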
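Review bot: The `release` step keeps `GITHUB_TOKEN: { from_secret: gh_token_secret.name }` under `environment` while the new first command `export GITHUB_TOKEN=$(cat %s)` overwrites it, so the grafanabot PAT is still injected into the step's process environment and then never used; dropping that `environment` entry takes a second credential out of the step's reach. The same leftover binding is visible in the generated drone.yml hunk at `@@ -474,6 +487,7 @@`. Hardening the export to `'export GITHUB_TOKEN=$(cat %s) && test -n "$GITHUB_TOKEN"' % ghTokenFilename` fails the step when the token file is empty instead of letting `make release` proceed without a token. The image moves to `golang:1.23` here while the `write-key` step in the previous hunk still runs on `golang:1.22`, which may be deliberate but deserves a comment. The step definition continues past the end of the hunk.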
@@ -522,6 +536,24 @@ get:
 kind: secret
 name: gh_token
 ---
+get:
+  name: app-id
+  path: infra/data/ci/tempo/github-app
+kind: secret
+name: tempo_app_id_secret
+---
+get:
+  name: app-installation-id
+  path: infra/data/ci/tempo/github-app
+kind: secret
+name: tempo_app_installation_id_secret
+---
+get:
+  name: app-private-key
+  path: infra/data/ci/tempo/github-app
+kind: secret
+name: tempo_app_private_key_secret
+---
 get:
   name: credentials.json
   path: infra/data/ci/tempo-ops-tools-function-upload
@@ -565,6 +597,6 @@ kind: secret
 name: gpg_passphrase
 ---
 kind: signature
-hmac: bee5601dffa0f46559f5d8734ebda1261ec9171a3dca7add1a23188f6f162945
+hmac: 0265cd585d8c7fc444bebc8aa1164ec6aa7893c2aa16f3beb61503102b00a798
 
 ...