Support GitHub Apps for GitOps Workflow

Staffbase · Apr 24, 2024 · 51d812d · 51d812d
1 parent ad5c53c
commit 51d812d
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/.github/workflows/template_gitops.yml b/.github/workflows/template_gitops.yml
@@ -12,7 +12,7 @@ on:
       docker-file:
         required: false
         type: string
-        default: './Dockerfile'
+        default: "./Dockerfile"
       docker-image:
         required: false
         type: string
@@ -26,10 +26,14 @@ on:
       gitops-prod:
         required: false
         type: string
+      gitops-organization:
+        required: false
+        type: string
+        default: ${{ github.repository_owner }}
       working-directory:
         required: false
         type: string
-        default: '.'
+        default: "."
     # waiting for: https://github.com/github-community/community/discussions/17554
     secrets:
       docker-username:
@@ -44,18 +48,30 @@ on:
         required: false
       gonosumdb:
         required: false
+      app-id:
+        required: false
+      private-key:
+        required: false
 
 jobs:
   gitops:
-
     name: GitOps
     runs-on: ubuntu-22.04
 
     if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
 
+    env:
+      USING_APP_CREDENTIALS: ${{ secrets.app-id != '' && secrets.private-key != '' }}
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Get App Token
+        if: ${{ env.USING_APP_CREDENTIALS == 'true' }}
+        uses: actions/create-github-app-token@v1.9.0
+        id: get_token
+        with:
+          app-id: ${{ secrets.app-id }}
+          private-key: ${{ secrets.private-key }}
+          owner: ${{inputs.gitops-organization }}
 
       - name: GitOps (build, push and deploy a new Docker image)
         uses: Staffbase/gitops-github-action@v5.4
@@ -70,7 +86,7 @@ jobs:
           docker-build-target: ${{ inputs.docker-build-target }}
           docker-file: ${{ inputs.docker-file }}
           docker-image: ${{ inputs.docker-image }}
-          gitops-token: ${{ secrets.gitops-token }}
+          gitops-token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.gitops-token }}
           gitops-dev: ${{ inputs.gitops-dev }}
           gitops-stage: ${{ inputs.gitops-stage }}
           gitops-prod: ${{ inputs.gitops-prod }}

diff --git a/README.md b/README.md
@@ -102,6 +102,7 @@ jobs:
       # optional: private key of the GitHub App 
       private_key: ${{ <your-private-key> }}
 ```
+
 </details>
 
 ### GitOps
@@ -150,7 +151,12 @@ jobs:
       gitops-token: ${{ <your-gitops-token> }}
       # optional: gonosumdb environment variable
       gonosumdb: ${{ <your-gonosumdb> }}
+      # optional: identifier of the GitHub App for authentication
+      app-id: ${{ <your-app-id> }}
+      # optional: private key of the GitHub App
+      private-key: ${{ <your-private-key> }}
 ```
+
 </details>
 
 ### Jira Ticket Tagging
@@ -183,6 +189,7 @@ jobs:
       # email of the api token owner
       jira-email: ${{ <your-email> }}
 ```
+
 </details>
 
 ### LaunchDarkly Code References
@@ -209,6 +216,7 @@ jobs:
       # LD access token with correct access rights
       access-token: ${{ <your-access-token> }}
 ```
+
 </details>
 
 ### Release Drafter
@@ -247,6 +255,7 @@ jobs:
       # optional: private key of the GitHub App 
       private_key: ${{ <your-private-key> }}
 ```
+
 </details>
 
 ### Release Version Detector
@@ -283,6 +292,7 @@ on:
     - cron: '0 0 * * 1'
     - cron: '0 0 1 1 *'
 ```
+
 </details>
 
 ### Secret Scanning
@@ -299,6 +309,7 @@ jobs:
   trufflehog:
     uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v5.1.0
 ```
+
 </details>
 
 ### Stale
@@ -330,6 +341,7 @@ jobs:
       # optional: comment on the staled pull request, default: This PR has been automatically marked as stale because there has been no recent activity in the last 60 days. It will be closed in 7 days if no further activity occurs such as removing the label.
       stale-pr-message: your message
 ```
+
 </details>
 
 ### TechDocs
@@ -366,6 +378,7 @@ jobs:
       # optional: specifies the access key associated with the storage account
       azure-account-key: ${{ secrets.TECHDOCS_AZURE_ACCESS_KEY }}
 ```
+
 </details>
 
 ### TestIO
@@ -421,6 +434,7 @@ jobs:
       # optional: path which files should be checked recursively, default: .
       target-path: your path
 ```
+
 </details>
 
 ## Limitations 🚧