diff --git a/.github/workflows/template_gitops.yml b/.github/workflows/template_gitops.yml
index 0538706..5f62f65 100644
--- a/.github/workflows/template_gitops.yml
+++ b/.github/workflows/template_gitops.yml
@@ -12,7 +12,7 @@ on:
 docker-file:
 required: false
 type: string
- default: './Dockerfile'
+ default: "./Dockerfile"
 docker-image:
 required: false
 type: string
@@ -26,10 +26,14 @@ on:
 gitops-prod:
 required: false
 type: string
+ gitops-organization:
+ required: false
+ type: string
+ default: ${{ github.repository_owner }}
 working-directory:
 required: false
 type: string
- default: '.'
+ default: "."
 # waiting for: https://github.com/github-community/community/discussions/17554
 secrets:
 docker-username:
@@ -44,18 +48,30 @@ on:
 required: false
 gonosumdb:
 required: false
+ app-id:
+ required: false
+ private-key:
+ required: false
 jobs:
 gitops:
- name: GitOps
 runs-on: ubuntu-22.04
 if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+ env:
+ USING_APP_CREDENTIALS: ${{ secrets.app-id != '' && secrets.private-key != '' }}
+
 steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - name: Get App Token
+ if: ${{ env.USING_APP_CREDENTIALS == 'true' }}
+ uses: actions/create-github-app-token@v1.9.0
+ id: get_token
+ with:
+ app-id: ${{ secrets.app-id }}
+ private-key: ${{ secrets.private-key }}
+ owner: ${{inputs.gitops-organization }}
 - name: GitOps (build, push and deploy a new Docker image)
 uses: Staffbase/gitops-github-action@v5.4
@@ -70,7 +86,7 @@ jobs:
 docker-build-target: ${{ inputs.docker-build-target }}
 docker-file: ${{ inputs.docker-file }}
 docker-image: ${{ inputs.docker-image }}
- gitops-token: ${{ secrets.gitops-token }}
+ gitops-token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.gitops-token }}
 gitops-dev: ${{ inputs.gitops-dev }}
 gitops-stage: ${{ inputs.gitops-stage }}
 gitops-prod: ${{ inputs.gitops-prod }}
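Review bot: The new `uses: actions/create-github-app-token@v1.9.0` step is pinned to a mutable tag, so the code that receives the app's private key can change underneath this reusable workflow; pin it to the full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1.9.0`. The installation token is also minted for every repository the app is installed on under `owner`; if the GitOps repositories are known to the caller, the action's `repositories:` input would scope the token to just those. The `owner: ${{inputs.gitops-organization }}` expression is missing the space after `${{`, unlike every other expression in the hunk. Dropping the `actions/checkout@v4` step presumably relies on Staffbase/gitops-github-action checking out the repository itself; worth confirming, since `docker-file` defaults to a path inside the workspace.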
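Review bot: Both `secrets.gitops-token` and the new `app-id`/`private-key` secrets are declared `required: false`, so a caller that passes neither makes the new `gitops-token:` expression evaluate to an empty string and the GitOps action runs with no credential at all; whether it fails clearly at that point is not visible here. A guard step placed before the GitOps step (that step's `with:` block starts and ends outside this hunk) would report the misconfiguration up front instead of as an authentication error from the deploy, and it follows the file's existing env-variable workaround for checking secrets in conditions. The expression itself is sound: `steps.get_token.outputs.token` is only consulted when `USING_APP_CREDENTIALS` is `'true'`, which is exactly when that step ran.
```yaml
# … unchanged: Get App Token step …
- name: Check that a GitOps credential was provided
  if: ${{ env.USING_APP_CREDENTIALS != 'true' }}
  env:
    GITOPS_TOKEN: ${{ secrets.gitops-token }}
  run: |
    if [ -z "$GITOPS_TOKEN" ]; then
      echo "::error::Provide either app-id and private-key or gitops-token"
      exit 1
    fi
# … unchanged: GitOps (build, push and deploy a new Docker image) step …
```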
diff --git a/README.md b/README.md
index 7b14331..5b220d3 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,7 @@ jobs:
 # optional: private key of the GitHub App
 private_key: ${{ }}
 ```
+
 ### GitOps
@@ -150,7 +151,12 @@ jobs:
 gitops-token: ${{ }}
 # optional: gonosumdb environment variable
 gonosumdb: ${{ }}
+ # optional: identifier of the GitHub App for authentication
+ app-id: ${{ }}
+ # optional: private key of the GitHub App
+ private-key: ${{ }}
 ```
+
 ### Jira Ticket Tagging
@@ -183,6 +189,7 @@ jobs:
 # email of the api token owner
 jira-email: ${{ }}
 ```
+
 ### LaunchDarkly Code References
@@ -209,6 +216,7 @@ jobs:
 # LD access token with correct access rights
 access-token: ${{ }}
 ```
+
 ### Release Drafter
@@ -247,6 +255,7 @@ jobs:
 # optional: private key of the GitHub App
 private_key: ${{ }}
 ```
+
 ### Release Version Detector
@@ -283,6 +292,7 @@ on:
 - cron: '0 0 * * 1'
 - cron: '0 0 1 1 *'
 ```
+
 ### Secret Scanning
@@ -299,6 +309,7 @@ jobs:
 trufflehog:
 uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v5.1.0
 ```
+
 ### Stale
@@ -330,6 +341,7 @@ jobs:
 # optional: comment on the staled pull request, default: This PR has been automatically marked as stale because there has been no recent activity in the last 60 days. It will be closed in 7 days if no further activity occurs such as removing the label.
 stale-pr-message: your message
 ```
+
 ### TechDocs
@@ -366,6 +378,7 @@ jobs:
 # optional: specifies the access key associated with the storage account
 azure-account-key: ${{ secrets.TECHDOCS_AZURE_ACCESS_KEY }}
 ```
+
 ### TestIO
@@ -421,6 +434,7 @@ jobs:
 # optional: path which files should be checked recursively, default: .
 target-path: your path
 ```
+
 ## Limitations 🚧