fix(ci-cd): use token-bureau
devthejo committed Jan 7, 2025
1 parent 5e425f7 commit 32736b2
Showing 19 changed files with 233 additions and 43 deletions.
12 changes: 11 additions & 1 deletion .github/workflows/release.yml
@@ -5,13 +5,23 @@ on:
push:
branches: [master]

permissions:
id-token: write # Required for OIDC token generation

jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/semantic-release@v1
with:
github-token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
github-token: ${{ steps.token.outputs.token }}
author-name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
author-email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
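Review bot: The `token-bureau-url` in the new "Get GitHub App Token" step uses plain `http://`, so the job's OIDC JWT and the GitHub App token returned for it would cross the network unencrypted unless the action upgrades the scheme itself, which is not visible here. Both values are bearer credentials, so the endpoint should be addressed over TLS: `token-bureau-url: https://token-bureau.fabrique.social.gouv.fr`, assuming the service presents a certificate for that host. The same value is repeated in every other workflow changed on this page and needs the same fix.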
12 changes: 11 additions & 1 deletion .github/workflows/use-ks-gh-deactivate.yaml
@@ -25,6 +25,9 @@ on:
KS_NOTIFY_MATTERMOST_WEBHOOK_URL:
required: false

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: Deactivate Pipeline ♻️
@@ -71,12 +74,19 @@ jobs:
env: ${{ steps.deployment-vars.outputs.deployment-name }}
desc: Deployment was pruned

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- name: Clean review sub environment
uses: socialgouv/deployments@v1
continue-on-error: true
with:
step: delete-env
token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
token: ${{ steps.token.outputs.token }}
env: ${{ steps.deployment-vars.outputs.deployment-name }}
desc: Environment was pruned
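Review bot: `uses: SocialGouv/token-bureau@main` tracks a mutable branch for the one step that holds both the OIDC token and the minted App token, so any later push to `main` changes what runs with those credentials without a change in this repository. Pin it to a reviewed full commit SHA and keep the version as a trailing comment, e.g. `uses: SocialGouv/token-bureau@<full-commit-sha> # <release-tag>` (placeholders, to be filled in from the action's repository). The same reference appears in release.yml and in all the other use-ks-gh-* workflows on this page.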

14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-preproduction.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy PreProd on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: preproduction

- uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
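Review bot: The new top-level `permissions:` block lists only `id-token: write`, and once any scope is listed every unlisted scope drops to `none`, so the `secrets.GITHUB_TOKEN` still passed as `token:` to deployment-starting and deployment-ending, and the token `actions/checkout@v4` uses by default, lose whatever scopes they relied on before. Declare the scopes these steps need next to it, probably `contents: read` and `deployments: write` (inferred from the step names, to be confirmed against the actions). Moving the block under `jobs.deploy` would also limit the OIDC grant to the job that uses it. The production, review and with-env variants on this page carry the same block.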
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-production.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Production on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: production

- uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
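Review bot: Nothing in the `permissions:` block tells callers that they must grant `id-token: write` themselves; this file looks like a reusable workflow (the visible `on:` context declares typed inputs), and a called workflow cannot raise permissions above what its caller granted. Without that grant the "Get GitHub App Token" step would have no OIDC token to exchange and the production deploy would stop at that step. I would add a comment above the block such as `# Callers must also grant id-token: write; this workflow cannot raise it on its own`, and state it in the usage documentation. This applies equally to the other use-ks-gh-* workflows on this page.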
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-review-auto.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: review

- uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
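Review bot: The token is requested once before deployment-starting and the same `steps.token.outputs.token` is passed as `pat:` to deployment-ending after the deploy step has finished. If the bureau returns a standard GitHub App installation token, it expires one hour after issuance, so a deploy that runs longer would leave deployment-ending with an expired credential, unlike the long-lived PAT it replaces. Either request a fresh token immediately before deployment-ending or document the limit next to the step, e.g. `# App token is short-lived; re-request before late steps`. The sibling deploy workflows on this page follow the same pattern, and the hunks show only part of the job, so the deploy step's duration is not visible here.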
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-review.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: review

- uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
12 changes: 11 additions & 1 deletion .github/workflows/use-ks-gh-with-env-deactivate.yaml
@@ -25,6 +25,9 @@ on:
KS_NOTIFY_MATTERMOST_WEBHOOK_URL:
required: false

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: Deactivate Pipeline ♻️
@@ -71,12 +74,19 @@ jobs:
env: ${{ steps.deployment-vars.outputs.deployment-name }}
desc: Deployment was pruned

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- name: Clean review sub environment
uses: socialgouv/deployments@v1
continue-on-error: true
with:
step: delete-env
token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
token: ${{ steps.token.outputs.token }}
env: ${{ steps.deployment-vars.outputs.deployment-name }}
desc: Environment was pruned
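Review bot: The added "Get GitHub App Token" step has no `continue-on-error`, while the "Clean review sub environment" step it feeds is marked `continue-on-error: true`, so a token-bureau outage now fails the deactivation job where a cleanup failure used to be tolerated. If the best-effort behaviour is intended, give the token step `continue-on-error: true` and guard the cleanup with `if: steps.token.outputs.token != ''`. use-ks-gh-deactivate.yaml has the same step order. Steps after the hunk are not visible, so whether anything later depends on this job succeeding is unknown.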

14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-with-env-preproduction.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy PreProd on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: preproduction
github-env-enabled: true

@@ -50,7 +60,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-with-env-production.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Production on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: production
github-env-enabled: true

@@ -50,7 +60,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-with-env-review-auto.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: review
github-env-enabled: true

@@ -50,7 +60,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name:
14 changes: 12 additions & 2 deletions .github/workflows/use-ks-gh-with-env-review.yaml
@@ -15,6 +15,9 @@ on:
required: false
type: string

permissions:
id-token: write # Required for OIDC token generation

jobs:
deploy:
name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get GitHub App Token
id: token
uses: SocialGouv/token-bureau@main
with:
token-bureau-url: http://token-bureau.fabrique.social.gouv.fr
audience: socialgouv

- uses: socialgouv/workflows/actions/deployment-starting@v1
id: deployment-starting
with:
token: ${{ secrets.GITHUB_TOKEN }}
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
environment-scope: review
github-env-enabled: true

@@ -50,7 +60,7 @@ jobs:
- uses: socialgouv/workflows/actions/deployment-ending@v1
id: deployment-ending
with:
pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
pat: ${{ steps.token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
deployment-name: