Docker Phase 4: GH_TOKEN -> GitHub App token (workflows)#381
Draft
ihalatci wants to merge 1 commit into
Conversation
Mint a GitHub App token in update_version.yml and export it to the job environment (GH_TOKEN/GITHUB_TOKEN) so the update_docker --pipeline PR creation runs under the citusdata GitHub App instead of the org PAT. Top-level GH_TOKEN secret is intentionally retained for zero-downtime (removed only in Phase 6). The 4 publish workflows use DockerHub creds only and need no change. Matches the proven pattern in citusdata/packaging update-pgxn-version.yml. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Docker Phase 4: org PAT (`GH_TOKEN`) -> GitHub App token

Part of the org-wide CI migration off the org PAT `GH_TOKEN` to a GitHub App token. Docker is the last repo still on the PAT for its write-path workflow.

What changed

Only `.github/workflows/update_version.yml` references the org PAT, so it is the only file changed. Two steps were added after checkout:

- `actions/create-github-app-token@v3` (`app-id: vars.GH_APP_ID`, `private-key: secrets.GH_APP_KEY`, `owner: citusdata`).
- Export the token to `$GITHUB_ENV` as both `GH_TOKEN` and `GITHUB_TOKEN` so downstream steps/scripts consume it.

The existing `--gh_token "${GH_TOKEN}"` argument to `update_docker` is unchanged - it now resolves to the app token at runtime.

`update_docker --pipeline` does `git push` + opens a PR via `create_pr(gh_token, ...)`; the PR is now created under the GitHub App (so it can trigger downstream workflows and uses the app install `contents:write` + `pull_requests:write`). The branch push continues under the checkout default `GITHUB_TOKEN` (the workflow already grants `contents: write`), matching the proven sibling pattern.

Zero-downtime / scope

- Top-level `GH_TOKEN: secrets.GH_TOKEN` is intentionally retained (removed only in Phase 6).
- The 4 publish workflows (`publish_docker_images_*`) use DockerHub creds only - no change needed.
- The `v0.8.36` pin is a separate convergence PR (Pin tools to v0.8.36 to fix Citus docker publish pipeline (gated — do not merge yet) #380).
- Matches `citusdata/packaging` `update-pgxn-version.yml` (same `update_*` `--gh_token --pipeline` module family).

Notes

- `master`; diff is purely additive (+13 lines, the two new steps). Independent of Pin tools to v0.8.36 to fix Citus docker publish pipeline (gated — do not merge yet) #380 - different lines in the same file, no overlap.

Push permission (verified)

`update_version.yml` sets an explicit workflow-level `permissions:` block with `contents: write`. An explicit block overrides the repo/org default token permissions, so the default `GITHUB_TOKEN` reliably has `contents: write` for the `git push` step regardless of restrictive defaults. PR creation uses the app token's own `pull_requests:write` (from the install), not the default token — so no `pull-requests` scope is needed in this block.
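The workflow shape the PR describes (mint an installation token, export it under both names, keep the explicit `permissions:` block and the retained PAT secret), written out as an added illustration. This is not the PR's diff or the repository's actual `update_version.yml`: the action, its inputs, the variable and secret names and the permissions block come from the PR text, while the trigger, job name, step ids, the checkout version and the exact `update_docker` invocation are assumptions.

```yaml
# Added illustration, not the PR's diff: a minimal update_version.yml shaped
# like the change described above. Trigger, job name, step ids, checkout
# version and the update_docker command line are assumptions.
name: update_version

on:
  workflow_dispatch:   # assumed trigger

# Explicit workflow-level block: it overrides the repo/org default token
# permissions, so the default GITHUB_TOKEN used by checkout reliably has
# contents: write for the git push step. No pull-requests scope is needed
# here because PR creation uses the app token's own pull_requests:write
# granted on the app installation.
permissions:
  contents: write

env:
  # Top-level org PAT, retained for zero-downtime during the migration
  # (removed in Phase 6). The exported app token replaces it at runtime.
  GH_TOKEN: ${{ secrets.GH_TOKEN }}

jobs:
  update-version:          # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # version assumed

      # Step 1: mint a short-lived installation token for the citusdata app.
      # Scope is whatever the installation grants (contents:write +
      # pull_requests:write per the PR), not the broad scope of an org PAT.
      - name: Mint GitHub App token
        id: app-token        # assumed step id
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ vars.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_KEY }}
          owner: citusdata

      # Step 2: export the token to the job environment under both names so
      # the unchanged --gh_token "${GH_TOKEN}" argument and any tooling that
      # reads GITHUB_TOKEN resolve to the app token. Note that anything in
      # $GITHUB_ENV is visible to every later step of this job.
      - name: Export app token to job env
        run: |
          {
            echo "GH_TOKEN=${{ steps.app-token.outputs.token }}"
            echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}"
          } >> "$GITHUB_ENV"

      # Existing step (invocation assumed): git push goes out under the
      # checkout credentials; the PR is now opened under the GitHub App.
      - name: Update Docker version and open PR
        run: update_docker --pipeline --gh_token "${GH_TOKEN}"
```

The point worth checking when reviewing a change like this is the one the PR calls out: the token exported to `$GITHUB_ENV` carries only the app installation's permissions and expires on its own, whereas the retained top-level `GH_TOKEN` is still a long-lived PAT until Phase 6 removes it, so any step that runs before the export step still sees the PAT.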