From d5f1858f7877fc149f5b4ec00ac12315cfddf3a9 Mon Sep 17 00:00:00 2001 From: Alexander Bayandin Date: Wed, 6 Sep 2023 16:50:59 +0100 Subject: [PATCH] approved-for-ci-run.yml: use different tokens (#5218) ## Problem `CI_ACCESS_TOKEN` has quite limited access (which is good), but this doesn't allow it to remove labels from PRs (which is bad) ## Summary of changes - Use `GITHUB_TOKEN` to remove labels - Use `CI_ACCESS_TOKEN` to create PRs --- .github/workflows/approved-for-ci-run.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/approved-for-ci-run.yml b/.github/workflows/approved-for-ci-run.yml index 256ab8b438..81955a602e 100644 --- a/.github/workflows/approved-for-ci-run.yml +++ b/.github/workflows/approved-for-ci-run.yml @@ -17,9 +17,11 @@ on: - labeled env: - GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number }} +permissions: write-all + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} @@ -60,14 +62,17 @@ jobs: - run: git push --force origin "ci-run/pr-${PR_NUMBER}" - name: Create a Pull Request for CI run (if required) + env: + GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }} run: | HEAD="ci-run/pr-${PR_NUMBER}" + BODY="This Pull Request was create automatically to run CI pipeline for #${PR_NUMBER}.\n\nPlease do not alter or merge/close it.\n\nFeel free to comment the original PR." - ALREADY_CREATED=$(gh pr --repo "${GITHUB_REPOSITORY}" list --head "${HEAD}" --base main --json number --jq '.[].number') + ALREADY_CREATED=$(gh pr --repo "${GITHUB_REPOSITORY}" list --head "${HEAD}" --base "main" --json "number" --jq '.[].number') if [ -z "${ALREADY_CREATED}" ]; then - gh pr --repo "${GITHUB_REPOSITORY}" create --title "[DO NOT MERGE] CI run for PR #${PR_NUMBER}" \ - --body "Ref #${PR_NUMBER}" \ + gh pr --repo "${GITHUB_REPOSITORY}" create --title "CI run for PR #${PR_NUMBER}" \ + --body "${BODY}" \ --head "${HEAD}" \ - --base main \ + --base "main" \ --draft fi