diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index c002bdb33..720783c0a 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -30,19 +30,19 @@ jobs:
 with:
 role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
 aws-region: us-west-2
- # Retrieve the Access Token from Secrets Manager
- - name: Retrieve secret from AWS Secrets Manager
+ # Retrieve the per-repo deploy key + FG PAT from Secrets Manager
+ - name: Retrieve secrets from AWS Secrets Manager
 uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa #v3.0.0
 with:
 secret-ids: |
- AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
- parse-json-secrets: true
- # Checkout a full clone of the repo
+ DEPLOY_KEY, prod/devops/aws-lambda-dotnet-deploy-key
+ FG_PAT, prod/devops/aws-lambda-dotnet-fg-pat
+ # Checkout a full clone of the repo using the deploy key (push runs over SSH)
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: "0"
- token: ${{ env.AWS_SECRET_TOKEN }}
+ ssh-key: ${{ env.DEPLOY_KEY }}
 # Install .NET9 which is needed for AutoVer
 - name: Setup .NET 9.0
 uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
@@ -116,7 +116,7 @@ jobs:
 # Create the Release PR and label it
 - name: Create Pull Request
 env:
- GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
+ GITHUB_TOKEN: ${{ env.FG_PAT }}
 run: |
 pr_url="$(gh pr create --title "${{ steps.read-release-name.outputs.VERSION }}" --body "${{ steps.read-changelog.outputs.CHANGELOG }}" --base dev --head ${{ steps.create-release-branch.outputs.BRANCH }})"
 gh label create "Release PR" --description "A Release PR that includes versioning and changelog changes" -c "#FF0000" -f
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml
index c4a72f2f7..ae1f6e923 100644
--- a/.github/workflows/sync-master-dev.yml
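Review bot: The `DEPLOY_KEY` and `FG_PAT` values fetched by aws-secretsmanager-get-secrets are exported into the job environment, so every later step in this job — including the third-party setup-dotnet action and any script after it — can read the private key and the PAT, not only the Checkout and Create Pull Request steps that consume them; the same applies to the matching hunk in sync-master-dev.yml. Dropping `parse-json-secrets: true` is correct only if both secrets are stored as plain strings rather than JSON, which is worth confirming, since a JSON blob would otherwise be handed to actions/checkout verbatim as the SSH key. actions/checkout also persists the key into the checkout's git config by default (`persist-credentials` is not set) so that the later push can use it, which the new comment should say: `# Checkout a full clone of the repo using the deploy key; checkout persists it in the repo's git config so later steps can push over SSH`. Consider keeping the deploy key write-scoped to this one repository and the fine-grained PAT limited to the pull-request/contents permissions the gh calls need, and note that the secret IDs are now hard-coded in both workflows where the old version resolved the name from `secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME`.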
+++ b/.github/workflows/sync-master-dev.yml
@@ -30,20 +30,20 @@ jobs:
 with:
 role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
 aws-region: us-west-2
- # Retrieve the Access Token from Secrets Manager
- - name: Retrieve secret from AWS Secrets Manager
+ # Retrieve the per-repo deploy key + FG PAT from Secrets Manager
+ - name: Retrieve secrets from AWS Secrets Manager
 uses: aws-actions/aws-secretsmanager-get-secrets@3a411b6ec5cace3d626412dd917e7bfeac242cfa #v3.0.0
 with:
 secret-ids: |
- AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
- parse-json-secrets: true
- # Checkout a full clone of the repo
+ DEPLOY_KEY, prod/devops/aws-lambda-dotnet-deploy-key
+ FG_PAT, prod/devops/aws-lambda-dotnet-fg-pat
+ # Checkout a full clone of the repo using the deploy key (push runs over SSH)
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: dev
 fetch-depth: 0
- token: ${{ env.AWS_SECRET_TOKEN }}
+ ssh-key: ${{ env.DEPLOY_KEY }}
 # Install .NET9 which is needed for AutoVer
 - name: Setup .NET 9.0
 uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
@@ -95,7 +95,7 @@ jobs:
 # Create the GitHub Release
 - name: Create GitHub Release
 env:
- GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
+ GITHUB_TOKEN: ${{ env.FG_PAT }}
 run: |
 gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}"
 # Delete the `releases/next-release` branch
@@ -119,7 +119,7 @@ jobs:
 github.event.pull_request.base.ref == 'dev'
 runs-on: ubuntu-latest
 steps:
- # Checkout a full clone of the repo
+ # Checkout a full clone of the repo using the deploy key (push runs over SSH)
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
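Review bot: In the hunk at `@@ -119,7 +119,7 @@` only the comment changes to say the checkout uses the deploy key, but no `ssh-key:` line is added under the `with:` that closes the hunk, unlike the two earlier hunks where the same comment change is paired with `ssh-key: ${{ env.DEPLOY_KEY }}`. The contents of that `with:` block lie outside the hunk, so if this job's Checkout still authenticates with a token, or with none, the comment is now misleading; either add the `ssh-key:` input here as well, together with the secrets-retrieval step it would depend on, or revert the comment to describe what the step actually does. The Checkout step's body continues past the end of this hunk.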