Skip to content

Commit

Permalink
github-actions: use GitHub secrets (#39646)
Browse files Browse the repository at this point in the history
  • Loading branch information
v1v authored May 22, 2024
1 parent 5347b9c commit 4a67039
Show file tree
Hide file tree
Showing 3 changed files with 73 additions and 60 deletions.
40 changes: 30 additions & 10 deletions .github/workflows/bump-elastic-stack-snapshot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,22 +21,42 @@ jobs:

bump-elastic-stack:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
needs: [filter]
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.filter.outputs.matrix) }}
steps:
- uses: actions/checkout@v4

- uses: elastic/apm-pipeline-library/.github/actions/updatecli@current
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: .github/workflows/updatecli.d/bump-elastic-stack-snapshot.yml
values: .github/workflows/updatecli.d/scm.yml
command: '--experimental apply'
notifySlackChannel: "#ingest-notifications"
messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <${{ env.JOB_URL }}|here>"
- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@9a37c7e35598d7b37d8e7568b40ed9538112be01 # v0.76.1

- name: Run Updatecli in Apply mode
run: updatecli --experimental apply --config .github/workflows/updatecli.d/bump-elastic-stack-snapshot.yml --values .github/workflows/updatecli.d/scm.yml
env:
BRANCH: ${{ matrix.branch }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- if: ${{ failure() }}
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
channel-id: '#ingest-notifications'
payload: |
{
"text": "${{ env.SLACK_MESSAGE }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ env.SLACK_MESSAGE }}"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_MESSAGE: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>"
57 changes: 33 additions & 24 deletions .github/workflows/bump-golang.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,34 +10,43 @@ permissions:
contents: read

jobs:
bump-main:
bump:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
strategy:
fail-fast: false
matrix:
file: ['bump-golang.yml', 'bump-golang-7.17.yml']
steps:
- uses: actions/checkout@v4

- uses: elastic/apm-pipeline-library/.github/actions/updatecli@current
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: .github/workflows/updatecli.d/bump-golang.yml
values: .github/workflows/updatecli.d/scm.yml
command: '--experimental apply'
notifySlackChannel: "#ingest-notifications"
messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <${{ env.JOB_URL }}|here>"
- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@9a37c7e35598d7b37d8e7568b40ed9538112be01 # v0.76.1

bump-7-17:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Updatecli in Apply mode
run: updatecli --experimental apply --config .github/workflows/updatecli.d/${{ matrix.file }} --values .github/workflows/updatecli.d/scm.yml
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: elastic/apm-pipeline-library/.github/actions/updatecli@current
- if: ${{ failure() }}
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: .github/workflows/updatecli.d/bump-golang-7.17.yml
values: .github/workflows/updatecli.d/scm.yml
command: '--experimental apply'
notifySlackChannel: "#ingest-notifications"
messageIfFailure: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <${{ env.JOB_URL }}|here>"
channel-id: '#ingest-notifications'
payload: |
{
"text": "${{ env.SLACK_MESSAGE }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ env.SLACK_MESSAGE }}"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_MESSAGE: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, `@update-me-with-the-slack-team-to-be-poked` please look what's going on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>"
36 changes: 10 additions & 26 deletions .github/workflows/notify-stalled-snapshots.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ permissions:
contents: read

env:
EMAIL_VAULT_SECRET: secret/observability-team/ci/service-account/email-github-actions
EMAIL: [email protected]
URL_QUERY: 'https://github.com/elastic/beats/pulls?q=is%3Apr+is%3Aopen+label%3ATeam%3ABeats-On-Call'
JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
Expand Down Expand Up @@ -56,37 +55,22 @@ jobs:

- if: ${{ contains(steps.search.outputs.found, 'true') }}
name: Report obsoleted branches (slack)
uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
channel: "#ingest-notifications"
message: ":red_circle: Elastic Stack version for the `${{ matrix.branch }}` branch has not been updated for a while (`> 7 days`). Review the (<${{ env.URL_QUERY }}|open PRs>)"

- if: ${{ contains(steps.search.outputs.found, 'true') }}
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
method: approle
secrets: |
${{ env.EMAIL_VAULT_SECRET }} username | MAIL_USERNAME ;
${{ env.EMAIL_VAULT_SECRET }} app_token | MAIL_PASSWORD;
${{ env.EMAIL_VAULT_SECRET }} from | MAIL_FROM;
${{ env.EMAIL_VAULT_SECRET }} reply | MAIL_REPLY;
${{ env.EMAIL_VAULT_SECRET }} server | MAIL_SERVER
channel-id: '#ingest-notifications'
payload: ":red_circle: Elastic Stack version for the `${{ matrix.branch }}` branch has not been updated for a while (`> 7 days`). Review the (<${{ env.URL_QUERY }}|open PRs>)"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

- if: ${{ contains(steps.search.outputs.found, 'true') }}
name: Report obsoleted branches (email)
uses: dawidd6/action-send-mail@6063705cefe50cb915fc53bb06d4049cae2953b2
with:
server_address: ${{ env.MAIL_SERVER }}
username: ${{ env.MAIL_USERNAME }}
password: ${{ env.MAIL_PASSWORD }}
server_address: ${{ secrets.MAIL_SERVER }}
username: ${{ secrets.MAIL_USERNAME }}
password: ${{ secrets.MAIL_PASSWORD }}
subject: '[${{ matrix.branch }}] ${{ steps.date.outputs.date }}: Elastic Stack version has not been updated recently.'
to: ${{ env.EMAIL }}
from: ${{ env.MAIL_FROM }}
reply_to: ${{ env.MAIL_REPLY }}
from: ${{ secrets.MAIL_FROM }}
reply_to: ${{ secrets.MAIL_REPLY }}
body: 'Elastic Stack version for the ${{ matrix.branch }} branch has not been updated for a while (> 7 days). Review the open PRs in ${{ env.URL_QUERY }}. Generated automatically with ${{ env.JOB_URL }}'

0 comments on commit 4a67039

Please sign in to comment.