diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index e7befea26f..08efeef38f 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -3,6 +3,7 @@ on:
 issues:
 types:
 - opened, milestoned
+
 permissions:
 contents: read
@@ -11,9 +12,21 @@ jobs:
 if: github.event.issue && github.event.issue.milestone
 runs-on: ubuntu-latest
 steps:
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "organization_projects": "write",
+ "issues": "read"
+ }
+
 - name: Get project data
 env:
- GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 TEAM: Java
 ORGANIZATION: elastic
 PROJECT_NUMBER: 595
@@ -49,7 +62,7 @@ jobs:
 - name: Add issue to project
 env:
- GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 ISSUE_ID: ${{ github.event.issue.node_id }}
 run: |
 item_id="$( gh api graphql -f query='
@@ -65,7 +78,7 @@ jobs:
 - name: Set fields
 env:
- GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 run: |
 gh api graphql -f query='
 mutation (
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 8c4d1068ab..0bd0bf20f4 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
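Review bot: In addToProject.yml, the added `Get token` step narrows the app token with `permissions` but sets no repository restriction, so, if I read this action's defaults correctly, the token is valid for every repository the app installation can reach. The job only acts on the triggering issue and the org project, so consider also setting the action's `repositories` input to this repository alone. A short comment above `permissions:` such as `# least privilege: project write to add/update the item, issues read to resolve the issue` would keep the scopes from being widened without a reason later. The `Add issue to project` and `Set fields` hunks below reuse the same token, so the point covers them too.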
@@ -24,12 +24,27 @@ jobs:
 repo: context.repo.repo,
 labels: ["agent-java"]
 })
+
+ - name: Get token
+ id: get_token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ with:
+ app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+ private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+ permissions: >-
+ {
+ "members": "read",
+ "organization_projects": "write",
+ "issues": "read"
+ }
+
 - id: is_elastic_member
 uses: elastic/oblt-actions/github/is-member-of@v1
 with:
 github-org: "elastic"
 github-user: ${{ github.actor }}
- github-token: ${{ secrets.APM_TECH_USER_TOKEN }}
+ github-token: ${{ steps.get_token.outputs.token }}
+
 - name: Add community and triage lables
 if: contains(steps.is_elastic_member.outputs.result, 'false') && github.actor != 'dependabot[bot]' && github.actor != 'elastic-renovate-prod[bot]'
 uses: actions/github-script@v7
@@ -56,7 +71,7 @@ jobs:
 uses: elastic/assign-one-project-github-action@1.2.2
 if: contains(steps.is_elastic_member.outputs.result, 'true') && github.event.pull_request
 env:
- MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+ MY_GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
 with:
 project: 'https://github.com/orgs/elastic/projects/454'
 project_id: '5882982'
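Review bot: The one token minted by `Get token` in labeler.yml carries `organization_projects: write`, yet it is created with no `if:` before the membership check and is first handed to `is_elastic_member`, which judging by its inputs only needs `members: read`. That means the write-capable token also exists on runs for non-member contributors, where only the labelling path is taken. Splitting it into a `members: read` token for the check and a second token minted only under the member condition would keep each consumer at least privilege, assuming the project step does not itself need `members`. The workflow trigger is outside this hunk; if it runs with secrets for fork pull requests, this ordering matters more.

```yaml
      - name: Get membership token
        id: get_member_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
          permissions: >-
            {
              "members": "read"
            }

      - id: is_elastic_member
        # … unchanged: uses, github-org, github-user …
        with:
          github-token: ${{ steps.get_member_token.outputs.token }}

      # … unchanged: community and triage label step …

      - name: Get project token
        id: get_project_token
        if: contains(steps.is_elastic_member.outputs.result, 'true') && github.event.pull_request
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
          permissions: >-
            {
              "organization_projects": "write",
              "issues": "read"
            }
```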
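Review bot: `MY_GITHUB_TOKEN` now passes an app token with `organization_projects: write` to `elastic/assign-one-project-github-action@1.2.2`, which is referenced by a mutable tag, while the token-minting action added in this same commit is pinned to a full commit SHA. Pinning the consumer the same way, `uses: elastic/assign-one-project-github-action@<full-commit-sha> # 1.2.2`, fixes the code that receives the token. The same applies to `elastic/oblt-actions/github/is-member-of@v1` in the previous hunk. The step's opening lines are outside this hunk.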