👷 [RUM-11361] Replace github PAT by using dd octo (#3725)

Author: amortemousque

.gitlab-ci.yml

@@ -1,7 +1,7 @@
 variables:
   CURRENT_STAGING: staging-34
   APP: 'browser-sdk'
-  CURRENT_CI_IMAGE: 87
+  CURRENT_CI_IMAGE: 88
   BUILD_STABLE_REGISTRY: 'registry.ddbuild.io'
   CI_IMAGE: '$BUILD_STABLE_REGISTRY/ci/$APP:$CURRENT_CI_IMAGE'
   GIT_REPOSITORY: '[email protected]:DataDog/browser-sdk.git'
@@ -33,6 +33,9 @@ stages:
   tags:
     - 'arch:amd64'
   image: $CI_IMAGE
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
   retry:
     max: 2
     when:

Dockerfile

@@ -7,28 +7,28 @@ RUN test -n "$CHROME_PACKAGE_VERSION" || (echo "\nCHROME_PACKAGE_VERSION not set
 
 # Install Chrome deps
 RUN apt-get update && apt-get install -y -q --no-install-recommends \
-        libgcc-s1 \
-        libgtk-3-dev \
-        libx11-xcb1  \
-        libnss3 \
-        libxss1 \
-        libasound2 \
-        libu2f-udev \
-        libvulkan1 \
-        fonts-liberation \
-        libappindicator3-1 \
-        lsb-release \
-        xdg-utils \
-        curl \
-        ca-certificates \
-        wget \
-        zip
+  libgcc-s1 \
+  libgtk-3-dev \
+  libx11-xcb1  \
+  libnss3 \
+  libxss1 \
+  libasound2 \
+  libu2f-udev \
+  libvulkan1 \
+  fonts-liberation \
+  libappindicator3-1 \
+  lsb-release \
+  xdg-utils \
+  curl \
+  ca-certificates \
+  wget \
+  zip
 
 # Download and install Chrome
 # Debian taken from https://www.ubuntuupdates.org/package/google_chrome/stable/main/base/google-chrome-stable
 RUN curl --silent --show-error --fail http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${CHROME_PACKAGE_VERSION}_amd64.deb --output google-chrome.deb \
-    && dpkg -i google-chrome.deb \
-    && rm google-chrome.deb
+  && dpkg -i google-chrome.deb \
+  && rm google-chrome.deb
 
 
 # Install AWS cli
@@ -51,6 +51,11 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o
   && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
   && apt-get update && apt-get install -y -q gh
 
+# DD Octo STS to get security token
+COPY --from=registry.ddbuild.io/dd-octo-sts:v1.8.1@sha256:eb2895829cdcb1f41cc4fc9d1f3f329c7d8f6fa72b0e8bb915d8195717e02bfa /usr/local/bin/dd-octo-sts /usr/local/bin/dd-octo-sts
+
+RUN apt-get update && apt-get install -y jq
+
 # Webdriverio deps
 RUN mkdir -p /usr/share/man/man1
 

scripts/lib/gitUtils.ts

@@ -1,7 +1,13 @@
 import os from 'os'
 import fs from 'fs'
 import { command } from './command.ts'
-import { getGithubDeployKey, getGithubAccessToken } from './secrets.ts'
+import {
+  getGithubDeployKey,
+  getGithubReadToken,
+  getGithubReleaseToken,
+  getGithubPullRequestToken,
+  revokeGithubToken,
+} from './secrets.ts'
 import { fetchHandlingError } from './executionUtils.ts'
 
 interface GitHubPR {
@@ -24,7 +30,7 @@ interface GitHubReleaseParams {
 }
 
 export async function fetchPR(localBranch: string): Promise<GitHubPR | null> {
-  const pr = await callGitHubApi<GitHubPR[]>('GET', `pulls?head=DataDog:${localBranch}`)
+  const pr = await callGitHubApi<GitHubPR[]>('GET', `pulls?head=DataDog:${localBranch}`, getGithubReadToken())
   if (pr && pr.length > 1) {
     throw new Error('Multiple pull requests found for the branch')
   }
@@ -40,31 +46,40 @@ export async function fetchPR(localBranch: string): Promise<GitHubPR | null> {
  */
 export async function createGitHubRelease({ version, body }: GitHubReleaseParams): Promise<GitHubRelease> {
   try {
-    await callGitHubApi('GET', `releases/tags/${version}`)
+    await callGitHubApi('GET', `releases/tags/${version}`, getGithubReadToken())
     throw new Error(`Release ${version} already exists`)
   } catch (error) {
     if ((error as any).status !== 404) {
       throw error
     }
   }
 
-  return callGitHubApi('POST', 'releases', {
+  // content write
+  return callGitHubApi<GitHubRelease>('POST', 'releases', getGithubReleaseToken(), {
     tag_name: version,
     name: version,
     body,
   })
 }
 
-async function callGitHubApi<T>(method: string, path: string, body?: any): Promise<T> {
-  const response = await fetchHandlingError(`https://api.github.com/repos/DataDog/browser-sdk/${path}`, {
-    method,
-    headers: {
-      Authorization: `token ${getGithubAccessToken()}`,
-      'X-GitHub-Api-Version': '2022-11-28',
-    },
-    body: body ? JSON.stringify(body) : undefined,
-  })
-  return response.json() as Promise<T>
+export async function getPrComments(prNumber: number): Promise<Array<{ id: number; body: string }>> {
+  const response = await callGitHubApi<Array<{ id: number; body: string }>>(
+    'GET',
+    `issues/${prNumber}/comments`,
+    getGithubReadToken()
+  )
+  return response
+}
+
+export function createPullRequest(mainBranch: string) {
+  const token = getGithubPullRequestToken()
+  try {
+    command`gh auth login --with-token`.withInput(token).run()
+    const pullRequestUrl = command`gh pr create --fill --base ${mainBranch}`.run()
+    return pullRequestUrl.trim()
+  } finally {
+    revokeGithubToken(token)
+  }
 }
 
 export function getLastCommonCommit(baseBranch: string): string {
@@ -92,5 +107,20 @@ export function initGitConfig(repository: string): void {
   command`git config user.name ci.browser-sdk`.run()
   command`git remote set-url origin ${repository}`.run()
 }
-
 export const LOCAL_BRANCH = process.env.CI_COMMIT_REF_NAME
+
+async function callGitHubApi<T>(method: string, path: string, token: string, body?: any): Promise<T> {
+  try {
+    const response = await fetchHandlingError(`https://api.github.com/repos/DataDog/browser-sdk/${path}`, {
+      method,
+      headers: {
+        Authorization: `token ${token}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+      body: body ? JSON.stringify(body) : undefined,
+    })
+    return (await response.json()) as Promise<T>
+  } finally {
+    revokeGithubToken(token)
+  }
+}

scripts/lib/secrets.ts

@@ -4,8 +4,26 @@ export function getGithubDeployKey(): string {
   return getSecretKey('ci.browser-sdk.github_deploy_key')
 }
 
-export function getGithubAccessToken(): string {
-  return getSecretKey('ci.browser-sdk.github_access_token')
+/**
+ * This token is scoped to main branch only.
+ */
+export function getGithubPullRequestToken(): string {
+  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.pull_request`.run().trim()
+}
+
+/**
+ * This token is scoped to tags only.
+ */
+export function getGithubReleaseToken(): string {
+  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.release`.run().trim()
+}
+
+export function getGithubReadToken(): string {
+  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.read`.run().trim()
+}
+
+export function revokeGithubToken(token: string): string {
+  return command`dd-octo-sts revoke --token ${token}`.run().trim()
 }
 
 export function getOrg2ApiKey(): string {

scripts/performance/lib/reportAsAPrComment.ts

@@ -1,8 +1,7 @@
 import { command } from '../../lib/command.ts'
 import { formatSize } from '../../lib/computeBundleSize.ts'
 import { fetchHandlingError } from '../../lib/executionUtils.ts'
-import { LOCAL_BRANCH, getLastCommonCommit, fetchPR } from '../../lib/gitUtils.ts'
-import { getGithubAccessToken } from '../../lib/secrets.ts'
+import { LOCAL_BRANCH, getLastCommonCommit, fetchPR, getPrComments } from '../../lib/gitUtils.ts'
 import { fetchPerformanceMetrics } from './fetchPerformanceMetrics.ts'
 
 const PR_COMMENT_HEADER = 'Bundles Sizes Evolution'
@@ -104,16 +103,8 @@ function compare(
 }
 
 async function retrieveExistingCommentId(prNumber: number): Promise<number | undefined> {
-  const response = await fetchHandlingError(
-    `https://api.github.com/repos/DataDog/browser-sdk/issues/${prNumber}/comments`,
-    {
-      method: 'GET',
-      headers: {
-        Authorization: `token ${getGithubAccessToken()}`,
-      },
-    }
-  )
-  const comments = (await response.json()) as Array<{ id: number; body: string }>
+  const comments = await getPrComments(prNumber)
+
   const targetComment = comments.find((comment) => comment.body.startsWith(`## ${PR_COMMENT_HEADER}`))
   if (targetComment !== undefined) {
     return targetComment.id

scripts/test/bump-chrome-version.ts

@@ -2,8 +2,7 @@ import fs from 'node:fs'
 import { printLog, runMain, fetchHandlingError } from '../lib/executionUtils.ts'
 import { command } from '../lib/command.ts'
 import { CI_FILE, replaceCiFileVariable } from '../lib/filesUtils.ts'
-import { initGitConfig } from '../lib/gitUtils.ts'
-import { getGithubAccessToken } from '../lib/secrets.ts'
+import { initGitConfig, createPullRequest } from '../lib/gitUtils.ts'
 
 const REPOSITORY = process.env.GIT_REPOSITORY
 const MAIN_BRANCH = process.env.MAIN_BRANCH
@@ -56,7 +55,7 @@ runMain(async () => {
 
   printLog('Create PR...')
 
-  const pullRequestUrl = createPullRequest()
+  const pullRequestUrl = createPullRequest(MAIN_BRANCH)
   printLog(`Chrome version bump PR created (from ${CURRENT_PACKAGE_VERSION} to ${packageVersion}).`)
 
   // used to share the pull request url to the notification jobs
@@ -77,9 +76,3 @@ function getMajor(version: string): number {
 
   return Number(major)
 }
-
-function createPullRequest(): string {
-  command`gh auth login --with-token`.withInput(getGithubAccessToken()).run()
-  const pullRequestUrl = command`gh pr create --fill --base ${MAIN_BRANCH}`.run()
-  return pullRequestUrl.trim()
-}