♻️ use exclicit resource management for octo tokens (#3790)

Author: BenoitZugmeyer

scripts/lib/gitUtils.ts

@@ -6,7 +6,7 @@ import {
   getGithubReadToken,
   getGithubReleaseToken,
   getGithubPullRequestToken,
-  revokeGithubToken,
+  type OctoStsToken,
 } from './secrets.ts'
 import { fetchHandlingError } from './executionUtils.ts'
 
@@ -30,7 +30,8 @@ interface GitHubReleaseParams {
 }
 
 export async function fetchPR(localBranch: string): Promise<GitHubPR | null> {
-  const pr = await callGitHubApi<GitHubPR[]>('GET', `pulls?head=DataDog:${localBranch}`, getGithubReadToken())
+  using readToken = getGithubReadToken()
+  const pr = await callGitHubApi<GitHubPR[]>('GET', `pulls?head=DataDog:${localBranch}`, readToken)
   if (pr && pr.length > 1) {
     throw new Error('Multiple pull requests found for the branch')
   }
@@ -45,8 +46,9 @@ export async function fetchPR(localBranch: string): Promise<GitHubPR | null> {
  * @param params.body - The body of the release.
  */
 export async function createGitHubRelease({ version, body }: GitHubReleaseParams): Promise<GitHubRelease> {
+  using readToken = getGithubReadToken()
   try {
-    await callGitHubApi('GET', `releases/tags/${version}`, getGithubReadToken())
+    await callGitHubApi('GET', `releases/tags/${version}`, readToken)
     throw new Error(`Release ${version} already exists`)
   } catch (error) {
     if ((error as any).status !== 404) {
@@ -55,31 +57,29 @@ export async function createGitHubRelease({ version, body }: GitHubReleaseParams
   }
 
   // content write
-  return callGitHubApi<GitHubRelease>('POST', 'releases', getGithubReleaseToken(), {
+  using releaseToken = getGithubReleaseToken()
+  return callGitHubApi<GitHubRelease>('POST', 'releases', releaseToken, {
     tag_name: version,
     name: version,
     body,
   })
 }
 
 export async function getPrComments(prNumber: number): Promise<Array<{ id: number; body: string }>> {
+  using readToken = getGithubReadToken()
   const response = await callGitHubApi<Array<{ id: number; body: string }>>(
     'GET',
     `issues/${prNumber}/comments`,
-    getGithubReadToken()
+    readToken
   )
   return response
 }
 
 export function createPullRequest(mainBranch: string) {
-  const token = getGithubPullRequestToken()
-  try {
-    command`gh auth login --with-token`.withInput(token).run()
-    const pullRequestUrl = command`gh pr create --fill --base ${mainBranch}`.run()
-    return pullRequestUrl.trim()
-  } finally {
-    revokeGithubToken(token)
-  }
+  using token = getGithubPullRequestToken()
+  command`gh auth login --with-token`.withInput(token.value).run()
+  const pullRequestUrl = command`gh pr create --fill --base ${mainBranch}`.run()
+  return pullRequestUrl.trim()
 }
 
 export function getLastCommonCommit(baseBranch: string): string {
@@ -109,18 +109,14 @@ export function initGitConfig(repository: string): void {
 }
 export const LOCAL_BRANCH = process.env.CI_COMMIT_REF_NAME
 
-async function callGitHubApi<T>(method: string, path: string, token: string, body?: any): Promise<T> {
-  try {
-    const response = await fetchHandlingError(`https://api.github.com/repos/DataDog/browser-sdk/${path}`, {
-      method,
-      headers: {
-        Authorization: `token ${token}`,
-        'X-GitHub-Api-Version': '2022-11-28',
-      },
-      body: body ? JSON.stringify(body) : undefined,
-    })
-    return (await response.json()) as Promise<T>
-  } finally {
-    revokeGithubToken(token)
-  }
+async function callGitHubApi<T>(method: string, path: string, token: OctoStsToken, body?: any): Promise<T> {
+  const response = await fetchHandlingError(`https://api.github.com/repos/DataDog/browser-sdk/${path}`, {
+    method,
+    headers: {
+      Authorization: `token ${token.value}`,
+      'X-GitHub-Api-Version': '2022-11-28',
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  })
+  return (await response.json()) as Promise<T>
 }

scripts/lib/secrets.ts

@@ -4,26 +4,34 @@ export function getGithubDeployKey(): string {
   return getSecretKey('ci.browser-sdk.github_deploy_key')
 }
 
+export class OctoStsToken {
+  readonly value: string
+
+  constructor(name: string) {
+    this.value = command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.${name}`.run().trim()
+  }
+
+  [Symbol.dispose]() {
+    command`dd-octo-sts revoke --token ${this.value}`.run()
+  }
+}
+
 /**
  * This token is scoped to main branch only.
  */
-export function getGithubPullRequestToken(): string {
-  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.pull_request`.run().trim()
+export function getGithubPullRequestToken() {
+  return new OctoStsToken('pull_request')
 }
 
 /**
  * This token is scoped to tags only.
  */
-export function getGithubReleaseToken(): string {
-  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.release`.run().trim()
-}
-
-export function getGithubReadToken(): string {
-  return command`dd-octo-sts token --scope DataDog/browser-sdk --policy self.gitlab.read`.run().trim()
+export function getGithubReleaseToken() {
+  return new OctoStsToken('release')
 }
 
-export function revokeGithubToken(token: string): string {
-  return command`dd-octo-sts revoke --token ${token}`.run().trim()
+export function getGithubReadToken() {
+  return new OctoStsToken('read')
 }
 
 export function getOrg2ApiKey(): string {