github-actions: use GH app to manage the projects (#3829)

v1v · web-flow · commit 6dcd5e841eb6 · 2024-10-08T17:30:37.000+02:00
diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
@@ -3,6 +3,7 @@ on:
   issues:
     types:
       - opened, milestoned
+
 permissions:
   contents: read
 
@@ -11,9 +12,21 @@ jobs:
     if: github.event.issue && github.event.issue.milestone
     runs-on: ubuntu-latest
     steps:
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "organization_projects": "write",
+              "issues": "read"
+            }
+
       - name: Get project data
         env:
-          GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
           TEAM: Java
           ORGANIZATION: elastic
           PROJECT_NUMBER: 595
@@ -49,7 +62,7 @@ jobs:
         
       - name: Add issue to project
         env:
-          GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
           ISSUE_ID: ${{ github.event.issue.node_id }}
         run: |
           item_id="$( gh api graphql -f query='
@@ -65,7 +78,7 @@ jobs:
 
       - name: Set fields
         env:
-          GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
         run: |
           gh api graphql -f query='
             mutation (
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -24,12 +24,27 @@ jobs:
             repo: context.repo.repo,
             labels: ["agent-java"]
           })
+
+    - name: Get token
+      id: get_token
+      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      with:
+        app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+        private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+        permissions: >-
+          {
+            "members": "read",
+            "organization_projects": "write",
+            "issues": "read"
+          }
+
     - id: is_elastic_member
       uses: elastic/oblt-actions/github/is-member-of@v1
       with:
         github-org: "elastic"
         github-user: ${{ github.actor }}
-        github-token: ${{ secrets.APM_TECH_USER_TOKEN }}
+        github-token: ${{ steps.get_token.outputs.token }}
+
     - name: Add community and triage lables
       if: contains(steps.is_elastic_member.outputs.result, 'false') && github.actor != 'dependabot[bot]' && github.actor != 'elastic-renovate-prod[bot]'
       uses: actions/github-script@v7
@@ -56,7 +71,7 @@ jobs:
       uses: elastic/assign-one-project-github-action@1.2.2
       if: contains(steps.is_elastic_member.outputs.result, 'true') && github.event.pull_request
       env:
-        MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+        MY_GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
       with:
         project: 'https://github.com/orgs/elastic/projects/454'
         project_id: '5882982'
