ci: update the token used in the CI workflows (#520)

galargh · web-flow · commit ca236666d528 · 2024-12-09T17:48:13.000+01:00
* chore: disable staging/production locking
* chore: update the github tokens used in the repo
diff --git a/.github/workflows/deploy-to-production.yml b/.github/workflows/deploy-to-production.yml
@@ -16,6 +16,5 @@ jobs:
     with:
       tag: ${{ inputs.tag }}
       environment: production
-      lock: true
     secrets:
-      DEPLOYMENT_GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
+      DEPLOYMENT_GITHUB_TOKEN: ${{ secrets.UCI_GITHUB_TOKEN }}
diff --git a/.github/workflows/deploy-to-staging.yml b/.github/workflows/deploy-to-staging.yml
@@ -16,7 +16,5 @@ jobs:
     with:
       tag: ${{ inputs.tag }}
       environment: staging
-      lock: true
     secrets:
-      DEPLOYMENT_GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
-
+      DEPLOYMENT_GITHUB_TOKEN: ${{ secrets.UCI_GITHUB_TOKEN }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -11,16 +11,10 @@ on:
         description: 'Environment to deploy to'
         required: true
         type: string
-      lock:
-        description: 'Lock environment branch after deployment'
-        required: false
-        type: boolean
-        default: false
     secrets:
       DEPLOYMENT_GITHUB_TOKEN:
         description: |
           A GitHub token with the following permissions:
-          administration: write (optional; to be able to lock the environment branch)
           contents: write (required; to be able to push to the environment branch)
           workflows: write (required; to be able to modify .github/workflows)
         required: true
@@ -29,7 +23,7 @@ permissions: {}
 
 jobs:
   deploy:
-    name: Deploy
+    name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }}
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     steps:
@@ -59,34 +53,7 @@ jobs:
         env:
           TAG: ${{ inputs.tag }}
         run: git reset --hard $TAG
-      # TODO: Use repository rule sets instead of branch protection rules
-      - name: Unlock environment branch
-        if: inputs.lock == true
-        env:
-          ENVIRONMENT: ${{ inputs.environment }}
-          GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
-        run: |
-          gh api --method PUT /repos/$GITHUB_REPOSITORY/branches/$ENVIRONMENT/protection \
-            -F required_status_checks=null \
-            -F enforce_admins=true \
-            -F required_pull_request_reviews=null \
-            -F restrictions=null \
-            -F allow_force_pushes=true \
-            -F lock_branch=false
       - name: Force push environment branch
         env:
           ENVIRONMENT: ${{ inputs.environment }}
         run: git push -f origin $ENVIRONMENT
-      - name: Lock environment branch
-        if: inputs.lock == true
-        env:
-          ENVIRONMENT: ${{ inputs.environment }}
-          GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
-        run: |
-          gh api --method PUT /repos/$GITHUB_REPOSITORY/branches/$ENVIRONMENT/protection \
-            -F required_status_checks=null \
-            -F enforce_admins=true \
-            -F required_pull_request_reviews=null \
-            -F restrictions=null \
-            -F allow_force_pushes=false \
-            -F lock_branch=true
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -178,4 +178,4 @@ jobs:
           release-type: node
           # Use a token for creating the release-pr and git tags so that the `deploy` workflow can be triggered by them
           # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs and https://github.com/orgs/community/discussions/27028 for more information
-          token: ${{ secrets.SGTPOOKI_PAT }}
+          token: ${{ secrets.UCI_GITHUB_TOKEN }}
