Use dynamically generated tokens for our public repo (#4102)

lucian-tosa · fealebenpae · commit 729bce3dc3ec · 2025-02-14T14:12:07.000+01:00
# Summary Our public repo didn't have a github app configured. Added one now so we need to use dynamically generated github tokens due to the ssh deprecation. ## Proof of Work https://spruce.mongodb.com/task/mongodb_enterprise_kubernetes_release_mcli_package_goreleaser_patch_80d6da01fe68171624a89660772a6c406578c5e3_67ae2cde4d6d4300074a9f50_25_02_13_17_33_20/logs?execution=1 ## Checklist - [ ] Have you linked a jira ticket and/or is the ticket in the title? - [ ] Have you checked whether your jira ticket required DOCSP changes? - [ ] Have you checked for release_note changes? ## Reminder (Please remove this when merging) - Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible - Our Short Guide for PRs: [Link](REDACTED) - Remember the following Communication Standards - use comment prefixes for clarity: * **blocking**: Must be addressed before approval. * **follow-up**: Can be addressed in a later PR or ticket. * **q**: Clarifying question. * **nit**: Non-blocking suggestions. * **note**: Side-note, non-actionable. Example: Praise * --> no prefix is considered a question
diff --git a/public/.evergreen.yml b/public/.evergreen.yml
@@ -39,12 +39,14 @@ functions:
           unzip -u macos-notary.zip
           chmod 755 ./linux_amd64/macnotary
   "release":
+    - command: github.generate_token
+      params:
+        expansion_name: generated_token
     - command: shell.exec
       type: setup
       params:
         working_dir: src/github.com/mongodb/mongodb-enterprise-kubernetes/tools/multicluster
         include_expansions_in_env:
-          - GITHUB_TOKEN
           - GRS_USERNAME
           - GRS_PASSWORD
           - PKCS11_URI
@@ -65,18 +67,19 @@ functions:
           set -Eeu pipefail
 
           export PATH=$GOROOT/bin:$PATH
+          export GITHUB_TOKEN=${generated_token}
           ${workdir}/goreleaser release --rm-dist
 
 tasks:
   - name: package_goreleaser
-    git_tag_only: true
+    allowed_requesters: [ "patch", "github_tag" ]
     tags: ["packaging"]
     commands:
       - func: "clone"
       - func: "install goreleaser"
       - func: "install macos notarization service"
       - func: "release"
-# add a noop task because if the only task in a variant is git_tag_only: true Evergreen doesn't start it at all
+  # add a noop task because if the only task in a variant is git_tag_only: true Evergreen doesn't start it at all
   - name: noop
     commands:
       - command: shell.exec
@@ -85,11 +88,11 @@ tasks:
           script: echo "this is the noop task"
 
 buildvariants:
-# This variant is run when a new tag is out similar to github actions.
-- name: release_mcli
-  display_name: Release Go multi-cluster binary
-  run_on:
-    - ubuntu2204-small
-  tasks:
-    - name: package_goreleaser
-    - name: noop
+  # This variant is run when a new tag is out similar to github actions.
+  - name: release_mcli
+    display_name: Release Go multi-cluster binary
+    run_on:
+      - ubuntu2204-small
+    tasks:
+      - name: package_goreleaser
+      - name: noop
