diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index c5695a01..84a435ce 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -6,7 +6,6 @@ env: PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} on: @@ -25,6 +24,7 @@ jobs: build_package: name: Build package runs-on: ubuntu-latest + strategy: fail-fast: false matrix: @@ -37,9 +37,27 @@ jobs: - ubuntu/noble steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub uses: docker/login-action@v2 
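Review bot: The `Configure git with x-access-token` step in build-citus-community-nightlies.yml writes the App installation token in clear text into the runner's global git config, where every later step of the job can read it, including the third-party `docker/login-action` and whatever is cloned from `tools` and `packaging`. The same `git config --global url."https://x-access-token:…@github.com/".insteadOf` line is added in the other five workflows that create an App token and in `build_packages` and the three `scripts/fetch_and_build_*` scripts. `actions/checkout` already receives the token through `token:`, so the rewrite only serves the extra clones. For those, a credential helper that reads the token from the environment keeps the secret out of the config file and out of the interpolated `run:` text: `git config --global credential.https://github.com.helper '!f() { echo username=x-access-token; echo "password=${GH_TOKEN}"; }; f'`.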
@@ -47,8 +65,8 @@ jobs: username: ${{ secrets.DOCKERHUB_USER_NAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + - name: Clone tools repo for test + run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index e4032d50..09dcca56 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -1,7 +1,6 @@ name: Build package for test images env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" @@ -26,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 - name: Update and check dockerfiles run: | ./update_dockerfiles 
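Review bot: The `Clone tools repo for test` step in build-citus-community-nightlies.yml now clones `tools` from the mutable branch `brk-test` instead of the tag `v0.8.35`, and build-pgazure-nightlies.yml gets the same change in its `Clone tools branch` step. These nightly jobs run with `PACKAGING_SECRET_KEY`, `PACKAGE_CLOUD_API_TOKEN` and the Docker Hub credentials in the workflow environment, so anything pushed to that branch executes with access to the signing and publishing secrets. The step name ("for test") suggests a leftover from debugging. Restore the pinned reference before merging, `run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools`, or move to a new release tag that has been reviewed.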
@@ -57,8 +56,25 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -75,6 +91,7 @@ jobs: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + - name: Clone tools repo for test run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools @@ -91,4 +108,4 @@ jobs: ./ci/push_images env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} - POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} \ No newline at end of file diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 2061778d..92e0911a 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -1,7 +1,6 @@ name: Build Package env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" @@ -26,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 - name: Update and check dockerfiles run: | ./update_dockerfiles 
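Review bot: The `Set GH_TOKEN for all steps` step in build-package-test.yml appends the App token to `$GITHUB_ENV`, which exports it to every remaining step of the job (package installation, image build and push), not only to the steps that talk to GitHub. The same step is added in build-citus-community-nightlies.yml, build-package.yml, build-pgazure-nightlies.yml, image-health-check.yml and update-pgxn-version.yml. Prefer a step-level `env:` entry, `GH_TOKEN: ${{ steps.app.outputs.token }}`, on the steps that actually need the token. If the job-wide export has to stay, pass the value through `env:` instead of interpolating it into the script and quote the target: `echo "GH_TOKEN=${APP_TOKEN}" >> "$GITHUB_ENV"`.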
@@ -57,8 +56,24 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 50eb6186..59256a1e 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -6,7 +6,6 @@ env: PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} on: 
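Review bot: The `Create GitHub App token` step in build-package.yml sets `owner:` but no `repositories:`, which, as I understand the action, yields a token valid for every repository the App is installed on under that owner rather than only the ones this job reads. Narrow it with something like `repositories: packaging,tools`; that list is an assumption taken from the clone URLs visible elsewhere in this diff and should be checked against what the build really fetches. The action handles the App private key and is referenced by the mutable tag `@v1`, so pinning it to a reviewed commit SHA is worth considering. The same step is added unchanged in the other workflows of this commit.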
@@ -38,8 +37,24 @@ jobs: - ubuntu/focal steps: + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub @@ -49,7 +64,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index ddbd0cea..ac88d2e5 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -1,7 +1,6 @@ name: Image Health Check env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" @@ -27,8 +26,10 @@ jobs: name: Check if docker files are compliant with templates runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v2 + + - name: Check out repository + uses: actions/checkout@v6 + - name: Update and check dockerfiles run: | ./update_dockerfiles 
@@ -59,8 +60,25 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 4699209f..4cf7df3a 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -2,7 +2,6 @@ name: Update Version on PGXN Config Files env: PROJECT_VERSION: ${{ github.event.inputs.project_version }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} on: workflow_dispatch: 
@@ -16,7 +15,25 @@ jobs: name: Update pgxn configuration runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + + - name: Create Github App Token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + + - name: Check out repository + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Install dependencies run: sudo apt install libcurl4-openssl-dev libssl-dev diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml index 9644928c..32e38d55 100644 --- a/.github/workflows/update_package_properties.yml +++ b/.github/workflows/update_package_properties.yml @@ -18,8 +18,9 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + + - name: Checkout repository + uses: actions/checkout@v6 # Runs a single command using the runners shell - name: Clone Tools branch diff --git a/build_packages b/build_packages index 471cb208..9c054b80 100755 --- a/build_packages +++ b/build_packages @@ -17,6 +17,8 @@ fi project=$1 buildtype=$2 +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" + name=$(git config --get user.name) email=$(git config --get user.email) packager="${name} <${email}>" diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 16bafc57..472e3d46 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb 
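Review bot: `build_packages` now rewrites every github.com URL with `${GITHUB_TOKEN}` without checking that the variable is set, while the workflows in this commit export the App token under the name `GH_TOKEN`. Where `GITHUB_TOKEN` gets its value is not visible in the hunk; if it is empty here, the rule becomes `https://x-access-token:@github.com/` in the caller's global git config and later fetches will probably fail on authentication in a way that is hard to trace. Add a guard directly above the line, for example `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"`. Because the setting is `--global`, it also outlives the script on a developer machine or a reused runner, which deserves a comment such as `# NOTE: persists the token in ~/.gitconfig until removed`. The script continues outside the hunk.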
@@ -88,7 +88,15 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi +if [[ "$GITHUB_TOKEN" == ..* ]]; then + echo "TOKEN FORMAT: appears to be a JWT (app-level token)." +else + echo "TOKEN FORMAT: not a JWT (installation token or PAT)." +fi + + echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME NAME=$(determine_name) diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index fd5f20a6..17fecc13 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn @@ -51,6 +51,7 @@ if [ -z "${pkglatest}" ]; then fi echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" repopath="citusdata/${hubproj}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 28e8285b..9979c609 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm @@ -82,6 +82,7 @@ if [ -z "${pkglatest}" ]; then fi echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) email=$(determine_email)
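Review bot: The added `if [[ "$GITHUB_TOKEN" == ..* ]]` block in scripts/fetch_and_build_deb is diagnostic code whose pattern only matches values that begin with two literal dots, so it prints the "not a JWT" message for any realistic token. The pgxn and rpm scripts did not receive this block, which also suggests a debugging leftover. Remove it before merging. If a check is wanted, fail fast on an empty value instead: `[ -n "${GITHUB_TOKEN}" ] || { echo "GITHUB_TOKEN is not set" >&2; exit 1; }`. The script body continues outside the hunk.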