A helper application that creates release pull requests in the requesting repository. It is intended to be used together with `optic-release-automation-action`.
- Install the GitHub App `optic-release-automation` on the repositories or the organization where you want to use `optic-release-automation-action`.
- Use `optic-release-automation-action` in your GitHub Actions workflow as documented in the action's own repository.
This application is a companion to the GitHub action `optic-release-automation-action`.
When used in a GitHub workflow, the action invokes this application and delegates to it the creation of the pull request for the new release.
An external application is needed because events triggered with the workflow's `GITHUB_TOKEN` do not create a new workflow run, so a pull request opened with that token would not trigger the repository's own checks.
Hence a separate GitHub App is needed: one that does not rely on the `GITHUB_TOKEN` and can generate its own token when needed.
- The `optic-release-automation` GitHub App is installed on the target repository or organization. This allows the app to create a token for the requesting repository.
- The `optic-release-automation-action` GitHub action is used in a workflow and delegates to this app, via an HTTP request, the responsibility of creating the pull request.
- The action provides the `GITHUB_TOKEN` secret to the GitHub App as the authentication token.
- The GitHub App uses that token to infer which repository is being targeted (i.e. the requesting repository), thereby preventing misuse.
- Once the GitHub App has verified that the provided token has access to the target repository, it uses its own credentials to create the pull request.
The approach used by this mechanism is secure:
- It does not serve unauthenticated requests.
- It expects a `GITHUB_TOKEN` that is scoped to the repository and valid only for the duration of the workflow run, and it infers the target repository from that token rather than from the request, so an arbitrary caller cannot point it at a repository of their choosing.
- It cannot do anything besides opening a pull request.
So if somebody has a token for your repository and invokes the GitHub App's HTTP API with the correct request body, they can do nothing but open a pull request from a branch that already exists in your repo.
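The request handling described above, as an added example that is not the app's own code: the target repository is derived from the caller's `GITHUB_TOKEN`, unauthenticated or mis-scoped callers are refused, and only then does the app open a pull request with its own credentials. It assumes (not taken from this README) that the action sends the token as a bearer header with a JSON body of `{ head, base, title }`, and that `GET /installation/repositories` is used to infer the repository; `fakeGitHub` is a constructed stand-in for the GitHub API so the flow runs offline.

```javascript
// Added example, not the app's own code. Assumptions not taken from the page:
// the action sends GITHUB_TOKEN as a bearer token with a JSON body
// { head, base, title }, and the app infers the target repository from
// GET /installation/repositories, which for a workflow's GITHUB_TOKEN lists
// only the repository the workflow runs in.
async function handleReleasePr(req, { fetch, appToken }) {
  // 1. Unauthenticated requests are refused outright.
  const auth = req.headers.authorization || '';
  if (!auth.startsWith('Bearer ')) return { status: 401, error: 'missing token' };
  const token = auth.slice('Bearer '.length);
  // 2. Infer the target repository from the caller's token, never from the
  //    request body, so a caller can only act on the repo its token covers.
  const res = await fetch('https://api.github.com/installation/repositories', { headers: { authorization: `Bearer ${token}` } });
  if (res.status !== 200) return { status: 401, error: 'token rejected by GitHub' };
  const { repositories } = await res.json();
  if (!Array.isArray(repositories) || repositories.length !== 1) {
    return { status: 403, error: 'token is not scoped to exactly one repository' };
  }
  const fullName = repositories[0].full_name;
  // 3. Open the pull request with the app's own credentials; head and base
  //    must already exist in that repository, GitHub rejects unknown refs.
  const { head, base, title } = req.body || {};
  if (!head || !base) return { status: 400, error: 'head and base are required' };
  const pr = await fetch(`https://api.github.com/repos/${fullName}/pulls`, {
    method: 'POST',
    headers: { authorization: `Bearer ${appToken}` },
    body: JSON.stringify({ head, base, title: title || `Release ${head}` }),
  });
  if (pr.status !== 201) return { status: 502, error: 'pull request creation failed' };
  return { status: 201, repository: fullName, pullRequest: await pr.json() };
}

// Constructed stand-in for the two GitHub endpoints, so this runs offline.
function fakeGitHub({ tokenRepos = {}, knownBranches = [] } = {}) {
  const calls = [];
  const fetch = async (url, opts = {}) => {
    calls.push({ url, method: opts.method || 'GET' });
    const token = (opts.headers.authorization || '').replace('Bearer ', '');
    if (url.endsWith('/installation/repositories')) {
      const repos = tokenRepos[token];
      if (!repos) return { status: 401, json: async () => ({}) };
      return { status: 200, json: async () => ({ repositories: repos.map(full_name => ({ full_name })) }) };
    }
    const { head, base } = JSON.parse(opts.body);
    const ok = token === 'app-token' && [head, base].every(b => knownBranches.includes(b));
    return { status: ok ? 201 : 422, json: async () => ({ number: 7, head, base }) };
  };
  return { calls, fetch };
}
```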
This section covers how to contribute to this app. You don't need to read further if you're simply using this as described in the above sections.
- Prerequisites: a GCP project with the Cloud Run and Cloud Build APIs enabled.
- Create a service account in the IAM & Admin console to be used to deploy the app.
- Create a key for the service account; this key will be configured as a secret in GitHub Actions so the workflow can deploy the app.
- Grant the following roles to the service account:
  - Artifact Registry Administrator
  - Cloud Build Service Account
  - Service Account User
  - Cloud Run Admin
  - Cloud Run Service Agent
  - Storage Admin
- Clone this repo to your GitHub account.
- In the Settings of your GitHub repo, go to Secrets and create a New repository secret for each of the names and values below:
  - `GCP_PROJECT_ID`: The ID of the GCP project as found in your GCP account.
  - `GCP_CLOUDRUN_SERVICE_NAME`: The name of the Cloud Run service; you can select any name that you prefer.
  - `GCP_CLOUDRUN_SERVICE_REGION`: The GCP region in which you want to create the Cloud Run service.
  - `GCP_SA_KEY`: The key that you created for your service account with the permissions to deploy the app. This is a JSON object and should be used as-is.
  - `APP_ID`: The ID of the GitHub App. You can get this from the GitHub App settings.
  - `PRIVATE_KEY`: The private key of the GitHub App. You can get this from the GitHub App settings.
- After the steps above are configured, go to Actions in your GitHub repo and run the CD workflow defined in `.github/workflows/cd.yaml`. The file is already configured with the action that deploys the Cloud Run service using the secrets created in the step above.
- Once the workflow has run, go to your GCP account and open the "Cloud Run" page to see the details of the deployed service.