fix(ci): Use 1Password-bot token for flake update PRs so approval job runs #465
Conversation
| @@ -17,7 +17,7 @@ jobs: | |||
| run: nix flake update | |||
| - name: Create signed commit with flake.lock changes | |||
| env: | |||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |||
| GITHUB_TOKEN: ${{ secrets.OP_BOT_TOKEN }} | |||
There was a problem hiding this comment.
Sanity check: Who is 1Password bot? Did you create a Github account specifically for creating these PRs? I saw that our IT team added the token to this repo's variables but I was curious whether you know what permissions we used for that token?
Question: I see how this action will now use the 1Password bot to create the PRs, but I'm missing the part where the GitHub actions bot is called upon for approving.
There was a problem hiding this comment.
The 1Password-bot is a user, I think controlled by IT, it's also used in the 1Password for Open Source repo for some automations relating to application approvals.
The GitHub Actions bot applies the approval via a separate job, which was introduced here: #456
The issue is just that that job is never running currently, because PRs created by GitHub Actions bot do not trigger further CI actions. Switching to the 1Password-bot token should make it so that the flake.lock PRs still trigger GitHub Actions, and that other job will run, and GitHub Actions bot will apply an approval.
mrjones2014
changed the title
Overview
Changes the token used for the flake update CI jobs to use the
1Password-botusers token, so that the approval job runs andgithub-actions[bot]can apply an approval to the flake.lock update PRs.Type of change
Related Issue(s)
pull_request:instead ofpull_request_target:#459 chore(ci): Auto-add one approval to automated flake.lock PRs #456How To Test
Merge this change, then run a flake.lock update CI job. The PR should be created by 1Password-bot, and github-actions[bot] should provide one approval for it.
Changelog
Use 1Password-bot instead of github-actions[bot] to run the flake.lock update CI jobs.