Use JWT to get GH Token

Previously I thought that we could use the JWT to as the token for github, but
we actually need to use that to get the github token, and then everything else
should work the same.  I tried this by checking the auth status on a test run,
and it seems to work.

Author: avangelillo

serverless/release.sh

@@ -71,7 +71,7 @@ if [ "$PROD_RELEASE" = true ] ; then
     git remote set-url origin https://github.com/DataDog/datadog-cloudformation-macro.git
 
     echo "Checking git auth status"
-    gh auth status 
+    gh auth status
 
     git config --global user.name "gitlab-actions[bot]"
     git config --global user.email "gitlab-actions[bot]@users.noreply.github.com"

serverless/tools/get_secrets.sh

@@ -10,13 +10,20 @@ set -e
 # Get the JWT
 export GH_APP_ID=$(vault kv get -field="gh_app_id" kv/k8s/gitlab-runner/datadog-cloudformation-macro/secrets)
 export GH_PRIVATE_KEY=$(vault kv get -field="gh_private_key" kv/k8s/gitlab-runner/datadog-cloudformation-macro/secrets)
+export GH_INSTALLATION_ID=$(vault kv get -field="gh_installation_id" kv/k8s/gitlab-runner/datadog-cloudformation-macro/secrets)
+
 
 # Write private key to a temporary file
 PRIVATE_KEY_FILE=$(mktemp)
 echo "$GH_PRIVATE_KEY" > "$PRIVATE_KEY_FILE"
 
 # Get the GH token
-export GH_TOKEN=$(bash serverless/tools/generate_jwt.sh $GH_APP_ID $PRIVATE_KEY_FILE)
+export JWT_TOKEN=$(bash serverless/tools/generate_jwt.sh $GH_APP_ID $PRIVATE_KEY_FILE)
+
+export GH_TOKEN=$(curl -s -X POST \
+    -H "Authorization: Bearer $JWT_TOKEN" \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/app/installations/$GH_INSTALLATION_ID/access_tokens" | jq -r '.token')
 
 
 if [ -z "$EXTERNAL_ID_NAME" ]; then