chore(ci): Use GitHub App token for team membership rather than user PAT

.github/workflows/comment-trigger.yml

@@ -59,13 +59,19 @@ jobs:
           || contains(github.event.comment.body, '/ci-run-k8s')
       )
     steps:
+      - name: Generate authentication token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
       - name: Get PR comment author
         id: comment
         uses: tspascoal/get-user-teams-membership@v2
         with:
           username: ${{ github.actor }}
           team: 'Vector'
-          GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Validate author membership
         if: steps.comment.outputs.isTeamMember == 'false'

.github/workflows/gardener_open_pr.yml

@@ -13,17 +13,23 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
+      - name: Generate authentication token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
       - uses: tspascoal/get-user-teams-membership@v2
         id: checkVectorMember
         with:
           username: ${{ github.actor }}
           team: vector
-          GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
       - uses: actions/[email protected]
         if: ${{ steps.checkVectorMember.outputs.isTeamMember == 'false' }}
         with:
           project-url: https://github.com/orgs/vectordotdev/projects/49
-          github-token: ${{ secrets.GH_PROJECT_PAT }}
+          github-token: ${{ steps.generate_token.outputs.token }}
   add-dependabot-to-project:
     name: Add dependabot PR to Gardener project board
     runs-on: ubuntu-latest

.github/workflows/integration-comment.yml

@@ -47,13 +47,19 @@ jobs:
     runs-on: ubuntu-latest
     if: contains(github.event.comment.body, '/ci-run-integration') || contains(github.event.comment.body, '/ci-run-all')
     steps:
+      - name: Generate authentication token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
       - name: Get PR comment author
         id: comment
         uses: tspascoal/get-user-teams-membership@v2
         with:
           username: ${{ github.actor }}
           team: 'Vector'
-          GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Validate author membership
         if: steps.comment.outputs.isTeamMember == 'false'
@@ -365,13 +371,19 @@ jobs:
     needs: integration-tests
     if: always() && (contains(github.event.comment.body, '/ci-run-integration') || contains(github.event.comment.body, '/ci-run-all'))
     steps:
+      - name: Generate authentication token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
       - name: Validate issue comment
         if: github.event_name == 'issue_comment'
         uses: tspascoal/get-user-teams-membership@v2
         with:
           username: ${{ github.actor }}
           team: 'Vector'
-          GITHUB_TOKEN: ${{ secrets.GH_PAT_ORG }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: (PR comment) Get PR branch
         uses: xt0rted/pull-request-comment-branch@v2

.github/workflows/integration.yml

@@ -98,9 +98,9 @@ jobs:
       - name: Determine if secrets are defined (PR author is team member).
         if: github.event_name == 'pull_request'
         env:
-          GH_PAT_ORG: ${{ secrets.GH_PAT_ORG }}
+          GH_APP_DATADOG_VECTOR_CI_APP_ID: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
         run: |
-          if [[ "$GH_PAT_ORG" != "" ]] ; then
+          if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" ]] ; then
             echo "PR_HAS_ACCESS_TO_SECRETS=true" >> "$GITHUB_ENV"
           else
             echo "PR_HAS_ACCESS_TO_SECRETS=false" >> "$GITHUB_ENV"

.github/workflows/test.yml

@@ -40,6 +40,23 @@ jobs:
     env:
       CARGO_INCREMENTAL: 0
     steps:
+      - name: Generate authentication token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          private_key: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_PRIVATE_KEY }}
+      - name: Get PR comment author
+        id: comment
+        uses: tspascoal/get-user-teams-membership@v2
+        with:
+          username: ${{ github.actor }}
+          team: 'Vector'
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Validate author membership
+        if: steps.comment.outputs.isTeamMember == 'false'
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           # check-version needs tags