fix(ci-cd): use token-bureau (#30)

Author: devthejo

.github/workflows/release.yml

@@ -5,13 +5,23 @@ on:
   push:
     branches: [master]
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     steps:
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/semantic-release@v1
         with:
-          github-token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          github-token: ${{ steps.token.outputs.token }}
           author-name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
           author-email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}

.github/workflows/use-ks-gh-deactivate.yaml

@@ -25,6 +25,9 @@ on:
       KS_NOTIFY_MATTERMOST_WEBHOOK_URL:
         required: false
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: Deactivate Pipeline ♻️
@@ -71,12 +74,19 @@ jobs:
           env: ${{ steps.deployment-vars.outputs.deployment-name }}
           desc: Deployment was pruned
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - name: Clean review sub environment
         uses: socialgouv/deployments@v1
         continue-on-error: true
         with:
           step: delete-env
-          token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          token: ${{ steps.token.outputs.token }}
           env: ${{ steps.deployment-vars.outputs.deployment-name }}
           desc: Environment was pruned
 

.github/workflows/use-ks-gh-preproduction.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy PreProd on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: preproduction
 
       - uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-production.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy Production on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: production
 
       - uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-review-auto.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: review
 
       - uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-review.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: review
 
       - uses: socialgouv/kontinuous/.github/actions/deploy-via-github@v1
@@ -49,7 +59,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-with-env-deactivate.yaml

@@ -25,6 +25,9 @@ on:
       KS_NOTIFY_MATTERMOST_WEBHOOK_URL:
         required: false
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: Deactivate Pipeline ♻️
@@ -71,12 +74,19 @@ jobs:
           env: ${{ steps.deployment-vars.outputs.deployment-name }}
           desc: Deployment was pruned
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - name: Clean review sub environment
         uses: socialgouv/deployments@v1
         continue-on-error: true
         with:
           step: delete-env
-          token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          token: ${{ steps.token.outputs.token }}
           env: ${{ steps.deployment-vars.outputs.deployment-name }}
           desc: Environment was pruned
 

.github/workflows/use-ks-gh-with-env-preproduction.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy PreProd on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: preproduction
           github-env-enabled: true
 
@@ -50,7 +60,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-with-env-production.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy Production on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: production
           github-env-enabled: true
 
@@ -50,7 +60,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name:

.github/workflows/use-ks-gh-with-env-review-auto.yaml

@@ -15,6 +15,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write  # Required for OIDC token generation
+
 jobs:
   deploy:
     name: 🐳 Deploy Review on Kubernetes
@@ -26,11 +29,18 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Get GitHub App Token
+        id: token
+        uses: SocialGouv/token-bureau@main
+        with:
+          token-bureau-url: https://token-bureau.fabrique.social.gouv.fr
+          audience: socialgouv
+
       - uses: socialgouv/workflows/actions/deployment-starting@v1
         id: deployment-starting
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           environment-scope: review
           github-env-enabled: true
 
@@ -50,7 +60,7 @@ jobs:
       - uses: socialgouv/workflows/actions/deployment-ending@v1
         id: deployment-ending
         with:
-          pat: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          pat: ${{ steps.token.outputs.token }}
           token: ${{ secrets.GITHUB_TOKEN }}
           deployment-id: ${{ steps.deployment-starting.outputs.deployment-id }}
           deployment-name: