Merge branch 'main' into plengauer-patch-5

plengauer · web-flow · commit ca626b460c24 · 2026-01-06T17:59:17.000+01:00
diff --git a/.github/workflows/autoapprove.yml b/.github/workflows/autoapprove.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -74,19 +74,20 @@ jobs:
     steps:
       - uses: plengauer/opentelemetry-github/actions/instrument/job@v5.41.0
         with:
-          secrets_to_redact: '["${{ github.token }}","${{ secrets.ACTIONS_GITHUB_TOKEN }}"]'
+          secrets_to_redact: '["${{ github.token }}","${{ secrets.PACKAGES_GITHUB_TOKEN }}"]'
         env:
           OTEL_EXPORTER_OTLP_ENDPOINT: '${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}'
           OTEL_EXPORTER_OTLP_HEADERS: '${{ secrets.OTEL_EXPORTER_OTLP_HEADERS }}'
+
       - uses: actions/checkout@v6.0.1
         with:
-          token: ${{ secrets.ACTIONS_GITHUB_TOKEN }} # need to use this token for later pushes of tags
           ref: ${{ matrix.ref }}
       - run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
         id: version
       - uses: actions/download-artifact@v7.0.0
         with:
           name: packages_${{ matrix.ref }}
+
       - uses: actions/attest-build-provenance@v3.1.0
         with:
           subject-path: ./package.deb
@@ -102,12 +103,13 @@ jobs:
       - uses: actions/download-artifact@v7.0.0
         with:
           name: images_${{ matrix.ref }}
+
       - run: |
           version="${{ steps.version.outputs.version }}"
           major=$(echo "$version" | cut -d . -f 1)
           minor=$(echo "$version" | cut -d . -f 2)
           patch=$(echo "$version" | cut -d . -f 3)
-          echo ${{ secrets.ACTIONS_GITHUB_TOKEN }} | sudo docker login ghcr.io -u "$(GH_TOKEN=${{ secrets.ACTIONS_GITHUB_TOKEN }} gh api user -q .login)" --password-stdin
+          echo ${{ secrets.PACKAGES_GITHUB_TOKEN }} | sudo docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
           find . -iname '*.image' | while read -r image_file; do
             sudo docker load < "$image_file"
             image_name="$image_file"
@@ -120,6 +122,7 @@ jobs:
             sudo docker image remove "$image_name"
             sudo docker push "ghcr.io/${GITHUB_REPOSITORY%/*}/$image_name" --all-tags
           done
+
       - run: |
           gh release create "v${{ steps.version.outputs.version }}" \
             --title "Release v${{ steps.version.outputs.version }}" \
@@ -130,34 +133,35 @@ jobs:
           echo "upload_url=$(gh api repos/${{ github.repository }}/releases | jq '.[] | select(.tag_name == "v${{ steps.version.outputs.version }}") | .upload_url' -r)" >> "$GITHUB_OUTPUT"
         id: create_release
         env:
-          GH_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+
       - uses: actions/upload-release-asset@v1.0.2
         env:
-          GITHUB_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./package.deb
           asset_name: opentelemetry-shell_${{ steps.version.outputs.version }}.deb
           asset_content_type: application/octet-stream
       - uses: actions/upload-release-asset@v1.0.2
         env:
-          GITHUB_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./package.rpm
           asset_name: opentelemetry-shell_${{ steps.version.outputs.version }}.rpm
           asset_content_type: application/octet-stream
       - uses: actions/upload-release-asset@v1.0.2
         env:
-          GITHUB_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./package.apk
           asset_name: opentelemetry-shell_${{ steps.version.outputs.version }}.apk
           asset_content_type: application/octet-stream
       - uses: eregon/publish-release@v1.0.6
         env:
-          GITHUB_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         with:
           release_id: ${{ steps.create_release.outputs.id }}
       - run: |
diff --git a/.github/workflows/test_github.yml b/.github/workflows/test_github.yml
@@ -671,6 +671,7 @@ jobs:
     needs: deploy-smoke
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       actions: read
     strategy:
       matrix:
@@ -723,7 +724,7 @@ jobs:
           nohup node -e "require('http').createServer(function (req, res) { console.log(req.method, req.url); res.writeHead(200); res.end(); }).listen(8080);" 1> /tmp/http.log 2> /dev/null &
       - run: |
           printf '%s' '${{ secrets.TEST_GITHUB_TOKEN }}' | GH_TOKEN='${{ secrets.TEST_GITHUB_TOKEN }}' gh secret set DEPLOY_OBSERVABILITY_TOKEN --repo ${{ steps.config.outputs.user }}/${{ steps.config.outputs.repository }}
-          wget --header "Authorization: Bearer ${{ secrets.ACTIONS_GITHUB_TOKEN }}" https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/README.md -O - | sed -n '/```yaml/,/```/p' | grep -v '```yaml' | sed '/```/,$d' > .github/workflows/deploy_otel.yml
+          wget --header "Authorization: Bearer ${{ github.token }}" https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/README.md -O - | sed -n '/```yaml/,/```/p' | grep -v '```yaml' | sed '/```/,$d' > .github/workflows/deploy_otel.yml
           cat .github/workflows/deploy_otel.yml | yq .jobs.deploy.steps[0].uses | grep -q '/actions/instrument/deploy@'
           cat .github/workflows/deploy_otel.yml | yq .jobs.deploy.steps[0].with.github_token | grep -q secrets.DEPLOY_OBSERVABILITY_TOKEN
           yq -i 'del(.jobs.deploy.steps[0].env)' .github/workflows/deploy_otel.yml
