From 7e65a96422ebabb8a7fdaa03644c8822bfb2449b Mon Sep 17 00:00:00 2001 From: Nathan Wasson Date: Thu, 2 Jan 2025 15:21:57 -0600 Subject: [PATCH] Implement KSM to pull a PAT for commits in format.yml --- .github/workflows/format.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 45ebb521b6..dbf9a78bbe 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -3,7 +3,7 @@ name: "Code formatting" on: push: branches: - - "**" + - "**" env: python_version: "3.9" @@ -12,16 +12,25 @@ jobs: format-code: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Retrieve secrets from Keeper + id: ksecrets + uses: Keeper-Security/ksm-action@master + with: + keeper-secret-config: ${{ secrets.KSM_CONFIG }} + secrets: |- + v2h4jKiZlJywDSoKzRMnRw/field/Access Token > env:PAT # Fetch PAT and store in environment variable + + - name: Checkout code + uses: actions/checkout@v4 with: fetch-depth: 0 - ssh-key: ${{ secrets.DEPLOY_KEY }} + - name: Set up Python ${{ env.python_version }} uses: actions/setup-python@v3 with: python-version: ${{ env.python_version }} - - name: Format modified python files + - name: Format modified Python files env: filter: ${{ github.event.before }} run: | @@ -49,6 +58,8 @@ jobs: done - name: Commit and push changes + env: + PAT: ${{ env.PAT }} # Use PAT fetched from Keeper run: | HAS_CHANGES=$(git diff --staged --name-only) if [ ${#HAS_CHANGES} -gt 0 ]; then @@ -56,5 +67,6 @@ jobs: git config --global user.email "mlcommons-bot@users.noreply.github.com" # Commit changes git commit -m '[Automated Commit] Format Codebase' - git push - fi + # Use the PAT to push changes + git push https://x-access-token:${PAT}@github.com/${{ github.repository }} HEAD:${{ github.ref_name }} + fi
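Review bot: `uses: Keeper-Security/ksm-action@master` hands `secrets.KSM_CONFIG` to whatever the action's `master` branch points at when the job runs, so an upstream change reaches the vault configuration without any review here. Pin it to a full commit SHA, e.g. `uses: Keeper-Security/ksm-action@<full-commit-sha>  # <release tag>` (placeholder values). In the same step, the trailing `# Fetch PAT and store in environment variable` sits inside the `|-` block scalar, so YAML passes it to the action as part of the mapping line instead of treating it as a comment. Unless the action strips it, the destination may not parse as `env:PAT`, so the remark is safer on its own line above `secrets:`. The job continues outside this hunk.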
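Review bot: The added `PAT: ${{ env.PAT }}` does not narrow who sees the token, because the `> env:PAT` destination in the Keeper step already exports it to every later step in the job, including the Python setup and formatting steps that never need it. If the action's step-output destination is used instead (`... > PAT`, as I understand its syntax; confirm against the action's README), this line can become `PAT: ${{ steps.ksecrets.outputs.PAT }}` and only the push step receives the token.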
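Review bot: The new `git push` line expands `${{ github.ref_name }}` and `${{ github.repository }}` into the script text before the shell runs, and the workflow triggers on pushes to any branch. A branch name containing shell metacharacters is therefore interpreted as script in the one step that holds the PAT. Pass both values through `env:` (`REF_NAME: ${{ github.ref_name }}`, `REPO: ${{ github.repository }}`) and quote them: `git push "https://x-access-token:${PAT}@github.com/${REPO}" "HEAD:${REF_NAME}"`. Also worth confirming: `actions/checkout@v4` persists the default token as a git auth header unless `persist-credentials: false` is set, which may take precedence over the credentials in the URL. Passing the PAT as checkout's `token:` input would also keep it off the command line. The `run:` block begins outside this hunk.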