debugging helm pr merged workflow

.github/workflows/on-helm-release-pr-merged.yml

@@ -8,38 +8,20 @@ on:
       - helm/oncall/Chart.yaml
 
 jobs:
-  get-irm-app-token:
-    runs-on: ubuntu-latest
-    outputs:
-      token: ${{ steps.generate-token.outputs.token }}
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Get Vault secrets
-        id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GH_APP_ID=github-app:app-id
-            GH_APP_PRIVATE_KEY=github-app:private-key
-
-      - name: Generate Github App token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ env.GH_APP_ID }}
-          private-key: ${{ env.GH_APP_PRIVATE_KEY }}
-          owner: grafana
-          repositories: "helm-charts"
-
+  # NOTE: unfortunately we need to store GH_APP_ID and GH_APP_PRIVATE_KEY as repository secrets
+  # (even though we already store them in Vault), because GitHub does not allow passing the `token` output
+  # of the `actions/create-github-app-token` action ACROSS jobs.
+  #
+  # Because grafana/helm-charts/.github/workflows/update-helm-repo.yaml is a reusable workflow, and not a composite
+  # action, there is no way to run job steps before the reusable workflow to do so within the same job.
+  #
+  # see https://github.com/actions/create-github-app-token/issues/66 for more details
   call-update-helm-repo:
-    uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@bda5b059ac617d46bbdacca0167e3b694d304519
-    needs:
-      - get-irm-app-token
+    uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
     with:
       charts_dir: helm
       cr_configfile: helm/cr.yaml
       ct_configfile: helm/ct.yaml
     secrets:
-      github_app_token: ${{ needs.get-irm-app-token.outputs.token }}
+      github_app_id: ${{ secrets.GH_APP_ID }}
+      github_app_pem: ${{ secrets.GH_APP_PRIVATE_KEY }}