From cbd6950e4a608dc68b0357295738df364d15669d Mon Sep 17 00:00:00 2001
From: Joey Orlando
Date: Tue, 24 Sep 2024 16:17:59 -0400
Subject: [PATCH] debugging helm pr merged workflow
---
 .../workflows/on-helm-release-pr-merged.yml | 40 +++++--------------
 1 file changed, 11 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/on-helm-release-pr-merged.yml b/.github/workflows/on-helm-release-pr-merged.yml
index 9c0a33a5..4d1dde59 100644
--- a/.github/workflows/on-helm-release-pr-merged.yml
+++ b/.github/workflows/on-helm-release-pr-merged.yml
@@ -8,38 +8,20 @@ on:
 - helm/oncall/Chart.yaml
 jobs:
- get-irm-app-token:
- runs-on: ubuntu-latest
- outputs:
- token: ${{ steps.generate-token.outputs.token }}
- permissions:
- contents: read
- id-token: write
- steps:
- - name: Get Vault secrets
- id: get-secrets
- uses: grafana/shared-workflows/actions/get-vault-secrets@main
- with:
- repo_secrets: |
- GH_APP_ID=github-app:app-id
- GH_APP_PRIVATE_KEY=github-app:private-key
-
- - name: Generate Github App token
- id: generate-token
- uses: actions/create-github-app-token@v1
- with:
- app-id: ${{ env.GH_APP_ID }}
- private-key: ${{ env.GH_APP_PRIVATE_KEY }}
- owner: grafana
- repositories: "helm-charts"
-
+ # NOTE: unfortunately we need to store GH_APP_ID and GH_APP_PRIVATE_KEY as repository secrets
+ # (even though we already store them in Vault), because GitHub does not allow passing the `token` output
+ # of the `actions/create-github-app-token` action ACROSS jobs.
+ #
+ # Because grafana/helm-charts/.github/workflows/update-helm-repo.yaml is a reusable workflow, and not a composite
+ # action, there is no way to run job steps before the reusable workflow to do so within the same job.
+ #
+ # see https://github.com/actions/create-github-app-token/issues/66 for more details
 call-update-helm-repo:
- uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@bda5b059ac617d46bbdacca0167e3b694d304519
- needs:
- - get-irm-app-token
+ uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
 with:
 charts_dir: helm
 cr_configfile: helm/cr.yaml
 ct_configfile: helm/ct.yaml
 secrets:
- github_app_token: ${{ needs.get-irm-app-token.outputs.token }}
+ github_app_id: ${{ secrets.GH_APP_ID }}
+ github_app_pem: ${{ secrets.GH_APP_PRIVATE_KEY }}
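Review bot: The reusable workflow in `call-update-helm-repo` is no longer pinned: `@main` replaces the full commit SHA on the `uses:` line, while the same hunk starts passing `secrets.GH_APP_PRIVATE_KEY` to it, so any later commit on that branch runs with the GitHub App's long-lived private key. Before this change the callee received only a short-lived installation token limited to `repositories: "helm-charts"`; how the callee scopes the token it now mints is not visible here and should be checked. Pin the ref again, to the grafana/helm-charts commit that accepts the new secret names: `uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@<full-commit-sha>`. Since the key now lives in both Vault and repository secrets, the NOTE comment could also gain a line such as `# Rotate the GH_APP_PRIVATE_KEY repository secret whenever the Vault copy is rotated.`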