lts work

Signed-off-by: Brian Downs <[email protected]>

.github/workflows/build.yml

@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
   security-events: write # upload Sarif results
 
 name: Build
@@ -17,10 +18,26 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4
 
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
+  
+    - name: Create App Token
+      uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        repositories: release-node-feature-discovery
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+
     - name: Set the TAG value
       id: get-TAG
       run: |
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
     - name: Build container image
       uses: docker/build-push-action@v6
       with:
@@ -30,6 +47,7 @@ jobs:
         file: Dockerfile
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-node-feature-discovery
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/[email protected]
@@ -52,6 +70,21 @@ jobs:
     - name: Check out code
       uses: actions/checkout@v4
 
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
+    
+    - name: Create App Token
+      uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        repositories: release-multus-cni
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
 
@@ -62,6 +95,7 @@ jobs:
       id: get-TAG
       run: |
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
     - name: Build container image
       uses: docker/build-push-action@v6
       with:
@@ -73,3 +107,4 @@ jobs:
         platforms: linux/arm64
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-node-feature-discovery

.github/workflows/release.yml

@@ -27,14 +27,16 @@ jobs:
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
 
     - name: Build and push image
       uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env:
+        SRC: x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-node-feature-discovery
       with:
         image: rancher/hardened-node-feature-discovery
         tag: ${{ github.event.release.tag_name }}

Dockerfile

@@ -17,8 +17,9 @@ RUN go-assert-boring.sh bin/*
 # Build node feature discovery
 ARG ARCH="amd64"
 ARG TAG=v0.15.7
+ARG SRC="github.com/rancher/release-node-feature-discovery"
 ARG PKG="github.com/kubernetes-sigs/node-feature-discovery"
-RUN git clone --depth=1 https://${PKG}.git $GOPATH/src/${PKG}
+RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}
 RUN git fetch --all --tags --prune
 RUN git checkout tags/${TAG} -b ${TAG}