Take advantage of Octo STS to publish homebrew updates.

Once the trust policy lands here: chainguard-dev/homebrew-tap#53 This change will enable the release workflow to federate with the Octo STS app to create tokens in accordance with the trust policy and avoid the use of PATs. Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
mattmoor · Jan 23, 2024 · 12b2a63 · 12b2a63
1 parent eb44fc3
commit 12b2a63
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -30,11 +30,18 @@ jobs:
           version: latest
           install-only: true
 
+      # Federate to create a token to authenticate with the homebrew-tap repository.
+      - uses: chainguard-dev/actions/octo-sts@main
+        id: octo-sts
+        with:
+          scope: chainguard-dev/homebrew-tap
+          identity: melange
+
       - name: Release
         run: make release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
 
   ko-build:
     name: Release melange image