From 1bf6b0c4f45b0fe77248440c52375c3a82891db8 Mon Sep 17 00:00:00 2001 From: eric-forte-elastic Date: Thu, 9 Jul 2026 12:42:16 -0400 Subject: [PATCH] Use ephemeral tokens --- .github/workflows/backport.yml | 12 +++++++++++- .github/workflows/kibana-mitre-update.yml | 10 +++++++++- .github/workflows/manual-backport.yml | 10 +++++++++- .github/workflows/react-tests-dispatcher.yml | 10 +++++++++- .github/workflows/release-docs.yml | 19 +++++++++++++++++-- .github/workflows/release-fleet.yml | 19 +++++++++++++++++-- 6 files changed, 72 insertions(+), 8 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index b9c2fb8838e..83bc7e2ff13 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -61,6 +61,9 @@ jobs: ) needs: get-branches runs-on: ubuntu-latest + permissions: + contents: read + id-token: write strategy: max-parallel: 1 matrix: @@ -68,10 +71,17 @@ jobs: target_branch: ${{ fromJSON(needs.get-branches.outputs.branches) }} steps: + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-3994dc276a5d" + - name: Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: - token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }} + token: ${{ steps.fetch-ephemeral-token.outputs.token }} ref: main fetch-depth: 100 diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml index 7090f06195d..c2d117addfa 100644 --- a/.github/workflows/kibana-mitre-update.yml +++ b/.github/workflows/kibana-mitre-update.yml @@ -10,6 +10,7 @@ on: permissions: contents: read pull-requests: read + id-token: write jobs: create_issue: @@ -17,6 +18,13 @@ jobs: env: KIBANA_ISSUE_NUMBER: 166152 # Define the Kibana issue number as a variable steps: + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-a213e9ca741c" + - name: Checkout code uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 @@ -41,7 +49,7 @@ jobs: curl -L \ -X POST \ -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: token ${{ secrets.WRITE_KIBANA_DETECTION_RULES_TOKEN }}" \ + -H "Authorization: token ${{ steps.fetch-ephemeral-token.outputs.token }}" \ https://api.github.com/repos/elastic/kibana/issues/${KIBANA_ISSUE_NUMBER}/comments \ -d '{"body":"The detection rules MITRE ATT&CK version has been updated to ${{ steps.extract_version.outputs.version }} Please help in scheduling the MITRE ATT&CK version upgrade in Kibana accordingly @banderror @approksiu. cc @elastic/threat-research-and-detection-engineering"}' exit $? diff --git a/.github/workflows/manual-backport.yml b/.github/workflows/manual-backport.yml index ade86bfbc71..789fee88059 100644 --- a/.github/workflows/manual-backport.yml +++ b/.github/workflows/manual-backport.yml @@ -14,6 +14,7 @@ on: permissions: contents: read + id-token: write jobs: commit: @@ -21,10 +22,17 @@ jobs: steps: + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-3994dc276a5d" + - name: Checkout detection-rules uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: - token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }} + token: ${{ steps.fetch-ephemeral-token.outputs.token }} fetch-depth: 0 - name: Set github config diff --git a/.github/workflows/react-tests-dispatcher.yml b/.github/workflows/react-tests-dispatcher.yml index dbf911d065d..a1c5938b51e 100644 --- a/.github/workflows/react-tests-dispatcher.yml +++ b/.github/workflows/react-tests-dispatcher.yml @@ -26,12 +26,20 @@ on: permissions: contents: read + id-token: write jobs: dispatch: name: Run REACT tests runs-on: ubuntu-latest steps: + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-2ed58b010dcf" + - name: Trigger REACT workflow env: REACT_WORKFLOW_ID: "detection-rules-tests.yml" @@ -39,7 +47,7 @@ jobs: curl -X POST \ -H "Accept: application/vnd.github.everest-preview+json" \ -H "Content-Type: application/json" \ - -H "Authorization: token ${{ secrets.WRITE_DETECTION_RULES_REACT_TOKEN }}" \ + -H "Authorization: token ${{ steps.fetch-ephemeral-token.outputs.token }}" \ "https://api.github.com/repos/elastic/react/actions/workflows/$REACT_WORKFLOW_ID/dispatches" \ -d '{"ref": "main", "inputs": {"pr_branch": "${{ github.head_ref || github.ref_name }}", "pr_id": "${{ github.event.number }}"}}' exit $? diff --git a/.github/workflows/release-docs.yml b/.github/workflows/release-docs.yml index 09b994ba849..7fd662d5869 100644 --- a/.github/workflows/release-docs.yml +++ b/.github/workflows/release-docs.yml @@ -19,12 +19,20 @@ on: permissions: contents: read + id-token: write jobs: build-docs: name: Build Security Docs runs-on: ubuntu-latest steps: + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-91218203784e" + - name: Checkout detection-rules uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: @@ -34,7 +42,7 @@ jobs: - name: Checkout elastic/security-docs uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: - token: ${{ secrets.WRITE_DOCS_DETECTION_RULES_TOKEN }} + token: ${{ steps.fetch-ephemeral-token.outputs.token }} repository: "elastic/security-docs" path: security-docs fetch-depth: 0 @@ -80,9 +88,16 @@ jobs: git commit -m "Update latest docs" git push --set-upstream origin $UPDATE_BRANCH + - name: Fetch ephemeral GitHub token for PR creation + id: fetch-ephemeral-token-pr + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-91218203784e" + - name: Create PR to elastic/security-docs env: - GITHUB_TOKEN: ${{ secrets.WRITE_DOCS_DETECTION_RULES_TOKEN }} + GITHUB_TOKEN: ${{ steps.fetch-ephemeral-token-pr.outputs.token }} POST_VERSION: "v${{ github.event.inputs.post_version }}" TARGET_BRANCH: "${{ github.event.inputs.target_branch }}" UPDATE_BRANCH: "update-security-docs-prebuilt-rules-${{github.event.inputs.post_version}}" diff --git a/.github/workflows/release-fleet.yml b/.github/workflows/release-fleet.yml index dc7ea2b0994..b5311eeb1b2 100644 --- a/.github/workflows/release-fleet.yml +++ b/.github/workflows/release-fleet.yml @@ -35,6 +35,7 @@ on: permissions: contents: write + id-token: write jobs: fleet-pr: @@ -70,10 +71,17 @@ jobs: echo "Checking out commit hash $COMMIT_HASH" git checkout $COMMIT_HASH + - name: Fetch ephemeral GitHub token + id: fetch-ephemeral-token + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-2926beb44090" + - name: Checkout elastic/integrations uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: - token: ${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }} + token: ${{ steps.fetch-ephemeral-token.outputs.token }} repository: ${{github.event.inputs.target_repo}} path: integrations fetch-depth: 0 @@ -188,13 +196,20 @@ jobs: run: | go install github.com/elastic/elastic-package@latest + - name: Fetch ephemeral GitHub token for PR creation + id: fetch-ephemeral-token-pr + uses: elastic/ci-gh-actions/fetch-github-token@v1 + with: + vault-instance: "ci-prod" + vault-role: "token-policy-2926beb44090" + - name: Create the PR to Integrations env: DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}" TARGET_REPO: "${{github.event.inputs.target_repo}}" TARGET_BRANCH: "${{github.event.inputs.target_branch}}" LOCAL_REPO: "../integrations" - GITHUB_TOKEN: "${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}" + GITHUB_TOKEN: "${{ steps.fetch-ephemeral-token-pr.outputs.token }}" run: | cd detection-rules python -m detection_rules dev integrations-pr \