From 6ecf3782ac83b104c2073d6ccc4ff7d52c5fc674 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 4 Apr 2024 07:36:44 -0700 Subject: [PATCH] document the github-releases credential (#9925) --- .../templates/stages/release-deploy-stage.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.azure-pipelines/templates/stages/release-deploy-stage.yml b/.azure-pipelines/templates/stages/release-deploy-stage.yml index f21c50d52..063010595 100644 --- a/.azure-pipelines/templates/stages/release-deploy-stage.yml +++ b/.azure-pipelines/templates/stages/release-deploy-stage.yml @@ -14,6 +14,23 @@ stages: path: '$(Pipeline.Workspace)' - task: GitHubRelease@1 inputs: + # this "github-releases" credential is what azure pipelines calls a + # "service connection". it was created using the instructions at + # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#github-service-connection + # with a fine-grained personal access token from github to limit + # the permissions given to azure pipelines. the connection on azure + # needs permissions for the "release" pipeline (and maybe the + # "full-test-suite" pipeline to simplify testing it). information + # on how to set up these permissions can be found at + # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#secure-a-service-connection. + # the github token that is used needs "contents:write" and + # "workflows:write" permissions for the certbot repo + # + # as of writing this, the current token will expire on 3/15/2025. + # when recreating it, you may also want to create it using the + # shared "certbotbot" github account so the credentials aren't tied + # to any one dev's github account and their access to the certbot + # repo gitHubConnection: github-releases title: ${{ format('Certbot {0}', replace(variables['Build.SourceBranchName'], 'v', '')) }} releaseNotesFilePath: '$(Pipeline.Workspace)/release_notes.md'