Refactor github actions (#4157)

- Pull secrets for docker hub from vault
- Use github token for publishing release

Author: simonswine

.github/workflows/test.yml

@@ -116,6 +116,9 @@ jobs:
 
   build-push:
     if: github.event_name == 'push' && github.repository == 'grafana/pyroscope'
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
@@ -130,11 +133,18 @@ jobs:
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: 1.23.8
-      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      # login to docker hub
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          common_secrets: |
+            DOCKERHUB_USERNAME=dockerhub:username
+            DOCKERHUB_PASSWORD=dockerhub:password
+      - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
+        name: Login to Docker Hub
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
       - name: Pyroscope Build & push multi-arch image
         id: build-push
         run: |

.github/workflows/weekly-release.yml

@@ -6,7 +6,9 @@ on:
       - 'weekly/f*'
 
 permissions:
-  contents: read
+  contents: write
+  actions: write
+  id-token: write
 
 jobs:
   goreleaser-weekly:
@@ -40,29 +42,28 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
       # login to docker hub
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          common_secrets: |
+            DOCKERHUB_USERNAME=dockerhub:username
+            DOCKERHUB_PASSWORD=dockerhub:password
       - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
         name: Login to Docker Hub
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
       - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version: 20
       - run: make frontend/build
-      - name: Get github app token (valid for an hour)
-        id: app-goreleaser
-        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6
         with:
           # ensure this aligns with the version specified in the /Makefile
           version: v2.7.0
           args: release --clean --skip=publish --timeout 60m
         env:
-          GITHUB_TOKEN: ${{ steps.app-releaser.outputs.token }}
-
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Push per architecture images and create multi-arch manifest
         run: |
           set -eu -o pipefail
@@ -88,11 +89,5 @@ jobs:
 
           docker manifest create "grafana/pyroscope:${WEEKLY_IMAGE_TAG}" "${IMAGE_AMMENDS[@]}"
           docker manifest push "grafana/pyroscope:${WEEKLY_IMAGE_TAG}"
-      - name: Get github app token (valid for an hour)
-        id: app-git-tag
-        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Push git tag for weekly release
-        run: git push "https://x-access-token:${{ steps.app-git-tag.output.token }}@github.com/grafana/pyroscope.git" "${WEEKLY_IMAGE_TAG}" 2> /dev/null
+        run: git push "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/grafana/pyroscope.git" "${WEEKLY_IMAGE_TAG}" 2> /dev/null