From 8b6314fde3fbc1dada75bcd5d64c4999e78b35cc Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:03:07 +0100
Subject: [PATCH 1/7] Add loki-squad as PR reviewers

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .github/workflows/check-for-dependency-updates.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index b003377..8b8b1d9 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -79,6 +79,7 @@ jobs:
                 labels: dependencies
                 branch: chore/update-dependencies
                 delete-branch: true
+                reviewers: loki-squad
 
     updateGrafana:
         name: Update the Grafana version
@@ -111,3 +112,4 @@ jobs:
                 labels: dependencies
                 branch: chore/update-minio
                 delete-branch: true
+                reviewers: loki-squad

From f6b72897cd92b761aff1342dc4f59e53ad80beca Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:06:06 +0100
Subject: [PATCH 2/7] Use other form

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .github/workflows/check-for-dependency-updates.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index 8b8b1d9..a20cbc7 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -79,7 +79,7 @@ jobs:
                 labels: dependencies
                 branch: chore/update-dependencies
                 delete-branch: true
-                reviewers: loki-squad
+                reviewers: grafana/loki-squad
 
     updateGrafana:
         name: Update the Grafana version
@@ -112,4 +112,4 @@ jobs:
                 labels: dependencies
                 branch: chore/update-minio
                 delete-branch: true
-                reviewers: loki-squad
+                reviewers: grafana/loki-squad

From 952c3e85d91bb5f5530709439bd40f7c1e65d157 Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:29:24 +0100
Subject: [PATCH 3/7] Use @

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .github/workflows/check-for-dependency-updates.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index a20cbc7..b580ece 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -79,7 +79,7 @@ jobs:
                 labels: dependencies
                 branch: chore/update-dependencies
                 delete-branch: true
-                reviewers: grafana/loki-squad
+                reviewers: "@grafana/loki-squad"
 
     updateGrafana:
         name: Update the Grafana version
@@ -112,4 +112,4 @@ jobs:
                 labels: dependencies
                 branch: chore/update-minio
                 delete-branch: true
-                reviewers: grafana/loki-squad
+                reviewers: "@grafana/loki-squad"

From c5f1daf8f0382726244cd22f1cfe8cdeeb20adf2 Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:36:05 +0100
Subject: [PATCH 4/7] Use team-reviewers

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .github/workflows/check-for-dependency-updates.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index b580ece..70cd955 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -79,7 +79,7 @@ jobs:
                 labels: dependencies
                 branch: chore/update-dependencies
                 delete-branch: true
-                reviewers: "@grafana/loki-squad"
+                team-reviewers: "@grafana/loki-squad"
 
     updateGrafana:
         name: Update the Grafana version
@@ -112,4 +112,4 @@ jobs:
                 labels: dependencies
                 branch: chore/update-minio
                 delete-branch: true
-                reviewers: "@grafana/loki-squad"
+                team-reviewers: "@grafana/loki-squad"

From 71462a9f93a6fd3b10007fb2ccb24f8844cadfd6 Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:49:41 +0100
Subject: [PATCH 5/7] Use other token

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .../workflows/check-for-dependency-updates.yaml    | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index 70cd955..de90ee5 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -66,6 +66,12 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
+            - uses: actions/create-github-app-token@v1
+              id: app-token
+              with:
+                app-id: ${{ env.APP_ID }}
+                private-key: ${{ env.PRIVATE_KEY }}
+
             - name: Create pull request
               if: steps.update-loki.outputs.changed == 'true' || steps.update-grafana-alloy.outputs.changed == 'true' || steps.update-mimir-distributed.outputs.changed == 'true' || steps.update-tempo-distributed.outputs.changed == 'true' || steps.update-minio.outputs.changed == 'true'
               uses: peter-evans/create-pull-request@v5
@@ -80,6 +86,7 @@ jobs:
                 branch: chore/update-dependencies
                 delete-branch: true
                 team-reviewers: "@grafana/loki-squad"
+                token: ${{ steps.app-token.outputs.token }}
 
     updateGrafana:
         name: Update the Grafana version
@@ -99,6 +106,12 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
+            - uses: actions/create-github-app-token@v1
+              id: app-token
+              with:
+                app-id: ${{ env.APP_ID }}
+                private-key: ${{ env.PRIVATE_KEY }}
+
             - name: Create pull request
               if: steps.update-grafana.outputs.changed == 'true'
               uses: peter-evans/create-pull-request@v5
@@ -113,3 +126,4 @@ jobs:
                 branch: chore/update-minio
                 delete-branch: true
                 team-reviewers: "@grafana/loki-squad"
+                token: ${{ steps.app-token.outputs.token }}

From c91a819e77d4a297aff73ff6b2cce03b887fe27f Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:53:22 +0100
Subject: [PATCH 6/7] Add secret step

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .../workflows/check-for-dependency-updates.yaml  | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index de90ee5..77cf4c9 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -66,6 +66,14 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
+            - id: get-secrets
+              uses: grafana/shared-workflows/actions/get-vault-secrets@main
+              with:
+                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+                repo_secrets: |
+                  APP_ID=github-app:app-id
+                  PRIVATE_KEY=github-app:private-key
+
             - uses: actions/create-github-app-token@v1
               id: app-token
               with:
@@ -106,6 +114,14 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
+            - id: get-secrets
+              uses: grafana/shared-workflows/actions/get-vault-secrets@main
+              with:
+                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+                repo_secrets: |
+                  APP_ID=github-app:app-id
+                  PRIVATE_KEY=github-app:private-key
+
             - uses: actions/create-github-app-token@v1
               id: app-token
               with:

From 0ef850e96c5831dc9db35bd6e0391a9ede142879 Mon Sep 17 00:00:00 2001
From: Michel Hollands <michel.hollands@gmail.com>
Date: Fri, 31 May 2024 14:56:32 +0100
Subject: [PATCH 7/7] Add permissions

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
---
 .github/workflows/check-for-dependency-updates.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/check-for-dependency-updates.yaml b/.github/workflows/check-for-dependency-updates.yaml
index 77cf4c9..a91a7a5 100644
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -19,6 +19,9 @@ jobs:
     updateVersions:
         name: Update the subcharts
         runs-on: "ubuntu-latest"
+        permissions:
+          contents: write
+          id-token: write
         steps:
             - name: Checkout
               uses: actions/checkout@v2
@@ -99,6 +102,9 @@ jobs:
     updateGrafana:
         name: Update the Grafana version
         runs-on: "ubuntu-latest"
+        permissions:
+          contents: write
+          id-token: write
         steps:
             - name: Checkout
               uses: actions/checkout@v2