[CI] Use buildkite plugin to set github token (#935)

mrodm · web-flow · commit 69f3a8bd718b · 2025-07-22T16:38:54.000+02:00
Use https://github.com/elastic/vault-github-token-buildkite-plugin instead of using pre-command hooks with complicated conditions. This helps to know what Buildkite step uses VAULT_GITHUB_TOKEN and self-document those sensitive details as it's a declarative syntax.
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -4,17 +4,8 @@ source .buildkite/scripts/tooling.sh
 
 set -euo pipefail
 
-GO_VERSION=$(cat .go-version)
-export GO_VERSION
-
 # Secrets must be redacted
 # https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
 
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "package-spec-test-with-integrations" && "$BUILDKITE_STEP_KEY" == "pr-integrations" ]]; then
-    # required to set the git commit information
-    GITHUB_USERNAME_SECRET="elasticmachine"
-    export GITHUB_USERNAME_SECRET=$GITHUB_USERNAME_SECRET
-    export GITHUB_EMAIL_SECRET="elasticmachine@elastic.co"
-    # required by `gh` commands
-    export GITHUB_TOKEN=$VAULT_GITHUB_TOKEN
-fi
+GO_VERSION=$(cat .go-version)
+export GO_VERSION
diff --git a/.buildkite/pipeline.test-with-integrations-repo.yml b/.buildkite/pipeline.test-with-integrations-repo.yml
@@ -26,6 +26,12 @@ steps:
   - label: ":hammer: Create PR in integrations"
     key: pr-integrations
     command: ".buildkite/scripts/test-with-integrations.sh"
+    env:
+      GITHUB_EMAIL: "elasticmachine@elastic.co"
+      GITHUB_USERNAME: "elastic-vault-github-plugin-prod"
+    plugins:
+      # Required to push branches, create PRs and post comments on PRs
+      - elastic/vault-github-token#v0.1.0:
     agents:
       provider: "gcp"
     depends_on:
diff --git a/.buildkite/scripts/test-with-integrations.sh b/.buildkite/scripts/test-with-integrations.sh
@@ -54,8 +54,8 @@ get_source_commit_link() {
 }
 
 set_git_config() {
-    git config user.name "${GITHUB_USERNAME_SECRET}"
-    git config user.email "${GITHUB_EMAIL_SECRET}"
+    git config user.name "${GITHUB_USERNAME}"
+    git config user.email "${GITHUB_EMAIL}"
 }
 
 git_push() {
@@ -117,7 +117,7 @@ update_dependency() {
     # allow not to commit if there are no changes
     # previous execution could fail and just pushed the branch but PR is not created
     if ! git diff-index --quiet HEAD ; then
-        git commit -m "Test elastic-package from PR ${BUILDKITE_PULL_REQUEST} - ${GITHUB_PR_HEAD_SHA}"
+        git commit -m "Test package-spec from PR ${BUILDKITE_PULL_REQUEST} - ${GITHUB_PR_HEAD_SHA}"
     fi
 
     echo ""
