Create static kubeconfig with bearer token

Replace the use of doctl as a credential manager for executing k8s calls with a freshly created bearer token (expires after 2h). Avoids passing a DO personal access token to the cs-dist-tests runner pod.

.github/release/kubeconfig-template.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    certificate-authority-data: ${CA}
+    server: ${SERVER}
+  name: release-tests
+contexts:
+- context:
+    cluster: release-tests
+    user: release-tests-runner
+  name: release-tests
+current-context: release-tests
+users:
+- name: release-tests-runner
+  user:
+    token: ${TOKEN}

.github/workflows/release.yml

@@ -245,8 +245,17 @@ jobs:
 
       - name: Create in-cluster app kubeconfig secret
         run: |
+          kubectl create serviceaccount release-tests-runner -n default
+          kubectl create clusterrolebinding release-tests-runner \
+            --clusterrole=cluster-admin \
+            --serviceaccount=default:release-tests-runner
+
+          TOKEN=$(kubectl create token release-tests-runner -n default --duration=2h)
+          SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
+          CA=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
+
           kubectl create secret generic codex-dist-tests-app-kubeconfig \
-            --from-file=kubeconfig.yaml=$HOME/.kube/config \
+            --from-file=kubeconfig.yaml=<(envsubst < .github/release/kubeconfig-template.yaml) \
             -n default
 
       - name: Set run variables