From fc50479c1eb7095cdf4858b3be616113603cf756 Mon Sep 17 00:00:00 2001
From: E M <5089238+emizzle@users.noreply.github.com>
Date: Fri, 10 Apr 2026 22:32:15 +1000
Subject: [PATCH] Create static kubeconfig with bearer token

Replace the use of doctl as a credential manager for executing k8s calls with a freshly created bearer token (expires after 2h). Avoids passing a DO personal access token to the cs-dist-tests runner pod.
---
 .github/release/kubeconfig-template.yaml | 17 +++++++++++++++++
 .github/workflows/release.yml | 11 ++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 .github/release/kubeconfig-template.yaml

diff --git a/.github/release/kubeconfig-template.yaml b/.github/release/kubeconfig-template.yaml
new file mode 100644
index 00000000..5dd36976
--- /dev/null
+++ b/.github/release/kubeconfig-template.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    certificate-authority-data: ${CA}
+    server: ${SERVER}
+  name: release-tests
+contexts:
+- context:
+    cluster: release-tests
+    user: release-tests-runner
+  name: release-tests
+current-context: release-tests
+users:
+- name: release-tests-runner
+  user:
+    token: ${TOKEN}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f186de2d..2f4731a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
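Review bot: The new template carries no comment explaining how it is consumed, so a reader opening it on its own sees a kubeconfig with three unexplained placeholders and no hint that it is not usable until rendered. A header such as `# Rendered by .github/workflows/release.yml via envsubst; CA, SERVER and TOKEN are filled from the release job's kubectl context at run time — not a usable kubeconfig on its own.` would document that, and YAML comments survive envsubst. Because envsubst replaces every `$name` it finds, any literal dollar sign added to this file later can only be protected by passing an explicit variable list to envsubst in the workflow, which is worth stating in the same comment.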
@@ -245,8 +245,17 @@ jobs:
       - name: Create in-cluster app kubeconfig secret
         run: |
+          kubectl create serviceaccount release-tests-runner -n default
+          kubectl create clusterrolebinding release-tests-runner \
+            --clusterrole=cluster-admin \
+            --serviceaccount=default:release-tests-runner
+
+          TOKEN=$(kubectl create token release-tests-runner -n default --duration=2h)
+          SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
+          CA=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
+
           kubectl create secret generic codex-dist-tests-app-kubeconfig \
-            --from-file=kubeconfig.yaml=$HOME/.kube/config \
+            --from-file=kubeconfig.yaml=<(envsubst < .github/release/kubeconfig-template.yaml) \
             -n default
       - name: Set run variables
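Review bot: The `envsubst` call on the `--from-file=kubeconfig.yaml=<(envsubst < …)` line will render `${CA}`, `${SERVER}` and `${TOKEN}` as empty strings, because the three `TOKEN=$(…)`, `SERVER=$(…)` and `CA=$(…)` assignments above it create shell variables rather than environment variables and envsubst only reads the environment (unless the step's shell has `allexport` set, which the default `bash -e` does not); the secret would then hold a kubeconfig with a blank server, CA and token, and the runner pod would presumably fail at its first API call rather than at this step. Adding `export TOKEN SERVER CA` after the `CA=$(…)` line fixes it, and narrowing substitution with `envsubst '${CA} ${SERVER} ${TOKEN}' < .github/release/kubeconfig-template.yaml` keeps any other `$` text in the template literal. Separately, the ClusterRoleBinding to `cluster-admin` gives the test pod unrestricted cluster rights for the token's 2h lifetime; if the tests only touch the `default` namespace, a RoleBinding to the built-in `admin` or `edit` ClusterRole in that namespace would bound the blast radius of a leaked token. The ServiceAccount and ClusterRoleBinding are also never removed and `kubectl create` is not idempotent, so a second run against the same cluster would fail with AlreadyExists unless the cluster is provisioned fresh per release, which the earlier steps of this job (outside the hunk) may well do.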