NASA-IMPACT / admg-backend

Apache License 2.0

Implement OIDC for deploying content from db to prod UI #619

Open heidimok opened 4 months ago

heidimok commented 4 months ago

Context

We fixed a bug related to deploying content from db to prod UI (revisit deploying content from db to prod UI #963) and then further fixed a credential error (Credentials error when triggered db to prod UI workflow #618).

Issue

The bearer token will expire in October. If we need a long-term solution, we either need to keep rotating bearer tokens or, better, implement OIDC (which would be about a 6-8h lift to do on both staging and prod workflows).

Given the unknown timeline for transition of CASEI to ESDS, it is worth making this change to prevent having to continually update the tokens in the next year.

Notes

OIDC stands for OpenID Connect in GitHub https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect. It is a way to grant permissions to outside applications in the deployment workflow itself. So, GitHub creates a token when it deploys the MI that allows it to connect to CASEI. Next time we deploy the MI, GitHub automatically creates a new token and stores it. The benefit of that is that the token doesn't need to be stored in a secret somewhere. The second benefit is that there is automatic renewal of the tokens with each deployment.
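As an added example (not code from admg-backend or from GitHub), this is the check the receiving side of such a workflow needs once GitHub starts presenting OIDC tokens instead of a stored bearer token: after verifying the JWT signature against GitHub's JWKS, pin the issuer, audience, validity window and subject so that only the intended repository and environment can trigger the deploy. The audience string and the `repo:…:environment:prod` subject are assumptions; on the workflow side, the job additionally needs `permissions: id-token: write` to be issued a token at all.

```python
import base64
import json
import time

# Constructed values for this example. The audience string and the
# repository/environment binding are assumptions, not taken from the issue.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub's real OIDC issuer
EXPECTED_AUDIENCE = "casei-prod-deploy"                           # assumed
ALLOWED_SUBJECTS = {"repo:NASA-IMPACT/admg-backend:environment:prod"}  # assumed


def _b64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Signature verification against GitHub's JWKS is assumed to have already
    been done by the caller; this function only parses."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url(payload))


def authorize_deploy_token(token: str, now=None):
    """Accept only a token GitHub minted for the expected deploy workflow.
    Returns (allowed, reason) so callers can log why a token was rejected."""
    now = time.time() if now is None else now
    c = jwt_claims(token)
    if c.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = c.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        return False, "audience mismatch"
    if not (c.get("nbf", 0) <= now < c.get("exp", 0)):
        return False, "token not yet valid or expired"
    # Pin the workflow identity: the audience is chosen by the caller, so any
    # GitHub repo could present the right iss/aud; the subject must match the
    # deploying repo and environment.
    if c.get("sub") not in ALLOWED_SUBJECTS:
        return False, f"subject not allowed: {c.get('sub')}"
    return True, "ok"


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token for local testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```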