Tweak

aknuds1 · aknuds1 · commit 570ee91f9fda · 2025-11-04T09:39:53.000+01:00
Signed-off-by: Arve Knudsen &lt;arve.knudsen@gmail.com&gt;
diff --git a/.github/workflows/push-mimir-build-image.yml b/.github/workflows/push-mimir-build-image.yml
@@ -19,24 +19,6 @@ jobs:
       # Necessary to authenticate with Vault which happens in dockerhub-login
       id-token: write
     steps:
-      # Retrieve GitHub App credentials to get a token with org member read permissions.
-      # GITHUB_TOKEN doesn't have org-level permissions, so we use the mimir-github-bot GitHub App.
-      - name: Retrieve GitHub App Credentials from Vault
-        id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
-        with:
-          repo_secrets: |
-            APP_ID=mimir-github-bot:app_id
-            PRIVATE_KEY=mimir-github-bot:private_key
-
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ env.APP_ID }}
-          private-key: ${{ env.PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-
       - name: Checkout Repository
         uses: actions/checkout@v4
         with:
@@ -64,6 +46,24 @@ jobs:
           echo "::error::This workflow only excecutes when mimir-build-image/Dockerfile has been modified"
           exit 1
 
+      # Retrieve GitHub App credentials to get a token with org member read permissions.
+      # GITHUB_TOKEN doesn't have org-level permissions, so we use the mimir-github-bot GitHub App.
+      - name: Retrieve GitHub App Credentials from Vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
+        with:
+          repo_secrets: |
+            APP_ID=mimir-github-bot:app_id
+            PRIVATE_KEY=mimir-github-bot:private_key
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ env.APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       # Check if PR author is a Grafana organization member using the GitHub API.
       # This is more reliable than author_association which depends on public membership visibility.
       # Uses the GitHub App token because GITHUB_TOKEN doesn't have org-level permissions.
