From 7b30ab9be289a5161d9b425408bd4e31437dd091 Mon Sep 17 00:00:00 2001
From: Josh Mock
Date: Thu, 4 Dec 2025 13:47:52 -0600
Subject: [PATCH] Use ephemeral Github token
---
 .github/workflows/backport.yml | 9 +++++++--
 .github/workflows/npm-publish.yml | 7 ++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 56d4f328a..c368dbcc3 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -22,6 +22,11 @@ jobs:
 )
 )
 steps:
- - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
+ - name: Fetch ephemeral GitHub token
+ id: fetch-token
+ uses: elastic/ci-gh-actions/fetch-github-token@8a7604dfdd4e7fe21f969bfe9ff96e17635ea577 # v1.0.0
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ vault-instance: "ci-prod"
+ - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
+ with:
+ github_token: ${{ steps.fetch-token.outputs.token }}
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 8798b473a..56673e9bc 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -44,6 +44,11 @@ jobs:
 tag=$(echo "$tag_meta" | cut -d '.' -f1)
 npm publish --provenance --access public --tag "$tag"
 fi
+ - name: Fetch ephemeral GitHub token
+ id: fetch-token
+ uses: elastic/ci-gh-actions/fetch-github-token@8a7604dfdd4e7fe21f969bfe9ff96e17635ea577 # v1.0.0
+ with:
+ vault-instance: "ci-prod"
 - name: Publish version on GitHub
 run: |
 version=$(jq -r .version package.json)
@@ -66,4 +71,4 @@ jobs:
 fi
 env:
 BRANCH_NAME: ${{ github.event.inputs.branch }}
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.fetch-token.outputs.token }}
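Review bot: The token passed to `tibdex/backport` as `github_token` is now issued through Vault, so the workflow's `permissions:` block no longer bounds what that third-party action can do with it, and nothing in the hunk records what the token is allowed to do. Its reach is decided by whatever role the `ci-prod` instance maps this repository and workflow to, which is not visible here. I would add a comment above the fetch step, for example `# Token scope comes from the Vault role, not from permissions:; keep it to contents and pull-requests write on this repo`, and confirm the role matches it. The same applies to `GH_TOKEN` in the last hunk of npm-publish.yml. The job header and trigger sit outside the hunk, so whether this job runs in a `pull_request_target` context cannot be checked from here.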
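Review bot: The `fetch-token` step in npm-publish.yml is placed after the step that runs `npm publish`, so a Vault or token-service failure would stop the job with the package already on npm and no GitHub release created. The publish cannot be undone and a re-run would presumably hit the already-published version, so consider moving the fetch step ahead of the publish step; the output is only passed to steps that reference `steps.fetch-token.outputs.token`, so the earlier position should not hand it to the publish script. If the current order is deliberate, a comment such as `# fetched after npm publish on purpose: keeps the token's lifetime short` would record that. The publish step begins outside the hunk.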