From 2b64f7bfb7ddfb93da5c0d0ebdcb55bbf1a8b16a Mon Sep 17 00:00:00 2001
From: Thomas Thorogood
Date: Mon, 4 Apr 2022 13:30:34 -0700
Subject: [PATCH] Add correct permissions to create a release. (#134)
* Add correct permissions to create a release.
* Remove in-repo action and use shared action to configure gcloud and docker
---
 .github/actions/configure-docker/action.yml | 27 ---------------------
 .github/workflows/create-release.yml | 8 +++---
 .github/workflows/deploy.yml | 4 +--
 .github/workflows/pull-request.yml | 4 +--
 .github/workflows/scheduled-maintenance.yml | 4 +--
 5 files changed, 11 insertions(+), 36 deletions(-)
 delete mode 100644 .github/actions/configure-docker/action.yml
diff --git a/.github/actions/configure-docker/action.yml b/.github/actions/configure-docker/action.yml
deleted file mode 100644
index 754f20c..0000000
--- a/.github/actions/configure-docker/action.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Authenticate with gcloud
-
-inputs:
- project-name:
- description: The GCR project name (gcr.io//)
- required: true
- gcr-token:
- description: The Base-64 encoded service account token
- required: true
-
-runs:
- using: composite
- steps:
- - uses: google-github-actions/auth@v0
- with:
- credentials_json: ${{ inputs.gcr-token }}
- - uses: google-github-actions/setup-gcloud@v0
- with:
- # This version has to stay pinned in order
- # to work with docker-compose; there is a bug
- # either in Docker's or Google's software.
- # Ref: https://stackoverflow.com/questions/65295958/docker-compose-not-working-with-gcloud-cannot-find-openssl
- version: 297.0.1
- - run: |
- gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
- cat ${GOOGLE_APPLICATION_CREDENTIALS} | docker login -u _json_key --password-stdin https://gcr.io
- shell: bash
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 83738d4..12b9ad8 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -32,12 +32,14 @@ jobs:
 cancel-in-progress: false
 permissions:
 id-token: write
- contents: read
+ # https://docs.github.com/en/rest/reference/releases#create-a-release
+ # Creating "Release" artifacts falls under "contents: write"
+ contents: write
 steps:
 - uses: actions/checkout@v3
- - uses: ./.github/actions/configure-docker
+ - uses: UWIT-IAM/actions/configure-gcloud-docker@0.1
 with:
- gcr-token: ${{ secrets.GCR_TOKEN }}
+ gcloud-token: ${{ secrets.GCR_TOKEN }}
 - name: Install poetry
 uses: abatilo/actions-poetry@v2.1.0
 - run: |
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2679951..27563ba 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -35,9 +35,9 @@ jobs:
 steps: - uses: actions/checkout@v3 - uses: abatilo/actions-poetry@v2.1.4 - - uses: ./.github/actions/configure-docker + - uses: UWIT-IAM/actions/configure-gcloud-docker@0.1 with: - gcr-token: ${{ secrets.GCR_TOKEN }} + gcloud-token: ${{ secrets.GCR_TOKEN }} - run: ./scripts/install-build-scripts.sh name: Install common-build-scripts
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index fb7dd61..e659d9c 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -49,9 +49,9 @@ jobs:
 - uses: abatilo/actions-poetry@v2.1.4 - - uses: ./.github/actions/configure-docker + - uses: UWIT-IAM/actions/configure-gcloud-docker@0.1 with: - gcr-token: ${{ secrets.GCR_TOKEN }} + gcloud-token: ${{ secrets.GCR_TOKEN }} - run: | poetry run pip install tox uw-it-build-fingerprinter
diff --git a/.github/workflows/scheduled-maintenance.yml b/.github/workflows/scheduled-maintenance.yml
index 0d54ce2..4e7295d 100644
--- a/.github/workflows/scheduled-maintenance.yml
+++ b/.github/workflows/scheduled-maintenance.yml
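Review bot: The new `- uses: UWIT-IAM/actions/configure-gcloud-docker@0.1` line pins a shared action to a mutable ref (a tag or branch the action's owner can move) while handing it `secrets.GCR_TOKEN`, so whoever can update that ref controls what runs with the service-account credential; pinning to a full commit SHA, `- uses: UWIT-IAM/actions/configure-gcloud-docker@<full-commit-sha>  # 0.1`, removes that dependency on the remote ref. The same line appears in the deploy.yml, pull-request.yml and scheduled-maintenance.yml hunks of this commit and should be pinned the same way. The job-level `permissions:` block now grants `contents: write` to every step of this job, the third-party action included, which is broader than the create-release step alone needs; worth recording in the added comment which step actually consumes it, e.g. `# Only the release-creation step needs contents: write; every step in this job receives it`. The deleted in-repo action pinned gcloud to 297.0.1 for a docker-compose compatibility bug, and nothing in the hunk shows whether the shared action preserves that pin. The enclosing job starts outside the hunk.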
@@ -18,9 +18,9 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - uses: abatilo/actions-poetry@v2.1.3
- - uses: ./.github/actions/configure-docker
+ - uses: UWIT-IAM/actions/configure-gcloud-docker@0.1
 with:
- gcr-token: ${{ secrets.GCR_TOKEN }}
+ gcloud-token: ${{ secrets.GCR_TOKEN }}
 - run: poetry update --lock
 id: poetry-update
 - run: poetry run tox