feat(ci): replaced GHCR_PR_TOKEN with GITHUB_TOKEN (#635)

* replaced GHCR_PR_TOKEN with GITHUB_TOKEN * Added permissions * removed extra space
cryostatio · Oct 3, 2023 · bbe5d48 · bbe5d48
1 parent 5373bbc
commit bbe5d48
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 15 deletions.
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
@@ -12,14 +12,17 @@ on:
       - edited
       - reopened
       - synchronize
-
   # Schedule a daily check. Used in referencing cross-repository
   # issues or pull requests
   schedule:
     - cron: '0 0 * * *'
 
 jobs:
   check:
+    permissions:
+      issues: write
+      pull-requests: write
+      statuses: write
     runs-on: ubuntu-latest
     steps:
       - uses: z0al/dependent-issues@v1

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -15,6 +15,9 @@ on:
 
 jobs:
   update_release_draft:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "main"

diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
@@ -10,6 +10,10 @@ on:
 
 jobs:
   main:
+    permissions:
+      pull-requests: read
+      statuses: write
+
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v3.4.0

diff --git a/.github/workflows/test-ci-command.yml b/.github/workflows/test-ci-command.yml
@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test')
     steps:
-    - name: Fail if needs-triage label applied 
+    - name: Fail if needs-triage label applied
       if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }}
       run: exit 1
     - name: Show warning if permission is denied
@@ -43,14 +43,14 @@ jobs:
               repo,
               comment_id: context.payload.comment.id,
               content: "+1",
-            });  
+            });
 
-  checkout-branch: 
+  checkout-branch:
     runs-on: ubuntu-latest
     needs: [check-before-test]
     permissions:
       pull-requests: read
-    outputs: 
+    outputs:
       PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }}
       PR_num: ${{ fromJSON(steps.comment-branch.outputs.result).num }}
       PR_repo: ${{ fromJSON(steps.comment-branch.outputs.result).repo }}
@@ -86,6 +86,8 @@ jobs:
   run-test-jobs:
     uses: ./.github/workflows/test-ci-reusable.yml
     needs: [get-test-image-tag, checkout-branch]
+    permissions:
+      packages: write
     with:
       repository: ${{ needs.checkout-branch.outputs.PR_repo }}
       ref: ${{ needs.checkout-branch.outputs.PR_head_ref }}

diff --git a/.github/workflows/test-ci-reusable.yml b/.github/workflows/test-ci-reusable.yml
@@ -2,16 +2,16 @@ on:
   workflow_call:
     inputs:
       tag:
-        required: true 
+        required: true
         type: string
       repository:
         required: false
         type: string
       ref:
-        required: false 
+        required: false
         type: string
 
-env: 
+env:
   OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key"
   OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04"
 
@@ -27,7 +27,7 @@ jobs:
       with:
         owner: ${{ github.repository_owner }}
         name: ${{ matrix.image }}
-        token: ${{ secrets.GHCR_PR_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
         ignore-missing-package: true
         tag-regex: ${{ inputs.tag }}
         tagged-keep-latest: 0
@@ -80,7 +80,7 @@ jobs:
         tags: ${{ inputs.tag }}
         registry: ghcr.io/${{ github.repository_owner }}
         username: ${{ github.repository_owner }}
-        password: ${{ secrets.GHCR_PR_TOKEN }}
+        password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build operator image for test
       run: |
         OPERATOR_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator:${{ inputs.tag }} \
@@ -94,7 +94,7 @@ jobs:
         tags: ${{ inputs.tag }}
         registry: ghcr.io/${{ github.repository_owner }}
         username: ${{ github.repository_owner }}
-        password: ${{ secrets.GHCR_PR_TOKEN }}
+        password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build bundle image for test
       run: |
         yq -i '.spec.template.spec.imagePullSecrets = [{"name": "registry-key"}]' config/manager/manager.yaml
@@ -109,7 +109,7 @@ jobs:
         tags: ${{ inputs.tag }}
         registry: ghcr.io/${{ github.repository_owner }}
         username: ${{ github.repository_owner }}
-        password: ${{ secrets.GHCR_PR_TOKEN }}
+        password: ${{ secrets.GITHUB_TOKEN }}
     - name: Set up Kind cluster
       run: |
         kind create cluster --config=".github/kind-config.yaml" -n ci-${{ github.run_id }}
@@ -124,14 +124,14 @@ jobs:
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
-        password: ${{ secrets.GHCR_PR_TOKEN }}
+        password: ${{ secrets.GITHUB_TOKEN }}
         auth_file_path: $HOME/.docker/config.json
     - name: Run scorecard tests
       run: |
         SCORECARD_REGISTRY_SERVER="ghcr.io" \
         SCORECARD_REGISTRY_USERNAME="${{ github.repository_owner }}" \
-        SCORECARD_REGISTRY_PASSWORD="${{ secrets.GHCR_PR_TOKEN }}" \
+        SCORECARD_REGISTRY_PASSWORD="${{ secrets.GITHUB_TOKEN }}" \
         BUNDLE_IMG="${{ steps.push-bundle-to-ghcr.outputs.registry-path }}" \
         make test-scorecard
-    - name: Clean up Kind cluster 
+    - name: Clean up Kind cluster
       run: kind delete cluster -n ci-${{ github.run_id }}