
build(ci): specify top level permissions for github workflows #6560




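name: Build and test

# Default GITHUB_TOKEN scope for every job: read-only. Jobs that need more
# (package pushes) widen it locally. A job-level `permissions:` map REPLACES
# this default instead of extending it, so a job that lists only
# `packages: write` ends up with `contents: none` — see the run annotation
# preserved on the release_example_docker_images job below.
permissions:
  contents: read

on:
  push:
    branches:
      - master
  pull_request:

jobs:
  # Make sure go.mod and go.sum files are up-to-date with the code.
  # TODO: make this fail if they're not up-to-date to inform the committer to update them
  gomod:
    runs-on: ubuntu-20.04
    outputs:
      gomod: ${{ steps.gomod.outputs.gomod }}
      gosum: ${{ steps.gosum.outputs.gosum }}
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: make go-mod-tidy
      # Export the tidied files as multiline outputs using the `name<<DELIM`
      # form; the bare `echo` after `cat` guarantees the closing delimiter
      # starts on its own line even if the file lacks a trailing newline.
      - id: gomod
        run: |
          {
            echo 'gomod<<FILE'
            cat go.mod
            echo
            echo FILE
          } >> "$GITHUB_OUTPUT"
      - id: gosum
        run: |
          {
            echo 'gosum<<FILE'
            cat go.sum
            echo
            echo FILE
          } >> "$GITHUB_OUTPUT"

  lint:
    runs-on: ubuntu-20.04
    needs: gomod
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Sync go.mod and go.sum files from the gomod job. The file contents are
      # passed through `env:` rather than expanded inline in `run:`, so that
      # shell metacharacters in the (PR-controlled) file text are written
      # verbatim instead of being interpreted by the runner's shell.
      - name: restore_gomod
        env:
          GOMOD: ${{ needs.gomod.outputs.gomod }}
        run: echo "$GOMOD" > go.mod
      - name: restore_gosum
        env:
          GOSUM: ${{ needs.gomod.outputs.gosum }}
        run: echo "$GOSUM" > go.sum
      - run: make golint

  reno_lint:
    runs-on: ubuntu-20.04
    needs: gomod
    steps:
      # Pinned to the same checkout revision as every other job in this file
      # (previously v4.1.2); full history is needed for the reno report.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - name: reset_git_extension
        run: git config --unset-all extensions.worktreeconfig
      - name: reno_lint
        run: make reno-lint
      # Reno lint does not catch some errors which make reno report fail.
      - name: reno_report_check
        run: make reno-report

  test:
    runs-on: ubuntu-20.04
    needs: gomod
    strategy:
      fail-fast: false
      matrix:
        testSuite: [test, integration-test, helm-test]
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Sync go.mod and go.sum files from the gomod job (via env, see lint).
      - name: restore_gomod
        env:
          GOMOD: ${{ needs.gomod.outputs.gomod }}
        run: echo "$GOMOD" > go.mod
      - name: restore_gosum
        env:
          GOSUM: ${{ needs.gomod.outputs.gosum }}
        run: echo "$GOSUM" > go.sum
      # NOTE(review): this action reference was garbled in the rendered page
      # ("helm/[email protected]"); restore the original ref and pin it to a
      # full commit SHA like the other actions in this file.
      - uses: helm/[email protected]
      # Every matrix entry needs the CSI hostpath driver and minio: the
      # integration and helm suites use them directly, and a test (CRDSuite)
      # that runs as part of `make test` requires at least one CRD to be
      # present on the cluster, which installing csi-hostpath-driver provides.
      # The two previously separate, mutually exclusive conditional steps
      # covered the whole matrix, so this runs unconditionally.
      - run: |
          make install-csi-hostpath-driver
          make install-minio
      - run: make ${{ matrix.testSuite }}

  build:
    runs-on: ubuntu-20.04
    needs: gomod
    strategy:
      matrix:
        bin: [controller, kanctl, kando]
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Sync go.mod and go.sum files from the gomod job (via env, see lint).
      - name: restore_gomod
        env:
          GOMOD: ${{ needs.gomod.outputs.gomod }}
        run: echo "$GOMOD" > go.mod
      - name: restore_gosum
        env:
          GOSUM: ${{ needs.gomod.outputs.gosum }}
        run: echo "$GOSUM" > go.sum
      - run: make build BIN=${{ matrix.bin }} GOBORING=true

  docs:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: make docs

  release:
    runs-on: ubuntu-20.04
    needs: [lint, test, build, docs]
    if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags')
    # Job-level permissions replace the workflow default, so `contents: read`
    # is restated here next to the package push; otherwise this job's token
    # has no contents scope at all. (Presumably the checkout below relies on
    # it unless the repository is public — confirm against the repo settings.)
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: make go-mod-tidy
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Reclaim runner disk space before the image build.
      - run: sudo rm -rf /usr/share/dotnet
      - run: sudo rm -rf "$AGENT_TOOLSDIRECTORY"
      - run: docker image prune -af
      - run: docker builder prune -af
      - run: make release-snapshot
      - run: COMMIT_SHA=${{ github.sha }} ./build/push_images.sh

  image_tags:
    runs-on: ubuntu-latest
    outputs:
      tag_short: ${{ steps.image_tags.outputs.tag_short }}
      tag_long: ${{ steps.image_tags.outputs.tag_long }}
    steps:
      - id: image_tags
        env:
          COMMIT_SHA: ${{ github.sha }}
        run: |
          echo "tag_short=short-commit-${COMMIT_SHA::12}" >> "$GITHUB_OUTPUT"
          echo "tag_long=commit-${COMMIT_SHA}" >> "$GITHUB_OUTPUT"

  # Run annotation shown on this page for this job ("Invalid workflow file",
  # .github/workflows/main.yaml line 142, col 3): Error calling workflow
  # 'kanisterio/kanister/.github/workflows/build_example_images.yaml@30f50d04ca4c3f4bd1ea2b88e6bc5d3bfe47c0f3'.
  # The workflow is requesting 'contents: read', but is only allowed
  # 'contents: none'.
  # A reusable workflow can only be granted permissions the calling job holds,
  # and the job-level map replaces the workflow-level default, so
  # `contents: read` must be restated alongside `packages: write`.
  release_example_docker_images:
    needs: [release, image_tags]
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/build_example_images.yaml
    with:
      image_tag: v9.99.9-dev
      ref: ${{ github.ref }}
      extra_tags: |
        ${{ needs.image_tags.outputs.tag_short }}
        ${{ needs.image_tags.outputs.tag_long }}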