From e92418ce17e885f0dcc3d3c842f531bd24da87ee Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 4 Jul 2023 11:26:29 +0200 Subject: [PATCH 1/3] ci: use bot token for backport This allows GitHub Action workflows to be triggered for the PR created by the bot. As things are now triggered by the bot, elevated permissions of the workflow itself are no longer required. Signed-off-by: Hidde Beydals (cherry picked from commit 80eeff2739ac2de84d26bcea5b1c4af6bfbaa121)
---
 .github/workflows/backport.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 55c1fd1d..4bcca6b1 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -10,9 +10,6 @@ permissions:
 jobs:
 pull-request:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
 if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
 steps:
 - name: Checkout
@@ -23,6 +20,8 @@ jobs:
 uses: korthout/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2 # v1.3.1
 # xref: https://github.com/korthout/backport-action#inputs
 with:
+ # Use token to allow workflows to be triggered for the created PR
+ github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
 # Match labels with a pattern `backport:`
 label_pattern: '^backport:([^ ]+)$'
 # A bit shorter pull-request title than the default
From 6b04b02a6f5ee1ef1ce86190a3c9018da3844360 Mon Sep 17 00:00:00 2001 From: Aurel Canciu Date: Thu, 6 Jul 2023 09:27:06 +0200 Subject: [PATCH 2/3] Fix GHA backport.yaml workflow job perms Fixing backport workflow permissions. Signed-off-by: Aurel Canciu (cherry picked from commit 02c74b0d37f9d34f5c601505e98797693f53a98d)
---
 .github/workflows/backport.yaml | 3 +++
 1 file changed, 3 insertions(+)
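Review bot: The added `github_token: ${{ secrets.BOT_GITHUB_TOKEN }}` gives the backport step a credential whose rights are set where the token was issued, not by this workflow's `permissions:` block, so the expected reach of that token should be documented next to it. I would extend the comment to state the scope the secret is meant to have, e.g. `# BOT_GITHUB_TOKEN: fine-grained token for this repository only (contents and pull requests: write)`. The action that receives the secret is pinned to a full commit SHA, which is worth preserving on upgrades. The workflow trigger and the checkout step's own token are outside the hunk; presumably checkout still pushes with the default `GITHUB_TOKEN`, which would explain why the job-level permissions removed in the first hunk of this patch are restored in PATCH 2/3.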
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 4bcca6b1..75c7f772 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -10,6 +10,9 @@ permissions:
 jobs:
 pull-request:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
 steps:
 - name: Checkout
From 7c84a2cc4f73bc3d63750906d1552b86c4f1fd9c Mon Sep 17 00:00:00 2001 From: Aurel Canciu Date: Thu, 6 Jul 2023 09:48:47 +0200 Subject: [PATCH 3/3] Explicitly echo -E in GHA release.yml Signed-off-by: Aurel Canciu (cherry picked from commit 680843fd698cd78f4834f8e50e93f220bd7d7935)
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 258f523e..c2080c7e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,7 +107,7 @@ jobs:
 env:
 ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
 run: |
- hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
+ hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
 echo "hashes=$hashes" >> $GITHUB_OUTPUT
 image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
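Review bot: The restored `contents: write` and `pull-requests: write` carry no comment saying which step still depends on the default `GITHUB_TOKEN`, and the commit message ("Fixing backport workflow permissions") does not say either. Since PATCH 1/3 already passes a bot token to the action, it looks as if only the branch push through the checkout credentials needs the default token; if that is right, `pull-requests: write` may no longer be required. I would annotate each scope, e.g. `contents: write  # push of the backport branch with the checkout credentials`, and give `pull-requests: write` a matching reason or drop it. The job's steps continue outside the hunk, so the checkout configuration should be confirmed before narrowing anything.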
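Review bot: `$ARTIFACTS` is still expanded unquoted in the new `echo -E $ARTIFACTS`, so the shell word-splits and glob-expands the artifact JSON before jq reads it; `-E` only turns off backslash interpretation. Quoting the variable and using printf covers both cases: `hashes=$(printf '%s' "$ARTIFACTS" | jq --raw-output '…' | base64 -w0)`, with the jq filter unchanged. Only the exit status of `base64` decides whether the substitution fails, so a jq error would leave `hashes` empty without failing the step unless `pipefail` is active for this shell (the step's `shell:` setting is not visible here). Given that the value is exported as the `hashes` step output, presumably for later verification, adding `set -o pipefail` as the first line of the `run:` block is worth doing.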