fix: try setting permissions at job level (#59)

* fix: try setting permissions at job level
* fix: use release label
* fix: only search open issues
* fix: link backport pr to sub issue
---------

Signed-off-by: matttrach <matt.trachier@suse.com>
This commit is contained in:
Matt Trachier 2025-08-20 22:01:18 -05:00 committed by GitHub
parent 90d32af435
commit aa517700c1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 23 additions and 18 deletions


@ -45,7 +45,7 @@ jobs:
// https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests
core.info(`Searching for 'internal/main' issue linked to PR #${pr.number}`);
const { data: searchResults } = await github.request('GET /search/issues', {
q: `is:issue label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`,
q: `is:issue state:open label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`,
advanced_search: true,
headers: {
'X-GitHub-Api-Version': '2022-11-28'
@ -100,8 +100,9 @@ jobs:
head: newBranchName,
base: targetBranch,
body: "This pull request cherry-picks the changes from #" + pr.number + " into " + targetBranch + "\n" +
"WARNING!: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" +
"Please make sure to carefully inspect this PR so that you don't revert anything!",
"Addresses #" + subIssueNumber + "for #" + mainIssue.number + " \n\n" +
"**WARNING!**: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" +
"Please make sure to carefully inspect this PR so that you don't accidentally revert anything!",
assignees: ['terraform-maintainers']
});
}
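Review bot: The added body line `"Addresses #" + subIssueNumber + "for #" + mainIssue.number + " \n\n" +` is missing the space before `for`, so the rendered text reads like `Addresses #12for #34` (constructed example) and the first reference may not autolink to the sub-issue this commit intends to link; change it to `"Addresses #" + subIssueNumber + " for #" + mainIssue.number + "\n\n" +` (the stray space before `\n\n` can go at the same time). In the search hunk, `in:body #${pr.number}` is a free-text term, so an issue whose body mentions a longer number starting with the same digits may also match the `state:open` query — worth a short comment if that is accepted. `subIssueNumber` and `mainIssue` are assigned outside the hunk, and the enclosing script continues past it.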


@ -39,7 +39,7 @@ jobs:
labels: newLabels,
assignees: ['matttrach']
});
if (versionLabel) {
if (releaseLabel) {
// if version label detected, then add appropriate sub-issues
const parentIssue = newIssue.data;
const parentIssueTitle = parentIssue.title;
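Review bot: The comment `// if version label detected, then add appropriate sub-issues` is now stale once the condition became `if (releaseLabel)`; update it to `// if release label detected, then add appropriate sub-issues`. `releaseLabel` is assigned outside the hunk, so whether it is always defined at this point cannot be confirmed from here, and the enclosing script continues past the hunk.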


@ -6,25 +6,26 @@ on:
- release/v0
- release/v1
permissions:
contents: write
id-token: write
issues: write
pull-requests: write
actions: read
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
issues: write
pull-requests: write
actions: read
outputs:
release_pr: ${{ steps.release-please.outputs.pr }}
steps:
- uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0 https://github.com/googleapis/release-please-action/commits/main/
name: release-please
id: release-please
with:
release-type: go
# These run only if a release PR was opened or modified, so not when the PR is merged
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
name: wait-for-e2e
if: steps.release-please.outputs.pr
with:
github-token: ${{secrets.GITHUB_TOKEN}}
@ -61,6 +62,7 @@ jobs:
shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
run: make testacc
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
name: report-tests-passed
if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
with:
github-token: ${{secrets.GITHUB_TOKEN}}
@ -72,6 +74,7 @@ jobs:
body: "Tests Passed!"
})
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
name: report-tests-failed
if: steps.release-please.outputs.pr && always() && ((steps.run-unit-tests.conclusion == 'failure') || (steps.run-acc-tests.conclusion == 'failure'))
with:
github-token: ${{secrets.GITHUB_TOKEN}}
@ -83,14 +86,15 @@ jobs:
body: "Tests Failed!"
})
- name: retrieve GPG Credentials
if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
- name: import_gpg_key
if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
env:
GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
@ -110,7 +114,7 @@ jobs:
echo "Importing gpg key"
echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
- name: Run GoReleaser
if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
with:
args: release --snapshot --clean
@ -134,8 +138,8 @@ jobs:
with:
secrets: |
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
- name: import_gpg_key
if: steps.release-please.outputs.version
env:
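Review bot: The `if:` on the import_gpg_key step (`if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')`) and on the Run GoReleaser step no longer require `steps.run-acc-tests.conclusion == 'success'`, so the GPG private key read from Vault is imported and GoReleaser runs even when the acceptance tests failed or were skipped, and the commit message does not mention this relaxation. If it is intended (the preceding retrieve GPG Credentials step already gated only on unit tests), make it explicit with a comment such as `# acceptance-test failures are reported above but do not block the snapshot build`; otherwise restore `&& (steps.run-acc-tests.conclusion == 'success')` on both lines. Moving `permissions:` to the release job is a sensible narrowing, though the `contents: write` and `id-token: write` token is still available to every step of that job, including the `make testacc` run.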