Merge pull request #652 from rstudio/action-permissions

Action permissions and usage cleanup

.github/actions/build-test-scan-push/action.yaml

@@ -63,37 +63,53 @@ runs:
         sudo rm -rf /usr/share/dotnet # will release about 20GB
 
     - name: Login to ghcr.io
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ inputs.ghcr-token }}
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ inputs.dockerhub-username }}
         password: ${{ inputs.dockerhub-token }}
 
-    - name: Authenticate to Google Cloud
+    - name: Login to GCAR us-central1
       continue-on-error: true
-      uses: google-github-actions/auth@v1
+      uses: docker/login-action@v3
       with:
-        credentials_json: '${{ inputs.gcp-json }}'
+        registry: us-central1-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
 
-    - name: Authenticate GCAR
-      shell: bash
-      run: |
-        if [[ "${{ inputs.gcp-json != '' }}" == "true" ]]; then
-          gcloud auth configure-docker -q us-central1-docker.pkg.dev
-          gcloud auth configure-docker -q us-docker.pkg.dev
-          gcloud auth configure-docker -q asia-docker.pkg.dev
-          gcloud auth configure-docker -q europe-docker.pkg.dev
-        fi
+    - name: Login to GCAR us
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: us-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    - name: Login to GCAR asia
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: asia-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
+
+    - name: Login to GCAR europe
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        registry: europe-docker.pkg.dev
+        username: _json_key
+        password: '${{ inputs.gcp-json }}'
 
     - name: Build
       id: image-build
-      uses: docker/build-push-action@v4
+      uses: docker/build-push-action@v5
       with:
         load: true
         context: ${{ inputs.context }}
@@ -150,7 +166,7 @@ runs:
         command: ${{ steps.eval-snyk-command.outputs.SNYK_COMMAND }}
 
     - name: Push - ${{ inputs.push-image }}
-      uses: docker/build-push-action@v4
+      uses: docker/build-push-action@v5
       with:
         push: ${{ inputs.push-image }}
         context: ${{ inputs.context }}

.github/workflows/build-content.yaml

@@ -22,6 +22,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: matrix
     name: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}--${{ github.ref }}
+
+    permissions:
+      contents: read
+      packages: write
+
     concurrency:
       group: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}-${{ github.ref }}
       cancel-in-progress: true
@@ -84,6 +89,7 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -108,6 +114,7 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic
 
@@ -178,6 +185,7 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -202,5 +210,6 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic

.github/workflows/build-manual.yaml

@@ -59,6 +59,10 @@ jobs:
     runs-on: ubuntu-latest
     name: manual-build
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3
@@ -133,4 +137,5 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 

.github/workflows/build-prerelease.yaml

@@ -18,6 +18,10 @@ jobs:
     runs-on: ubuntu-latest
     name: build-${{ matrix.config.type }}-${{ matrix.config.product }}-${{ matrix.config.os }}
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -112,6 +116,7 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -135,5 +140,6 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic

.github/workflows/build-release.yaml

@@ -12,6 +12,11 @@ jobs:
   build-base:
     runs-on: ubuntu-latest
     name: product-base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}
+
+    permissions:
+      contents: read
+      packages: write
+
     concurrency:
       group: base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}-${{ github.ref }}
       cancel-in-progress: true
@@ -84,9 +89,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -107,9 +113,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic
 
@@ -118,6 +125,10 @@ jobs:
     runs-on: ubuntu-latest
     name: product-base-pro-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -190,9 +201,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -213,9 +225,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic
 
@@ -224,6 +237,10 @@ jobs:
     runs-on: ubuntu-latest
     name: build-${{ matrix.config.product }}-${{ matrix.config.os }}
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -311,9 +328,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # Begin retry logic
 
@@ -334,9 +352,10 @@ jobs:
           push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }}
           snyk-token: ${{ secrets.SNYK_TOKEN }}
           snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
-          ghcr-token: ${{ secrets.BUILD_PAT }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 
       # End retry logic
 
@@ -345,6 +364,10 @@ jobs:
     runs-on: ubuntu-latest
     name: build-workbench-for-google-cloud-workstations
 
+    permissions:
+      contents: read
+      packages: write
+
     concurrency:
       group: build-products-${{ matrix.config.product }}-${{ matrix.config.os }}-${{ github.ref }}
       cancel-in-progress: true