From a3b3e1e2b76a8a226b587a28bded7bfb066012ff Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 31 Oct 2023 10:05:41 -0700
Subject: [PATCH 1/5] Grant action permission
---
 .github/workflows/build-release.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 61e87b86..dac27889 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -12,6 +12,10 @@ jobs:
 build-base:
 runs-on: ubuntu-latest
 name: product-base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}
+
+ permissions:
+ packages: write
+
 concurrency:
 group: base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}-${{ github.ref }}
 cancel-in-progress: true
@@ -81,7 +85,8 @@ jobs:
 product: product-base
 image-tags: ${{ steps.get-tags.outputs.IMAGE_TAGS }}
 build-args: ${{ steps.get-build-args.outputs.BUILD_ARGS }}
- push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
+ #push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
+ push-image: true
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
 ghcr-token: ${{ secrets.BUILD_PAT }}
From 3fd3e79701e6bc3a31c69e6e06b8e56ae2e1259a Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 31 Oct 2023 11:45:22 -0700
Subject: [PATCH 2/5] Try new action update
---
 .../actions/build-test-scan-push/action.yaml | 44 +++++++++++++------
 .github/workflows/build-release.yaml | 12 ++---
 2 files changed, 36 insertions(+), 20 deletions(-)
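Review bot: `push-image: true` on the new side of the second hunk (`@@ -81,7 +85,8 @@`) drops the branch/schedule gate, so the `product-base` job publishes images on every run in which the registry secrets are present, not only on main, dev and the Monday schedule, and the previous condition is left behind as a commented-out `#push-image:` line instead of being removed. If this is a temporary toggle to exercise the new `packages: write` grant, it should not land as-is; PATCH 4/5 of this series does restore the conditional, but the intermediate commits push unconditionally. The job-level `permissions:` block in the first hunk also narrows every unlisted scope, including `contents`, to none, which PATCH 5/5 later corrects with `contents: read`; granting both scopes in this commit would keep each step of the series self-consistent.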
diff --git a/.github/actions/build-test-scan-push/action.yaml b/.github/actions/build-test-scan-push/action.yaml
index 6e120ff2..73dfc462 100644
--- a/.github/actions/build-test-scan-push/action.yaml
+++ b/.github/actions/build-test-scan-push/action.yaml
@@ -63,33 +63,49 @@ runs:
 sudo rm -rf /usr/share/dotnet # will release about 20GB
 - name: Login to ghcr.io
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ inputs.ghcr-token }}
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ inputs.dockerhub-username }}
 password: ${{ inputs.dockerhub-token }}
- - name: Authenticate to Google Cloud
+ - name: Login to GCAR us-central1
 continue-on-error: true
- uses: google-github-actions/auth@v1
+ uses: docker/login-action@v3
 with:
- credentials_json: '${{ inputs.gcp-json }}'
+ registry: us-central1-docker.pkg.dev
+ username: _json_key
+ password: '${{ inputs.gcp-json }}'
- - name: Authenticate GCAR
- shell: bash
- run: |
- if [[ "${{ inputs.gcp-json != '' }}" == "true" ]]; then
- gcloud auth configure-docker -q us-central1-docker.pkg.dev
- gcloud auth configure-docker -q us-docker.pkg.dev
- gcloud auth configure-docker -q asia-docker.pkg.dev
- gcloud auth configure-docker -q europe-docker.pkg.dev
- fi
+ - name: Login to GCAR us
+ continue-on-error: true
+ uses: docker/login-action@v3
+ with:
+ registry: us-docker.pkg.dev
+ username: _json_key
+ password: '${{ inputs.gcp-json }}'
+
+ - name: Login to GCAR asia
+ continue-on-error: true
+ uses: docker/login-action@v3
+ with:
+ registry: asia-docker.pkg.dev
+ username: _json_key
+ password: '${{ inputs.gcp-json }}'
+
+ - name: Login to GCAR europe
+ continue-on-error: true
+ uses: docker/login-action@v3
+ with:
+ registry: europe-docker.pkg.dev
+ username: _json_key
+ password: '${{ inputs.gcp-json }}'
 - name: Build
 id: image-build
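Review bot: The four `Login to GCAR …` steps added in this hunk carry `continue-on-error: true`, which hides every login failure, including a revoked or rotated key, and they run even when `gcp-json` is empty, whereas the removed `Authenticate GCAR` step only touched the registries inside `if [[ "${{ inputs.gcp-json != '' }}" == "true" ]]`. Gate each step on the input instead of swallowing errors: replace `continue-on-error: true` with `if: ${{ inputs.gcp-json != '' }}` on all four steps, so a job without the credential skips the logins and a job with it fails at login rather than at the later `Push` step. The `password` is the raw service-account JSON key handed to docker/login-action; the action masks it in logs, but it remains a long-lived credential now presented to four registry endpoints per run, so keeping it on the narrowest Artifact Registry role and rotating it is the compensating control. The enclosing `runs.steps` sequence starts before and continues after this hunk.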
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index dac27889..1b3ee176 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -89,7 +89,7 @@ jobs:
 push-image: true
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -112,7 +112,7 @@ jobs:
 push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -195,7 +195,7 @@ jobs:
 push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -218,7 +218,7 @@ jobs:
 push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
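Review bot: Switching `ghcr-token` from `secrets.BUILD_PAT` to `secrets.GITHUB_TOKEN` in these four hunks (and in the `@@ -316` and `@@ -339` hunks that follow) only works where the job holds `permissions: packages: write`; at this commit only `build-base` declares that block, so the jobs at lines 112, 195, 218, 316 and 339 fall back to the repository's default token permissions, which may be read-only depending on the repository setting. PATCH 5/5 adds the block to the remaining jobs, but it belongs in the same commit as the token switch so each commit in the series is independently green. One constraint the series does not address: `GITHUB_TOKEN` can only push to a GHCR package that is linked to this repository, so a package first published with `BUILD_PAT` needs this repository granted write access in the package's Actions access settings before the first push succeeds. A comment at the first `ghcr-token:` line such as `# GITHUB_TOKEN needs packages: write on the job and the target package linked to this repo` would record that dependency for the next maintainer.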
@@ -316,7 +316,7 @@ jobs:
 push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -339,7 +339,7 @@ jobs:
 push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
- ghcr-token: ${{ secrets.BUILD_PAT }}
+ ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
From 5cfac6a3e5461d06db261f33cfa40e8913140998 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 31 Oct 2023 12:43:03 -0700
Subject: [PATCH 3/5] Upgrade build action
---
 .github/actions/build-test-scan-push/action.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/build-test-scan-push/action.yaml b/.github/actions/build-test-scan-push/action.yaml
index 73dfc462..ebd4b1fe 100644
--- a/.github/actions/build-test-scan-push/action.yaml
+++ b/.github/actions/build-test-scan-push/action.yaml
@@ -109,7 +109,7 @@ runs:
 - name: Build
 id: image-build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 load: true
 context: ${{ inputs.context }}
@@ -166,7 +166,7 @@ runs:
 command: ${{ steps.eval-snyk-command.outputs.SNYK_COMMAND }}
 - name: Push - ${{ inputs.push-image }}
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 push: ${{ inputs.push-image }}
 context: ${{ inputs.context }}
From fd2ba6e0c1681c3bb4105e37ed0df997d4ac13f1 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 31 Oct 2023 12:45:18 -0700
Subject: [PATCH 4/5] Append gcp creds to all builds to silence errors
---
 .github/workflows/build-content.yaml | 4 ++++
 .github/workflows/build-manual.yaml | 1 +
 .github/workflows/build-prerelease.yaml | 2 ++
 .github/workflows/build-release.yaml | 9 +++++++--
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-content.yaml b/.github/workflows/build-content.yaml
index bd841db1..3a6fc0b8 100644
--- a/.github/workflows/build-content.yaml
+++ b/.github/workflows/build-content.yaml
@@ -84,6 +84,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -108,6 +109,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
@@ -178,6 +180,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -202,5 +205,6 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
diff --git a/.github/workflows/build-manual.yaml b/.github/workflows/build-manual.yaml
index 8fa68cc7..3868dcf7 100644
--- a/.github/workflows/build-manual.yaml
+++ b/.github/workflows/build-manual.yaml
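Review bot: Passing `gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'` to every build job in this file (and to the jobs in `build-manual.yaml`, `build-prerelease.yaml` and `build-release.yaml` on the following lines) hands the Artifact Registry service-account key to jobs that never received it before, some of which only push when their `push-image` condition is true, purely so the unconditional `Login to GCAR` steps stop reporting failures, as the subject line says. The narrower fix sits in the composite action: make those login steps conditional on `inputs.gcp-json != ''` so a job that does not push to GCAR neither needs nor holds the key, and keep the secret out of workflows that do not publish there. If any of these workflows also runs on `pull_request` from forks, secrets are empty there and the logins still fail, masked by `continue-on-error`, so the error this commit silences is not fully gone. Each job repeats the same `with:` map between `# Begin retry logic` and `# End retry logic`, so this input, like the others, now has to be kept in sync in two places per job.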
@@ -133,4 +133,5 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
diff --git a/.github/workflows/build-prerelease.yaml b/.github/workflows/build-prerelease.yaml
index dc828c76..7c2787c0 100644
--- a/.github/workflows/build-prerelease.yaml
+++ b/.github/workflows/build-prerelease.yaml
@@ -112,6 +112,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -135,5 +136,6 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 1b3ee176..3eba6f4f 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -85,13 +85,13 @@ jobs:
 product: product-base
 image-tags: ${{ steps.get-tags.outputs.IMAGE_TAGS }}
 build-args: ${{ steps.get-build-args.outputs.BUILD_ARGS }}
- #push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
- push-image: true
+ push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }}
 snyk-token: ${{ secrets.SNYK_TOKEN }}
 snyk-org-id: ${{ secrets.SNYK_ORG_ID }}
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -115,6 +115,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
@@ -198,6 +199,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -221,6 +223,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
@@ -319,6 +322,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # Begin retry logic
@@ -342,6 +346,7 @@ jobs:
 ghcr-token: ${{ secrets.GITHUB_TOKEN }}
 dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
 dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}'
 # End retry logic
From 85d52c2d73dde247969a78e3261c78282bd1153e Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 31 Oct 2023 12:49:13 -0700
Subject: [PATCH 5/5] Explicitly define action permissions
---
 .github/workflows/build-content.yaml | 5 +++++
 .github/workflows/build-manual.yaml | 4 ++++
 .github/workflows/build-prerelease.yaml | 4 ++++
 .github/workflows/build-release.yaml | 13 +++++++++++++
 4 files changed, 26 insertions(+)
diff --git a/.github/workflows/build-content.yaml b/.github/workflows/build-content.yaml
index 3a6fc0b8..4b7db4e1 100644
--- a/.github/workflows/build-content.yaml
+++ b/.github/workflows/build-content.yaml
@@ -22,6 +22,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: matrix
 name: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}--${{ github.ref }}
+
+ permissions:
+ contents: read
+ packages: write
+
 concurrency:
 group: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/build-manual.yaml b/.github/workflows/build-manual.yaml
index 3868dcf7..5525f677 100644
--- a/.github/workflows/build-manual.yaml
+++ b/.github/workflows/build-manual.yaml
@@ -59,6 +59,10 @@ jobs:
 runs-on: ubuntu-latest
 name: manual-build
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - name: Check Out Repo
 uses: actions/checkout@v3
diff --git a/.github/workflows/build-prerelease.yaml b/.github/workflows/build-prerelease.yaml
index 7c2787c0..fed12d32 100644
--- a/.github/workflows/build-prerelease.yaml
+++ b/.github/workflows/build-prerelease.yaml
@@ -18,6 +18,10 @@ jobs:
 runs-on: ubuntu-latest
 name: build-${{ matrix.config.type }}-${{ matrix.config.product }}-${{ matrix.config.os }}
+ permissions:
+ contents: read
+ packages: write
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 3eba6f4f..d48dbc99 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -14,6 +14,7 @@ jobs:
 name: product-base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}
 permissions:
+ contents: read
 packages: write
 concurrency:
@@ -124,6 +125,10 @@ jobs:
 runs-on: ubuntu-latest
 name: product-base-pro-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}
+ permissions:
+ contents: read
+ packages: write
+
 strategy:
 fail-fast: false
 matrix:
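Review bot: The job-level `permissions:` blocks added here (and in the `build-manual.yaml`, `build-prerelease.yaml` and `build-release.yaml` hunks on this line and the next) leave every job that is not listed, such as the `matrix` job this hunk's `needs: matrix` depends on, on the repository default, because no workflow-level `permissions:` is set; add a top-level `permissions:` with `contents: read` in each workflow so unlisted jobs are read-only by default and `packages: write` is an explicit per-job grant. The blocks themselves are the right shape for a job that checks out the repo and pushes to ghcr.io with `GITHUB_TOKEN`, and `actions/checkout@v3` needs nothing beyond `contents: read`. A one-line comment above each block, such as `# packages: write lets GITHUB_TOKEN push to ghcr.io; everything else stays at none`, would record why the scope is there and discourage widening it later. On `pull_request` runs from forks the token is read-only regardless of these blocks, so a push attempt there still fails at the registry rather than being prevented here.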
@@ -232,6 +237,10 @@ jobs:
 runs-on: ubuntu-latest
 name: build-${{ matrix.config.product }}-${{ matrix.config.os }}
+ permissions:
+ contents: read
+ packages: write
+
 strategy:
 fail-fast: false
 matrix:
@@ -355,6 +364,10 @@ jobs:
 runs-on: ubuntu-latest
 name: build-workbench-for-google-cloud-workstations
+ permissions:
+ contents: read
+ packages: write
+
 concurrency:
 group: build-products-${{ matrix.config.product }}-${{ matrix.config.os }}-${{ github.ref }}
 cancel-in-progress: true