From a49504172923560cbafb34d24572d68c6d372cf7 Mon Sep 17 00:00:00 2001
From: Ringo De Smet
Date: Fri, 4 Oct 2024 17:55:37 +0200
Subject: [PATCH 1/2] Use the standard Github generated token with elevated permissions to publish
---
.../pkg/templates/bridged-provider/.github/workflows/main.yml | 2 ++
.../templates/bridged-provider/.github/workflows/prerelease.yml | 2 ++
.../templates/bridged-provider/.github/workflows/publish.yml | 2 +-
.../templates/bridged-provider/.github/workflows/release.yml | 2 ++
provider-ci/test-providers/acme/.github/workflows/main.yml | 2 ++
.../test-providers/acme/.github/workflows/prerelease.yml | 2 ++
provider-ci/test-providers/acme/.github/workflows/publish.yml | 2 +-
provider-ci/test-providers/acme/.github/workflows/release.yml | 2 ++
provider-ci/test-providers/aws/.github/workflows/master.yml | 2 ++
provider-ci/test-providers/aws/.github/workflows/prerelease.yml | 2 ++
provider-ci/test-providers/aws/.github/workflows/publish.yml | 2 +-
provider-ci/test-providers/aws/.github/workflows/release.yml | 2 ++
.../test-providers/cloudflare/.github/workflows/master.yml | 2 ++
.../test-providers/cloudflare/.github/workflows/prerelease.yml | 2 ++
.../test-providers/cloudflare/.github/workflows/publish.yml | 2 +-
.../test-providers/cloudflare/.github/workflows/release.yml | 2 ++
provider-ci/test-providers/docker/.github/workflows/master.yml | 2 ++
.../test-providers/docker/.github/workflows/prerelease.yml | 2 ++
provider-ci/test-providers/docker/.github/workflows/publish.yml | 2 +-
provider-ci/test-providers/docker/.github/workflows/release.yml | 2 ++
20 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
index 6d32eeca2..79d49ed8f 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
@@ -82,6 +82,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
index 2fecad9af..34d5eaea1 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
@@ -41,6 +41,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
index 636282c61..428e76548 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
@@ -93,7 +93,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish_sdk: name: publish_sdk
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
index 636a49155..0f660bb08 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
@@ -49,6 +49,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/main.yml b/provider-ci/test-providers/acme/.github/workflows/main.yml
index 0d0bb7f9d..751021e99 100644
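Review bot: Every scope not named in this job-level `permissions:` block drops to `none` for the job's GITHUB_TOKEN, so with only `contents: write` listed, any step reached through `publish` that needs another scope will fail with a 403 at release time. The job's steps (or the workflow it calls) lie outside the hunk, so this needs checking against the full job rather than being a certain defect. The grant is also undocumented in the workflow itself; a trailing comment such as `contents: write  # create the GitHub release and upload dist/*` would record why write access is required. The same applies to the identical hunks in the template's prerelease.yml and release.yml and in the main/master, prerelease and release workflows of the acme, aws, cloudflare and docker test providers.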
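Review bot: A release created with `${{ secrets.GITHUB_TOKEN }}` does not start other workflow runs, because events raised by that token are not dispatched to workflows (apart from `workflow_dispatch` and `repository_dispatch`); anything that relied on the bot token's release event would silently stop firing, so that is worth confirming before merge. The step now also depends entirely on the surrounding job having `contents: write`, and that job starts outside the hunk, so I cannot see whether publish.yml declares it. If publish.yml is invoked as a reusable workflow, stating `permissions:` with `contents: write` on this job as well keeps the requirement next to the token use, since a called workflow can only narrow what its caller grants. The same applies to the publish.yml hunks for acme, aws, cloudflare and docker.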
--- a/provider-ci/test-providers/acme/.github/workflows/main.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/main.yml
@@ -90,6 +90,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
index df0e21c45..8ea1d556a 100644
--- a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
@@ -53,6 +53,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/publish.yml b/provider-ci/test-providers/acme/.github/workflows/publish.yml
index ea1b024f9..f74b5851f 100644
--- a/provider-ci/test-providers/acme/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/publish.yml
@@ -88,7 +88,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish_sdk: name: publish_sdk
diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml
index 9cb4ba5b1..1d9d2bb95 100644
--- a/provider-ci/test-providers/acme/.github/workflows/release.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/release.yml
@@ -58,6 +58,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/master.yml b/provider-ci/test-providers/aws/.github/workflows/master.yml
index 994a8e621..6ae11b745 100644
--- a/provider-ci/test-providers/aws/.github/workflows/master.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/master.yml
@@ -91,6 +91,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
index 2953868d4..0f56e6690 100644
--- a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
@@ -52,6 +52,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/publish.yml b/provider-ci/test-providers/aws/.github/workflows/publish.yml
index d35d7b9cd..1b909fab9 100644
--- a/provider-ci/test-providers/aws/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/publish.yml
@@ -105,7 +105,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish_sdk: name: publish_sdk
diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml
index e702fe253..a29834e6e 100644
--- a/provider-ci/test-providers/aws/.github/workflows/release.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/release.yml
@@ -57,6 +57,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
index f1ad1e446..3c72f29e6 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
@@ -92,6 +92,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
index d065bee01..77d066b03 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
@@ -55,6 +55,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
index d50726b1f..3cc3d3d15 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
@@ -102,7 +102,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish_sdk: name: publish_sdk
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
index 5fecd7b51..932a11914 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
@@ -60,6 +60,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/master.yml b/provider-ci/test-providers/docker/.github/workflows/master.yml
index e6f30d1e3..d5a6681f6 100644
--- a/provider-ci/test-providers/docker/.github/workflows/master.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/master.yml
@@ -105,6 +105,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
index dac351df2..40fc22da4 100644
--- a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
@@ -68,6 +68,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/publish.yml b/provider-ci/test-providers/docker/.github/workflows/publish.yml
index 4556c032a..1a8eaf107 100644
--- a/provider-ci/test-providers/docker/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/publish.yml
@@ -115,7 +115,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish_sdk: name: publish_sdk
diff --git a/provider-ci/test-providers/docker/.github/workflows/release.yml b/provider-ci/test-providers/docker/.github/workflows/release.yml
index e8fdff91e..6328f0c59 100644
--- a/provider-ci/test-providers/docker/.github/workflows/release.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/release.yml
@@ -73,6 +73,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
From 0d3e4792f80e8f3589a616383ccaf0d23ab0d787 Mon Sep 17 00:00:00 2001
From: Ringo De Smet
Date: Tue, 15 Oct 2024 13:23:23 +0200
Subject: [PATCH 2/2] Required to clean up release labels after publish
---
.../pkg/templates/bridged-provider/.github/workflows/release.yml | 1 +
provider-ci/test-providers/acme/.github/workflows/release.yml | 1 +
provider-ci/test-providers/aws/.github/workflows/release.yml | 1 +
.../test-providers/cloudflare/.github/workflows/release.yml | 1 +
provider-ci/test-providers/docker/.github/workflows/release.yml | 1 +
5 files changed, 5 insertions(+)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
index 0f660bb08..cbe2c632e 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
@@ -51,6 +51,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml
index 1d9d2bb95..eb1327d31 100644
--- a/provider-ci/test-providers/acme/.github/workflows/release.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/release.yml
@@ -60,6 +60,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml
index a29834e6e..39ad9db5a 100644
--- a/provider-ci/test-providers/aws/.github/workflows/release.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/release.yml
@@ -59,6 +59,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
index 932a11914..f76a2992c 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write needs: - prerequisites - build_provider
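Review bot: `pull-requests: write` is granted to the `publish` job in release.yml only, while the `publish` jobs in main/master.yml and prerelease.yml keep `contents: write` alone from PATCH 1/2; if the label clean-up step is reached from those workflows too, it will be denied there because unlisted scopes are `none`. The clean-up step itself is outside the hunk, so this is something to verify rather than a confirmed defect. The reason for the extra scope lives only in the commit subject; a trailing comment such as `pull-requests: write  # remove release labels after publish` keeps the grant reviewable in the workflow. The same applies to the release.yml hunks for acme, aws, cloudflare and docker.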
diff --git a/provider-ci/test-providers/docker/.github/workflows/release.yml b/provider-ci/test-providers/docker/.github/workflows/release.yml
index 6328f0c59..014f734c5 100644
--- a/provider-ci/test-providers/docker/.github/workflows/release.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/release.yml
@@ -75,6 +75,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write needs: - prerequisites - build_provider