ci: update workflows and github token permissions #579

Merged
merged 1 commit into from
Jun 19, 2023

tbouffard
Member

@tbouffard tbouffard commented Jun 19, 2023

This update lets us reduce the GITHUB_TOKEN default permissions to READ:

  • publish to production: no need to update the commit status with deployment status information. In addition, the GH Token didn't have the permission to update the commit status. Some errors were displayed in the GH Actions logs.
  • update theme bundle: give write permissions to create the PR

Covers #497

Notes

This PR applies to this repository the same configuration as we already did for documentation content repositories: see #443

Documentation of the actions that miss some permissions

Previous error with the netlify actions

The error was logged but didn't fail the build

```
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/nwtgck/actions-netlify/v2.0/dist/index.js:10385:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/bonitasoft/bonita-documentation-site/statuses/88a43d0b02af8bab6f942a20792f39bd45b57c8e',
    status: 403,
    …
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/commits/statuses#create-a-commit-status'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/bonitasoft/bonita-documentation-site/statuses/88a43d0b02af8bab6f942a20792f39bd45b57c8e',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.6.0 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"context":"Netlify","description":"Netlify deployment","state":"success","target_url":"https://documentation.bonitasoft.com/"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
```
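
A workflow sketch of the permission model this PR describes, added here as an example and not taken from the repository. The job names, the `update-bundle.sh` script, the `peter-evans/create-pull-request` step and the `publish-dir` value are assumptions, and turning off `enable-commit-status` is one way to stop the failing status call, not necessarily the change made in this PR.

```yaml
# Constructed workflow for illustration; not a file from this repository.
name: least-privilege-example
on:
  workflow_dispatch:

# Workflow-level default: every job gets a read-only GITHUB_TOKEN.
# Any scope not listed here is set to "none".
permissions:
  contents: read

jobs:
  publish:
    # Inherits contents: read. With this token, the POST to
    # /repos/{owner}/{repo}/statuses/{sha} is rejected with
    # 403 "Resource not accessible by integration", because creating
    # a commit status needs statuses: write.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: nwtgck/actions-netlify@v2.0
        with:
          publish-dir: build/site            # assumed output directory
          production-deploy: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Stop the action from calling the commit status API instead of
          # widening the token to statuses: write.
          enable-commit-status: false
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}

  update-bundle:
    # A job-level block replaces the workflow default for this job only.
    permissions:
      contents: write        # push the branch that carries the change
      pull-requests: write   # open the pull request
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./update-bundle.sh              # hypothetical update script
      - uses: peter-evans/create-pull-request@v5   # assumed PR-creation action
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Opening a pull request with the GITHUB_TOKEN also requires the repository or organization setting "Allow GitHub Actions to create and approve pull requests" to be enabled.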


sonarcloud bot commented Jun 19, 2023

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 0 Code Smells (rating A)
  • No Coverage information
  • No Duplication information

@benjaminParisel benjaminParisel merged commit 37398e6 into master Jun 19, 2023
5 checks passed
@benjaminParisel benjaminParisel deleted the ci/gh_wf_permissions branch June 19, 2023 12:56
benjaminParisel pushed a commit to bonitasoft/bonita-documentation-theme that referenced this pull request Jun 19, 2023
- create-release.yml: add a comment to explain why the write permission
is set
- create-tag.yml: remove permission declaration as we use a PAT to
create the tag
- publish-online-example.yml: push to the `gh-pages` branch

### Notes

This PR applies to this repository the same configuration as we already
did for documentation content repositories: see
bonitasoft/bonita-documentation-site#443.
See also
bonitasoft/bonita-documentation-site#579

Documentation of the actions whose permissions changed
- https://github.com/anothrNick/github-tag-action
- https://github.com/ncipollo/release-action
- https://github.com/peaceiris/actions-gh-pages