From 30a07b8ab1bd87d63cf74ff9d4a48aced0603240 Mon Sep 17 00:00:00 2001
From: Matt Trachier
Date: Wed, 20 Aug 2025 22:01:18 -0500
Subject: [PATCH] fix: try setting permissions at job level (#59)
* fix: try setting permissions at job level
* fix: use release label
* fix: only search open issues
* fix: link backport pr to sub issue
---------
Signed-off-by: matttrach
(cherry picked from commit aa517700c1772c027df28ed603b8f9612093a1ee)
---
 .github/workflows/backport-prs.yml | 7 ++++---
 .github/workflows/main-issue.yml | 2 +-
 .github/workflows/release.yml | 32 +++++++++++++++++-------------
 3 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml
index 0c211fc..d4936e5 100644
--- a/.github/workflows/backport-prs.yml
+++ b/.github/workflows/backport-prs.yml
@@ -44,7 +44,7 @@ jobs:
 // https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests
 core.info(`Searching for 'internal/main' issue linked to PR #${pr.number}`);
 const { data: searchResults } = await github.request('GET /search/issues', {
- q: `is:issue label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`,
+ q: `is:issue state:open label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`,
 advanced_search: true,
 headers: {
 'X-GitHub-Api-Version': '2022-11-28'
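Review bot: The new `state:open` qualifier narrows the lookup with no comment recording why closed `internal/main` issues are excluded, so the next maintainer will read it as incidental; add `// state:open: only the currently open internal/main issue should receive the backport link` above the request. `in:body #${pr.number}` is a free-text match, so an issue that merely mentions the PR number in its body can be returned alongside, or instead of, the intended tracking issue; the code that consumes `searchResults` is outside this hunk and presumably should check `total_count` and fail loudly on zero or multiple hits rather than taking the first item. The enclosing script step starts and ends outside the hunk.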
@@ -99,8 +99,9 @@ jobs:
 head: newBranchName,
 base: targetBranch,
 body: "This pull request cherry-picks the changes from #" + pr.number + " into " + targetBranch + "\n" +
- "WARNING!: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" +
- "Please make sure to carefully inspect this PR so that you don't revert anything!",
+ "Addresses #" + subIssueNumber + "for #" + mainIssue.number + " \n\n" +
+ "**WARNING!**: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" +
+ "Please make sure to carefully inspect this PR so that you don't accidentally revert anything!",
 assignees: ['terraform-maintainers']
 });
 }
diff --git a/.github/workflows/main-issue.yml b/.github/workflows/main-issue.yml
index 6e7eb40..5ca0bd9 100644
--- a/.github/workflows/main-issue.yml
+++ b/.github/workflows/main-issue.yml
@@ -39,7 +39,7 @@ jobs:
 labels: newLabels,
 assignees: ['matttrach']
 });
- if (versionLabel) {
+ if (releaseLabel) {
 // if version label detected, then add appropriate sub-issues
 const parentIssue = newIssue.data;
 const parentIssueTitle = parentIssue.title;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 53c293c..ade2da1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
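Review bot: The added body line is missing the space before `for`, so the rendered PR body reads like `Addresses #12for #34` (constructed example); change it to `"Addresses #" + subIssueNumber + " for #" + mainIssue.number + "\n\n" +`, which also drops the stray space before the newline. `Addresses` is not one of GitHub's closing keywords, so if the commit's goal of linking the backport PR to the sub-issue relies on the Development sidebar or on auto-close at merge, `Closes #` would be needed instead; the hunk does not show which behaviour is wanted. `subIssueNumber` and `mainIssue` are defined outside the hunk, as is the enclosing function.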
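Review bot: In main-issue.yml the condition now tests `releaseLabel`, but the comment on the following context line still says `// if version label detected, then add appropriate sub-issues`; update it to `// if release label detected, then add appropriate sub-issues` so it matches the variable it describes. The declaration of `releaseLabel` and any remaining `versionLabel` references are outside the hunk, so the rename can only be confirmed complete there.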
@@ -6,25 +6,26 @@ on:
 - release/v0
 - release/v1
 
-permissions:
- contents: write
- id-token: write
- issues: write
- pull-requests: write
- actions: read
-
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ issues: write
+ pull-requests: write
+ actions: read
 outputs:
 release_pr: ${{ steps.release-please.outputs.pr }}
 steps:
 - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0 https://github.com/googleapis/release-please-action/commits/main/
+ name: release-please
 id: release-please
 with:
 release-type: go
 # These run only if a release PR was opened or modified, so not when the PR is merged
 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
+ name: wait-for-e2e
 if: steps.release-please.outputs.pr
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
@@ -61,6 +62,7 @@ jobs:
 shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: make testacc
 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
+ name: report-tests-passed
 if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
@@ -72,6 +74,7 @@ jobs:
 body: "Tests Passed!"
 })
 - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main
+ name: report-tests-failed
 if: steps.release-please.outputs.pr && always() && ((steps.run-unit-tests.conclusion == 'failure') || (steps.run-acc-tests.conclusion == 'failure'))
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
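Review bot: Moving the permissions block under `release:` leaves the workflow with no top-level `permissions`, so any other job in this file (none is visible in the hunk) now inherits the repository's default `GITHUB_TOKEN` scope, which can be read-write depending on repository settings. Keep the job-level block and add a top-level `permissions: {}` (or `contents: read`) so the default is explicit and least-privilege; the job-level block still overrides it for `release`. The new `name:` keys are placed after `uses:`, whereas the other steps in this hunk put `name:` first on the step, so ordering them the same way would read more consistently. The `release` job continues past the hunk.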
@@ -83,14 +86,15 @@ jobs:
 body: "Tests Failed!"
 })
 - name: retrieve GPG Credentials
+ if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
 uses: rancher-eio/read-vault-secrets@main
 with:
 secrets: |
- secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE;
- secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
- secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
+ secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
+ secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
+ secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
 - name: import_gpg_key
- if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
+ if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
 env:
 GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
 GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
@@ -110,7 +114,7 @@ jobs:
 echo "Importing gpg key"
 echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
 - name: Run GoReleaser
- if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')
+ if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success')
 uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
 with:
 args: release --snapshot --clean
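Review bot: The reworked `if:` on `retrieve GPG Credentials`, `import_gpg_key` and, in the `@@ -110` hunk, `Run GoReleaser` drops the `(steps.run-acc-tests.conclusion == 'success')` clause, so the signing passphrase and private key are now fetched from Vault and imported into the runner keyring even when the acceptance tests failed, and neither the commit message nor the hunk says why. If the acceptance suite is deliberately non-blocking for the snapshot build, record that next to the first gated step, e.g. `# acceptance-test failures do not block the snapshot build; unit tests must still pass`, otherwise restore the clause on all three steps. The `secrets:` reformatting (space before `;`, no terminator on the last entry) matches the block changed in the `@@ -134` hunk and needs no further action.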
@@ -134,8 +138,8 @@ jobs:
 with:
 secrets: |
 secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
- secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID;
- secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY;
+ secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
+ secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
 - name: import_gpg_key
 if: steps.release-please.outputs.version
 env: