ci(permissions): set explicit write permission requests with restrictive GITHUB_TOKEN

[tthvo]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed all commits using a GPG signature

To recreate commits with GPG signature git fetch upstream && git rebase --force --gpg-sign upstream/main

---

Related to #1599

Description of the change:

Explicitly specify package:write (for push) permission. This would also mean other permissions that are listed for this job are denied.

We should implement strict permission requests in #1634 after taking in consideration of third-party actions. Also, some scope might enclose other scopes.

[tthvo]

I think forks are using permissive mode on the GITHUB_TOKEN so we was not able to catch this. This is what I am seeing my default on my fork.

As for uploading/downloading artifacts, it does not look like an permission is needed. Perhaps, its something actions are allowed to do by default.

[tthvo]

Opps I spoke too soon :(( From this run, seems like we are also using permissive mode and the token already has packages:write permission.

Seems like we need some more work to migrate from PAT to GITHUB_TOKEN?

https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token

[tthvo]

If the above is true, should we also change the default scope of GITHUB_TOKEN to ready-only? If not, I think this PR can be used to specify permissions and limit the token scopes.

[andrewazores]

Okay, I updated the package settings so that the Actions runners within this source repo should also have access to the corresponding container registry repo. The token should be read-only unless it's being used specifically by an action/workflow step that actually requires write access to something (like the final push step).

[tthvo]

Sounds good! I will do some more research into actions and figure out the permissions. Marked as draft.

[tthvo]

Sample runs: tthvo#36
Actions: https://github.com/tthvo/cryostat/actions/workflows/release-drafter.yml

No changes to push event except release drafter. All pull request workflows seem to work fine.

I also remove autolabel option for release-drafter since it does not seem to work (perhaps because of the custom .github/labeler.yaml). Tho, we just have to add it ourselves as always.

Some workflows:

• .github/workflows/pr-labeled.yml
• .github/workflows/semantic-pr.yml
• .github/workflows/linked-issue.yml)

need to run pull_request_target in order to comment on the PR.

After this, we can select Read Only option as seen here: https://user-images.githubusercontent.com/68053619/263415796-2bd41f11-cc3d-418c-9f11-2fe37bff890b.png

[mergify]

Pull Request blocked. web-client submodule updates are performed automatically by CI when that repository is updated. Please revert or drop all changes to the web-client submodule from this PR and perform any required frontend work by opening and merging a PR against cryostat-web.

[mergify]

Pull Request blocked. web-client submodule updates are performed automatically by CI when that repository is updated. Please revert or drop all changes to the web-client submodule from this PR and perform any required frontend work by opening and merging a PR against cryostat-web.

[tthvo]

Image cleanup is silently failing due "Not found" error (tho, already added packages:write). Investigating...

[tthvo]

It failed silently while trying to find all images that match the expression (i.e. 404). Tried setting all permissions to write here but the action cannot find the images: https://github.com/tthvo/cryostat/actions/runs/6032732709/job/16368343556

I believe if the credentials are invalid, we will see Error ignored - HttpError: Bad credentials: https://github.com/aali309/cryostat-operator/actions/runs/6004228245

There are issues:

• Support user owner  bots-house/ghcr-delete-image-action#5
• Getting Error: Package not found. with GITHUB_TOKEN bots-house/ghcr-delete-image-action#105. Someone said they were able to get GITHUB_TOKEN to work. I think the repo has to be added as admin in packages too.

So, I can't verify the use of GITHUB_TOKEN on my fork. Lets try it first on main and if it failed, we can fall back to PAT for this action @andrewazores ?

[tthvo]

This run uses a PAT that has packages:delete but stills failed (i.e. passed but 404 ignored) on my fork: https://github.com/tthvo/cryostat-operator/actions/runs/6033226424/job/16369823264. Maybe its really only supporting organization packages?

stale

[andrewazores]

We can try merging this to main and see how it behaves. Worst case scenario is we just revert it.

[andrewazores]

Needs a rebase first.

[tthvo]

Sounds good!!

[tthvo]

Looks good here! https://github.com/cryostatio/cryostat/actions/runs/6041751746/job/16395384777