This repository was archived by the owner on Feb 13, 2025. It is now read-only.

Commit 3bd4633

authored
fix: fix GitHub release failed with status: 403 (#282)
1 parent c4aaa9d commit 3bd4633


4 files changed

+43
-16
lines changed


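--- a/.github/workflows/pull-request-cleanup-manual.yml
+++ b/.github/workflows/pull-request-cleanup-manual.yml
@@ -14,6 +14,10 @@ concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: false
 
+permissions:
+contents: write
+packages: write
+
 env:
 PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
 PULL_REQUEST_BRANCH: ${{ github.head_ref }}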
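Review bot: The new workflow-level `permissions:` block gives `contents: write` to every job in this workflow, and nothing visible in the hunk shows a step that needs it. The identical block is added to `pull-request-cleanup.yml`, where the only job shown is `cleanup-ghcr`; going by its name it removes container packages, which would need `packages: write` alone. If no step pushes commits, tags or releases, narrow the line to `contents: read` and move the block under the job, so a job added later does not inherit write access. The job bodies are outside both hunks, so check the steps before narrowing.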

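--- a/.github/workflows/pull-request-cleanup.yml
+++ b/.github/workflows/pull-request-cleanup.yml
@@ -16,6 +16,10 @@ env:
 PACKAGE_TYPE: container
 USERNAME: ${{ github.repository_owner }}
 
+permissions:
+contents: write
+packages: write
+
 jobs:
 cleanup-ghcr:
 runs-on: ubuntu-latest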

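--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -36,6 +36,7 @@ jobs:
 deploy-sign-docker-image: ${{ fromJson(steps.config.outputs.config).deploy.sign-docker-image }}
 deploy-pre-release-matrix: ${{ steps.pre-release-matrix.outputs.matrix }}
 deploy-release-matrix: ${{ steps.release-matrix.outputs.matrix }}
+is-forked: ${{ github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }}
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -149,6 +150,8 @@ jobs:
 
 release:
 runs-on: ubuntu-latest
+permissions:
+contents: write
 needs:
 - config
 - build
@@ -175,6 +178,7 @@ jobs:
 run: mv application.tar.gz ${{ github.event.repository.name }}.tar.gz
 
 - name: Create release
+if: ${{ env.FORKED == 'false' }}
 uses: softprops/action-gh-release@v1
 id: create-release
 with:
@@ -190,6 +194,10 @@ jobs:
 
 deploy:
 name: deploy-[${{ matrix.name }}]
+permissions:
+contents: write
+packages: write
+pull-requests: write
 runs-on: ubuntu-latest
 strategy:
 max-parallel: 1
@@ -224,28 +232,33 @@ jobs:
 make oci.pc download-rpms
 
 - name: Build image
+id: docker-meta
 env:
 VERSION: "${{ needs.release.outputs.version }}"
-run: make ${{ matrix.name }}-image
+run: |
+make ${{ matrix.name }}-image
+TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//)
+echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT
+echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT
 
 - name: Log in to registry
+if: ${{ env.FORKED == 'false' }}
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u $ --password-stdin
 
 - name: Push image
-id: docker-meta
+if: ${{ env.FORKED == 'false' }}
 env:
 VERSION: "${{ needs.release.outputs.version }}"
 run: |
 make push-${{ matrix.name }}-image
-TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//)
-echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT
-echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT
 
 - name: Format current time
+if: ${{ env.FORKED == 'false' }}
 id: time_now
 run: echo "time_now_formatted=$(date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT"
 
 - name: Find releases comment
+if: ${{ env.FORKED == 'false' }}
 uses: peter-evans/find-comment@v2
 id: find_comment
 with:
@@ -255,7 +268,7 @@ jobs:
 
 - name: Create releases comment
 uses: peter-evans/create-or-update-comment@v2
-if: ${{ steps.find_comment.outputs.comment-id == '' }}
+if: ${{ steps.find_comment.outputs.comment-id == '' && env.FORKED == 'false' }}
 with:
 comment-id: ${{ steps.find_comment.outputs.comment-id }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -269,7 +282,7 @@ jobs:
 
 - name: Append releases comment
 uses: peter-evans/create-or-update-comment@v2
-if: ${{ steps.find_comment.outputs.comment-id != '' }}
+if: ${{ steps.find_comment.outputs.comment-id != '' && env.FORKED == 'false' }}
 with:
 comment-id: ${{ steps.find_comment.outputs.comment-id }}
 issue-number: ${{ github.event.pull_request.number }}
@@ -278,16 +291,16 @@ jobs:
 | ${{ steps.time_now.outputs.time_now_formatted }} | **${{ steps.docker-meta.outputs.image-version }}** |
 
 - name: Setup cosign
-if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
+if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }}
 uses: sigstore/cosign-installer@main
 
 - name: Write signing key to disk (only needed for `cosign sign --key`)
-if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
+if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }}
 continue-on-error: true
 run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
 
 - name: Sign the published Docker image
-if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
+if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }}
 continue-on-error: true
 env:
 COSIGN_PASSWORD: ""
@@ -314,7 +327,12 @@ jobs:
 
 comments:
 runs-on: ubuntu-latest
+if: ${{ needs.config.outputs.is-forked == 'false' }}
+permissions:
+contents: write
+pull-requests: write
 needs:
+- config
 - release
 steps:
 - name: Format current time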
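Review bot: The fork gate is read from two different places: the steps in `release` and `deploy` test `env.FORKED == 'false'`, while the `comments` job tests the new `needs.config.outputs.is-forked`, and no definition of `FORKED` appears in any hunk of this file. If `FORKED` is unset, the comparison is false and every gated step is skipped, for same-repository pull requests too. Deriving it from the one output would avoid that, for example `FORKED: ${{ needs.config.outputs.is-forked }}` in each job's `env:`; the `deploy` job's `needs:` list is outside the hunks, so it may have to add `config`. Separately, the new job-level write scopes are available to every step in their job, including `sigstore/cosign-installer@main` and the tag-pinned `peter-evans/*@v2` actions in `deploy` and `softprops/action-gh-release@v1` in `release`. Pinning each `uses:` to a full commit SHA (`uses: sigstore/cosign-installer@<full-commit-sha>`) keeps a moved ref from running with that access.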

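--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ env:
 
 jobs:
 config:
-if: github.triggering_actor != 'dependabot[bot]'
+if: github.triggering_actor != 'dependabot[bot]' && github.event.pull_request.merged == true
 runs-on: ubuntu-latest
 outputs:
 go-version: ${{ fromJson(steps.config.outputs.config).go-version }}
@@ -206,22 +206,23 @@ jobs:
 make oci.pc download-rpms
 
 - name: Build image
+id: docker-meta
 env:
 VERSION: "${{ needs.release.outputs.version }}"
-run: make ${{ matrix.name }}-image
+run: |
+make ${{ matrix.name }}-image
+TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//)
+echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT
+echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT
 
 - name: Log in to registry
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u $ --password-stdin
 
 - name: Push image
-id: docker-meta
 env:
 VERSION: "${{ needs.release.outputs.version }}"
 run: |
 make push-${{ matrix.name }}-image
-TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//)
-echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT
-echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT
 
 - name: Setup cosign
 if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}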
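Review bot: The added `github.event.pull_request.merged == true` condition on `config` only has a value on pull-request events, and the workflow's `on:` block is outside the hunks, so its effect on any other trigger cannot be checked here. A `push` or `workflow_dispatch` run would evaluate it to false and skip `config`, and presumably every job that needs it. If the trigger is `pull_request_target` on the closed event, the jobs run with the base repository's token and secrets, so the checkout should stay on the base branch ref and not on the pull request head. A comment above the condition stating the intended trigger, such as `# runs only when a PR is closed as merged; other triggers skip the release`, would make the gate reviewable.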
