-
Notifications
You must be signed in to change notification settings - Fork 34
feat: add publish workflow based on the fixed fork #252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+26
−0
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| name: Publish Provider Package Alt | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: "Version string to use while publishing the package (e.g. v1.0.0-alpha.1)" | ||
| default: "" | ||
| required: false | ||
| go-version: | ||
| description: "Go version to use if building needs to be done" | ||
| default: "1.24" | ||
| required: false | ||
|
|
||
| jobs: | ||
| publish-provider-package: | ||
| uses: hmlkao/provider-workflows/.github/workflows/publish-provider.yml@/upgrade-build-module | ||
| with: | ||
| repository: provider-upjet-github | ||
| version: ${{ github.event.inputs.version }} | ||
| go-version: ${{ github.event.inputs.go-version }} | ||
| cleanup-disk: true | ||
| secrets: | ||
| GHCR_PAT: ${{ secrets.GITHUB_TOKEN }} | ||
| XPKG_MIRROR_TOKEN: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} | ||
| XPKG_MIRROR_ACCESS_ID: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit
permissions:block that grants only the minimum scopes required to run the workflow. Since this job only calls a reusable workflow and passes secrets, the least-privilege starting point is usuallycontents: read. If the reusable workflow needs to push commits, create releases, or modify other resources, it should request those explicitly in its own file; the caller should not over‑grant by default.The single best change here, without altering existing functionality, is to add a root‑level
permissions:block just under thename:(or underon:), applying to all jobs in this workflow. As we don’t see any direct write operations in this snippet, we will setcontents: read, which is safe and aligns with the recommended minimal starting point. If later turns out that the called workflow needs additional token scopes, they should be added explicitly there, not here.Concretely, edit
.github/workflows/publish-provider-package-alt.ymland insert:between the
name:and theon:block (or equivalently betweenon:andjobs:), ensuring indentation is correct for a root‑level key.