security(actions): declare least-privilege permissions on remaining w… #547
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| # Sequence of patterns matched against refs/tags | |
| tags: | |
| - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 | |
| name: Create Release | |
| # Least-privilege default for the whole workflow — jobs that need more | |
| # override at the job level. Matches the convention used by | |
| # cleanup-jp.yml / nonregression-jp.yml. | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Create Release | |
| runs-on: ubuntu-22.04 | |
| # actions/create-release@v1 needs contents: write to publish a Release. | |
| permissions: | |
| contents: write | |
| outputs: | |
| release_url: ${{ steps.create_release.outputs.html_url }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Get Release Changes | |
| id: recentCommits | |
| run: | | |
| echo ::set-output name=release_body::$(git log --no-merges --pretty=format:'%s' $(git describe --abbrev=0 --tags)...HEAD) | |
| - name: Create Release | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: Release ${{ github.ref }} | |
| body: ${{steps.recentCommits.outputs.release_body}} | |
| draft: false | |
| prerelease: false | |
| zip-recipes: | |
| runs-on: ubuntu-22.04 | |
| needs: build | |
| # actions/upload-release-asset needs contents: write to attach recipes.zip. | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Get release | |
| id: get_release | |
| uses: bruceadams/get-release@v1.2.2 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Write version | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: recipes/version.txt | |
| contents: ${{ steps.get_release.outputs.tag_name }} | |
| write-mode: overwrite | |
| - name: Zip recipes | |
| uses: vimtor/action-zip@v1 | |
| with: | |
| files: recipes/ version.txt | |
| dest: recipes.zip | |
| - name: Upload recipes zip file to GitHub | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.get_release.outputs.upload_url }} | |
| asset_path: ${{ github.workspace }}/recipes.zip | |
| asset_name: recipes.zip | |
| asset_content_type: application/octet-stream | |
| - name: Install aws cli | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install awscli -y | |
| - name: Write config 1 | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: /home/runner/.aws/credentials | |
| contents: | | |
| [virtuoso_user] | |
| aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| write-mode: overwrite | |
| - name: Write config 2 | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: /home/runner/.aws/config | |
| contents: | | |
| [profile virtuoso] | |
| role_arn = ${{ secrets.AWS_ROLE_ARN }} | |
| region = ${{ secrets.AWS_DEFAULT_REGION }} | |
| source_profile = virtuoso_user | |
| write-mode: overwrite | |
| - name: Upload recipes zip file to S3 (download.newrelic.com) | |
| id: upload-recipes-s3 | |
| run: | | |
| aws s3 cp ${{ github.workspace }}/recipes.zip s3://nr-downloads-main/install/open-install-library/${{ steps.get_release.outputs.tag_name }}/recipes.zip --profile virtuoso | |
| - name: Upload currentVersion.txt to S3 | |
| id: upload-current-version-s3 | |
| run: | | |
| aws s3 cp recipes/version.txt s3://nr-downloads-main/install/open-install-library/currentVersion.txt --profile virtuoso --cache-control no-cache | |
| - name: Cleanup configs | |
| run: | | |
| rm -rf /home/runner/.aws/credentials | |
| rm -rf /home/runner/.aws/config | |
| commit-release-notes: | |
| name: Record release on main | |
| runs-on: ubuntu-22.04 | |
| needs: build | |
| # No override needed — the push uses secrets.RELEASE_TOKEN (a PAT), not | |
| # the default GITHUB_TOKEN, so this job only needs the workflow-level | |
| # `contents: read` (for actions/checkout). | |
| steps: | |
| - name: Checkout main | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| # RELEASE_TOKEN (PAT) is required because main is protected — rules | |
| # forbid direct pushes and require FOSSA to pass. The default | |
| # GITHUB_TOKEN cannot bypass those rules. RELEASE_TOKEN is the same | |
| # PAT the CLI's OIL→CLI workflow already uses to push tags into OIL. | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Commit release marker to main | |
| env: | |
| RELEASE_URL: ${{ needs.build.outputs.release_url }} | |
| run: | | |
| set -euo pipefail | |
| # Strip refs/tags/ → e.g. v0.82.0 | |
| TAG="${GITHUB_REF#refs/tags/}" | |
| RELEASE_DATE=$(date -u +'%-d %B %Y') | |
| # Previous release tag = second-newest v* tag by semver sort. | |
| # `git tag --sort=-v:refname` puts the newest first; filter out the just-released tag. | |
| PREV=$(git tag --list 'v*' --sort=-v:refname | grep -v "^${TAG}$" | head -1 || true) | |
| # Compact subject: `chore(release): OIL <tag>, <date>`. | |
| # | |
| # Change list excludes prior release-marker commits so a release | |
| # doesn't list its predecessors. --extended-regexp matches both the | |
| # current shorter format ("OIL v...") and the legacy longer one | |
| # ("Open Install Library Release v...") so older markers on main | |
| # stay filtered too. | |
| # | |
| # `[skip ci]` at the end tells GitHub Actions not to run | |
| # push-triggered workflows on the marker commit itself — the | |
| # release just built the artifacts, there's nothing to re-verify. | |
| { | |
| printf 'chore(release): OIL %s, %s\n\n' "$TAG" "$RELEASE_DATE" | |
| if [ -n "$PREV" ]; then | |
| printf 'Changes since %s:\n\n' "$PREV" | |
| git log \ | |
| --no-merges \ | |
| --invert-grep \ | |
| --extended-regexp \ | |
| --grep='^chore\(release\): (OIL|Open Install Library Release) v[0-9]' \ | |
| --pretty=format:'- %s (%h)' \ | |
| "${PREV}..${TAG}" | |
| printf '\n\n' | |
| fi | |
| printf 'Release: %s\n\n' "${RELEASE_URL}" | |
| printf '[skip ci]\n' | |
| } > /tmp/commit-msg.txt | |
| echo "----- Commit message preview -----" | |
| cat /tmp/commit-msg.txt | |
| echo "----------------------------------" | |
| git config user.name 'github-actions[bot]' | |
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
| git commit --allow-empty -F /tmp/commit-msg.txt | |
| # Retry once on race (someone else pushed to main between checkout and push). | |
| if ! git push origin main; then | |
| echo "push rejected; refetching and rebasing before retry" | |
| git pull --rebase origin main | |
| git push origin main | |
| fi |