-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
github: fix workflow permissions error (#58)
currently, the publish job, although not used at all by the release workflow, is imported as part of the build.yaml import (for the side effect of importing lint, tests and build jobs). however, this is causing an issue since we switched the default permissions to contents/packages read instead of write. as the publish job requires the write permission, however, build.yaml is imported with the standard permissions, causing the following error: The workflow is not valid. .github/workflows/release.yml (Line: 9, Col: 3): Error calling workflow 'DataDog/otel-profiling-agent/.github/workflows/build.yml@5d1ecca'. The nested job 'publish' is requesting 'contents: write, packages: write', but is only allowed 'contents: read, packages: read'. To fix this, we create a new workflow, pre-release, that contains the publish job, this way common build, lint, tests jobs can be imported by both release and pre-release without causing any issue
- Loading branch information
Showing
2 changed files
with
63 additions
and
55 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, labeled] | ||
| branches: ["**"] | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build | ||
| uses: ./.github/workflows/build.yml | ||
|
|
||
| publish: | ||
| env: | ||
| RELEASE_VERSION: ${{ github.event_name == 'pull_request' && 'dev-test' || 'dev' }} | ||
| if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'publish-dev-test') )}} | ||
| name: Publish pre-release | ||
| needs: [build] | ||
| runs-on: ubuntu-24.04 | ||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| steps: | ||
| - name: Download artifacts | ||
| uses: actions/download-artifact@v4 | ||
| - name: Create assets | ||
| run: | | ||
| tar czf otel-profiling-agent-${RELEASE_VERSION}-aarch64.tar.gz -C agent-aarch64 . | ||
| tar czf otel-profiling-agent-${RELEASE_VERSION}-x86_64.tar.gz -C agent-x86_64 . | ||
| sha256sum otel-profiling-agent-${RELEASE_VERSION}-aarch64.tar.gz otel-profiling-agent-${RELEASE_VERSION}-x86_64.tar.gz > sha256sums.txt | ||
| - name: Create or move previous dev tag | ||
| continue-on-error: true | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| github.rest.git.createRef({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| ref: 'refs/tags/${{ env.RELEASE_VERSION }}', | ||
| sha: context.sha | ||
| }).catch(err => { | ||
| if (err.status !== 422) throw err; | ||
| github.rest.git.updateRef({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| ref: 'tags/${{ env.RELEASE_VERSION }}', | ||
| sha: context.sha | ||
| }) | ||
| }); | ||
| - name: Create pre-release | ||
| uses: ncipollo/release-action@v1 | ||
| with: | ||
| artifacts: "otel-profiling-agent-${{ env.RELEASE_VERSION }}-*.tar.gz,sha256sums.txt" | ||
| allowUpdates: true | ||
| removeArtifacts: true | ||
| omitBody: true | ||
| omitDraftDuringUpdate: true | ||
| prerelease: true | ||
| draft: false | ||
| tag: ${{ env.RELEASE_VERSION }} |