Set permissions on the calling side. (#1233)
The `permissions` block in a reusable workflow doesn't grant these
permissions. These are more used as an early indication of the
permissions required by the reusable workflow. The correct permissions
still need to be set on the calling side.

See `Reusable workflows` in [this blog
article](https://www.kenmuse.com/blog/github-actions-workflow-permissions/).

Follow up to #1214.

Without setting the `permissions` on the calling side, the reusable
workflow will not have the correct permissions.

The Pulumiverse runs failed without the required `permissions` block:
https://github.com/pulumiverse/pulumi-acme/actions/runs/12365788538
After adding the `permissions` block on the calling side:
https://github.com/pulumiverse/pulumi-acme/actions/runs/12369028130

pulumiverse/pulumi-acme#98

For Pulumiverse, this fails because the organization wide workflow
settings are configured to `Read repository contents and packages
permissions`.
ringods authored Dec 17, 2024
1 parent aeb1679 commit 47628ee
Showing 22 changed files with 66 additions and 0 deletions.
@@ -122,6 +122,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
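Review bot: the purpose of `id-token: write` in the new `permissions` block is not documented inline, so a later reader cannot tell which step of the called reusable workflow consumes the token or whether the grant is still needed. Suggest a one-line YAML comment above the block naming the consuming step, e.g. `# id-token: write is required by <step> in the reusable workflow`, so the minimal-permission intent stated in the commit message survives future edits.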
@@ -33,6 +33,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -60,6 +60,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -69,6 +69,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -111,6 +111,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
3 changes: 3 additions & 0 deletions provider-ci/test-providers/acme/.github/workflows/main.yml
@@ -131,6 +131,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -72,6 +72,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
3 changes: 3 additions & 0 deletions provider-ci/test-providers/acme/.github/workflows/release.yml
@@ -78,6 +78,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
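Review bot: the new `permissions` block narrows the GITHUB_TOKEN to `contents: read` and `id-token: write`, but the unchanged `secrets: inherit` directly below it still forwards every secret available to the caller into the reusable workflow, so the token scope is tightened while the secret exposure is not. In a release workflow that is the more sensitive of the two; suggest replacing `secrets: inherit` with an explicit `secrets:` mapping that passes only the secrets the called workflow actually reads, consistent with the least-privilege intent of this change.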
@@ -121,6 +121,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
3 changes: 3 additions & 0 deletions provider-ci/test-providers/aws/.github/workflows/master.yml
@@ -131,6 +131,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
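Review bot: the identical three-line block is added by hand to all 22 files under `provider-ci/test-providers/`, but no change to whatever produces those files is visible in this commit. If these are generated outputs of provider-ci, confirm the generating template carries the same `permissions` block (or reference the commit that adds it); otherwise the next regeneration silently drops the block and reintroduces the failure described in the commit message.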
@@ -50,6 +50,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -71,6 +71,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
3 changes: 3 additions & 0 deletions provider-ci/test-providers/aws/.github/workflows/release.yml
@@ -77,6 +77,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -117,6 +117,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -133,6 +133,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -74,6 +74,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -80,6 +80,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -123,6 +123,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -146,6 +146,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -87,6 +87,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -93,6 +93,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -136,6 +136,9 @@ jobs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}

0 comments on commit 47628ee