Skip to content

Commit f55bd08

Browse files
committed
ci(e2e): use GITHUB_TOKEN for GHCR e2e
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 1d0c110 commit f55bd08

3 files changed

Lines changed: 14 additions & 9 deletions

File tree

.github/workflows/.e2e-run.yml

Lines changed: 2 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,6 @@
11
# reusable workflow
22
name: .e2e-run
33

4-
permissions:
5-
contents: read
6-
74
on:
85
workflow_call:
96
inputs:
@@ -117,8 +114,8 @@ jobs:
117114
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
118115
with:
119116
registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
120-
username: ${{ env.REGISTRY_USER || secrets.registry_username }}
121-
password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
117+
username: ${{ env.REGISTRY_USER || secrets.registry_username || (inputs.registry == 'ghcr.io' && github.actor) || '' }}
118+
password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password || (inputs.registry == 'ghcr.io' && secrets.GITHUB_TOKEN) || '' }}
122119
scope: ${{ inputs.type == 'remote' && inputs.registry == '' && '@push' || '' }}
123120
-
124121
name: Build and push

.github/workflows/e2e.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ on:
2020
jobs:
2121
build:
2222
uses: ./.github/workflows/.e2e-run.yml
23+
permissions:
24+
contents: read
25+
packages: write # to push image to GHCR
2326
strategy:
2427
fail-fast: false
2528
matrix:
@@ -38,7 +41,7 @@ jobs:
3841
-
3942
name: GitHub
4043
registry: ghcr.io
41-
slug: ghcr.io/docker-ghactiontest/test
44+
slug: ghcr.io/docker/build-push-action-test
4245
auth: ghcr
4346
type: remote
4447
-
@@ -100,11 +103,11 @@ jobs:
100103
registry: ${{ matrix.registry }}
101104
slug: ${{ matrix.slug }}
102105
secrets:
103-
# Pass only the two secrets needed by each matrix entry.
106+
# Pass only the registry-specific secrets needed by each matrix entry.
107+
# GHCR uses the called workflow's GITHUB_TOKEN fallback.
104108
registry_username: >-
105109
${{
106110
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
107-
matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
108111
matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
109112
matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
110113
matrix.auth == 'gar' && secrets.GAR_USERNAME ||
@@ -116,7 +119,6 @@ jobs:
116119
registry_password: >-
117120
${{
118121
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
119-
matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
120122
matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
121123
matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
122124
matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||

.github/zizmor.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
rules:
2+
# rule does not apply to reusable worfklows where permissions are defined by
3+
# the caller workflow and not the reusable workflow itself
4+
excessive-permissions:
5+
ignore:
6+
- .e2e-run.yml

0 commit comments

Comments
 (0)