Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.
Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level
Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
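---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

# Builds the testing-tools Docker image from _tools/docker-testing-tools and
# publishes it to ghcr.io. Pull requests only build (push is disabled below);
# pushes to main and manual dispatches build, push, smoke-test and summarise.
name: Build Testing Docker Image

on:
  push:
    branches:
      - main
    paths:
      - '_tools/docker-testing-tools/**'
      - '.github/workflows/build-testing-image.yml'
  pull_request:
    branches:
      - main
    paths:
      - '_tools/docker-testing-tools/**'
      - '.github/workflows/build-testing-image.yml'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Docker image tag'
        required: false
        default: 'latest'
        type: string

# Deny every permission at the workflow level; each job grants only what it
# actually needs.
permissions: {}

jobs:
  build-and-push:
    name: Build and Push Testing Image
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read  # actions/checkout
      packages: write  # docker/build-push-action pushes to ghcr.io

    steps:
      - name: Checkout repository
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: ghcr.io/${{ github.repository_owner }}/actions
          # The `testing-tools` tag is only enabled on the default branch; the
          # last line forwards the optional workflow_dispatch `tag` input.
          tags: |
            type=ref,event=branch,suffix=-testing-tools
            type=ref,event=pr,suffix=-testing-tools
            type=raw,value=testing-tools,enable={{is_default_branch}}
            type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event.inputs.tag != '' }}

      - name: Build and push Docker image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        with:
          context: _tools/docker-testing-tools
          file: _tools/docker-testing-tools/Dockerfile
          # Pull requests only verify that the image builds; nothing is published.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64

      - name: Test image
        if: github.event_name != 'pull_request'
        # Expression values are passed through `env` instead of being
        # interpolated into the script, so they reach the shell as data rather
        # than as script text.
        env:
          IMAGE: ghcr.io/${{ github.repository_owner }}/actions:testing-tools
        run: |
          # Smoke-test the published image by invoking each bundled tool.
          # NOTE: this targets the `testing-tools` tag, which the metadata step
          # enables only on the default branch; on other refs it exercises the
          # previously published image rather than the one just built.
          docker run --rm "$IMAGE" shellspec --version
          docker run --rm "$IMAGE" act --version
          docker run --rm "$IMAGE" trivy --version

      - name: Generate image summary
        if: github.event_name != 'pull_request'
        env:
          IMAGE: ghcr.io/${{ github.repository_owner }}/actions:testing-tools
          # Can carry the workflow_dispatch `tag` input; kept out of the script
          # body so shell metacharacters in it are never evaluated.
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          {
            echo "## 🐋 Docker Image Built Successfully"
            echo ""
            echo "**Image**: \`${IMAGE}\`"
            echo "**Tags**: ${IMAGE_TAGS}"
            echo ""
            echo "### Usage in GitHub Actions"
            echo ""
            echo "\`\`\`yaml"
            echo "jobs:"
            echo "  test:"
            echo "    runs-on: ubuntu-latest"
            echo "    container: ${IMAGE}"
            echo "    steps:"
            echo "      - uses: actions/checkout@v5"
            echo "      - run: shellspec _tests/unit/your-action/"
            echo "\`\`\`"
            echo ""
            echo "### Pre-installed Tools"
            echo "- ShellSpec"
            echo "- nektos/act (latest)"
            echo "- Trivy security scanner (latest)"
            echo "- TruffleHog secrets scanner (latest)"
            echo "- actionlint (latest)"
            echo "- shellcheck, jq, kcov, GitHub CLI"
            echo "- Node.js LTS, Python 3, build tools"
          } >> "$GITHUB_STEP_SUMMARY"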