From 8460c384731548e00825ae32d83c7cb61b5da682 Mon Sep 17 00:00:00 2001 
From: Guinevere Saenger Date: Fri, 31 Jan 2025 09:07:41 -0800 Subject: [PATCH] Unconditional id-token permissions (#1333) If we limit permissions via template conditionals, it means that our test provider xyz cannot validate that code path, leading us to guess in the dark at valid workflow configurations. This pull request implements the suggestion from here: https://github.com/pulumi/ci-mgmt/pull/1332#discussion_r1935180350. - **Set contents: write and id-token: write unconditionally, so we can validate the workflows** - **test providers** --- .../pkg/templates/bridged-provider/.github/workflows/main.yml | 2 -- .../bridged-provider/.github/workflows/prerelease.yml | 2 -- .../templates/bridged-provider/.github/workflows/publish.yml | 3 +-- .../templates/bridged-provider/.github/workflows/release.yml | 2 -- .../templates/provider/.github/workflows/verify-release.yml | 2 +- provider-ci/test-providers/acme/.github/workflows/main.yml | 1 + .../test-providers/acme/.github/workflows/prerelease.yml | 1 + provider-ci/test-providers/acme/.github/workflows/publish.yml | 3 +++ provider-ci/test-providers/acme/.github/workflows/release.yml | 1 + provider-ci/test-providers/aws/.github/workflows/master.yml | 1 + .../test-providers/aws/.github/workflows/prerelease.yml | 1 + provider-ci/test-providers/aws/.github/workflows/publish.yml | 3 +++ provider-ci/test-providers/aws/.github/workflows/release.yml | 1 + .../test-providers/aws/.github/workflows/verify-release.yml | 3 +++ .../test-providers/cloudflare/.github/workflows/master.yml | 1 + .../test-providers/cloudflare/.github/workflows/prerelease.yml | 1 + .../test-providers/cloudflare/.github/workflows/publish.yml | 3 +++ .../test-providers/cloudflare/.github/workflows/release.yml | 1 + .../test-providers/docker/.github/workflows/publish.yml | 1 + provider-ci/test-providers/eks/.github/workflows/master.yml | 1 + .../test-providers/eks/.github/workflows/prerelease.yml | 1 + 
provider-ci/test-providers/eks/.github/workflows/publish.yml | 3 +++ provider-ci/test-providers/eks/.github/workflows/release.yml | 1 + 23 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
index f50fe8241e..738dbcbc1c 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
@@ -87,9 +87,7 @@ jobs:
 name: publish
 permissions:
 contents: write
- #{{- if .Config.GCP }}#
 id-token: write
- #{{- end }}#
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
index 479ceff603..0c93acef26 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
@@ -43,9 +43,7 @@ jobs:
 name: publish
 permissions:
 contents: write
- #{{- if .Config.GCP }}#
 id-token: write
- #{{- end }}#
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
index 68cc4e7fd8..2e53900719 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
@@ -206,10 +206,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
- #{{- if .Config.GCP }}#
 permissions:
+ contents: write
 id-token: write
- #{{- end }}#
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
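Review bot: Granting `id-token: write` on the `publish` job for every generated provider, not only those with `.Config.GCP`, widens the set of jobs that can mint a GitHub OIDC token, so any step in that job (third-party actions included) can present a token to every cloud trust policy that accepts this repository's claims, whether or not the provider uses GCP. If the only driver is exercising the template branch, a GCP-enabled test provider would cover that code path without broadening the grant in every real provider; if the unconditional grant is intended, a comment next to the line such as `# id-token: write is unconditional so test providers exercise this path; it is only consumed when GCP auth is configured` would record the decision for the next reader. The enclosing `publish` job starts outside the hunk.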
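Review bot: The template publish.yml now grants `verify_release` `contents: write` at the caller, while the reusable verify-release.yml job in this same patch declares `contents: 'read'`; for a `uses:` job the caller's block is the ceiling the called workflow may request, not what it needs, so `contents: read` appears sufficient here unless another job in verify-release.yml needs write (not visible in this patch). Suggest `contents: read` in this template and letting the called workflow request only what it uses.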
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
index 61fdc73151..3c6478c8a5 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
@@ -52,9 +52,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
- #{{- if .Config.GCP }}#
 id-token: write
- #{{- end }}#
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml
index 64b0ad803f..73a9a67163 100644
--- a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml
+++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml
@@ -70,7 +70,7 @@ jobs:
 runner: ["ubuntu-latest"]
 #{{- end }}#
 runs-on: ${{ matrix.runner }}
-#{{- if and .Config.ReleaseVerification .Config.GCP }}#
+#{{- if .Config.ReleaseVerification }}#
 permissions:
 contents: 'read'
 id-token: 'write'
diff --git a/provider-ci/test-providers/acme/.github/workflows/main.yml b/provider-ci/test-providers/acme/.github/workflows/main.yml
index 6249694dad..8d811b2c98 100644
--- a/provider-ci/test-providers/acme/.github/workflows/main.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/main.yml
@@ -94,6 +94,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
index 8736a9f2ff..0884bd7c5d 100644
--- a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
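Review bot: In verify-release.yml the whole `permissions:` block still sits inside `#{{- if .Config.ReleaseVerification }}#`, so a provider generated with ReleaseVerification off emits this job with no `permissions` at all, and a reusable-workflow job that declares none runs with whatever the caller granted — after this patch `contents: write` and `id-token: write` — which inverts the least-privilege default the block was meant to set. Unless the job itself is also gated on ReleaseVerification (its start is outside the hunk), move `permissions:` and `contents: 'read'` outside the conditional and keep only `id-token: 'write'` under `#{{- if .Config.ReleaseVerification }}#`. That keeps the non-verifying variant read-only and matches the `contents: 'read'` the job already declares.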
@@ -55,6 +55,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/publish.yml b/provider-ci/test-providers/acme/.github/workflows/publish.yml
index 8e131487d8..5e908862a2 100644
--- a/provider-ci/test-providers/acme/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/publish.yml
@@ -174,6 +174,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
+ permissions:
+ contents: write
+ id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml
index 3720ee2f4d..c1df66f287 100644
--- a/provider-ci/test-providers/acme/.github/workflows/release.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/release.yml
@@ -61,6 +61,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/master.yml b/provider-ci/test-providers/aws/.github/workflows/master.yml
index afa1a65d07..e4d4fdcdf9 100644
--- a/provider-ci/test-providers/aws/.github/workflows/master.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/master.yml
@@ -94,6 +94,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
index bec419dcaf..6c9e5d7ee7 100644
--- a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
@@ -54,6 +54,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/publish.yml b/provider-ci/test-providers/aws/.github/workflows/publish.yml
index 6a6f2715b3..f1912fcace 100644
--- a/provider-ci/test-providers/aws/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/publish.yml
@@ -210,6 +210,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
+ permissions:
+ contents: write
+ id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml
index b66d7cb83b..765f23fc28 100644
--- a/provider-ci/test-providers/aws/.github/workflows/release.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/release.yml
@@ -60,6 +60,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml
index a1f0b72189..edef0c29bb 100644
--- a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml
@@ -73,6 +73,9 @@ jobs:
 # See the docs for a similar example to this: https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
 runner: ${{ fromJSON(format('["ubuntu-latest","windows-latest"{0}]', inputs.enableMacRunner && ',"macos-latest"' || '')) }}
 runs-on: ${{ matrix.runner }}
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 steps:
 - name: Configure Git to checkout files with long names
 run: git config --global core.longpaths true
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
index e37f37beba..0ab412a698 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
@@ -96,6 +96,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
index 45ddc69d87..efb5b18f3f 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
@@ -57,6 +57,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
index 14f85953b2..0d74bc6e9c 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
@@ -207,6 +207,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
+ permissions:
+ contents: write
+ id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
index 6c72112da2..39a225843e 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
@@ -63,6 +63,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/publish.yml b/provider-ci/test-providers/docker/.github/workflows/publish.yml
index 2fea663200..1a9ce7462d 100644
--- a/provider-ci/test-providers/docker/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/publish.yml
@@ -221,6 +221,7 @@ jobs:
 name: verify_release
 needs: publish_sdk
 permissions:
+ contents: write
 id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
diff --git a/provider-ci/test-providers/eks/.github/workflows/master.yml b/provider-ci/test-providers/eks/.github/workflows/master.yml
index a27654b45c..79236f8c66 100644
--- a/provider-ci/test-providers/eks/.github/workflows/master.yml
+++ b/provider-ci/test-providers/eks/.github/workflows/master.yml
@@ -62,6 +62,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/eks/.github/workflows/prerelease.yml b/provider-ci/test-providers/eks/.github/workflows/prerelease.yml
index 8c10c40bf7..2c4a94254a 100644
--- a/provider-ci/test-providers/eks/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/eks/.github/workflows/prerelease.yml
@@ -62,6 +62,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/provider-ci/test-providers/eks/.github/workflows/publish.yml b/provider-ci/test-providers/eks/.github/workflows/publish.yml
index 764aea5f95..56ca33af29 100644
--- a/provider-ci/test-providers/eks/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/eks/.github/workflows/publish.yml
@@ -212,6 +212,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
+ permissions:
+ contents: write
+ id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
diff --git a/provider-ci/test-providers/eks/.github/workflows/release.yml b/provider-ci/test-providers/eks/.github/workflows/release.yml
index e4f7523dfb..3cd5413430 100644
--- a/provider-ci/test-providers/eks/.github/workflows/release.yml
+++ b/provider-ci/test-providers/eks/.github/workflows/release.yml
@@ -68,6 +68,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider