From ab05ad3e7e22d555e7649e4448f7d2dbe27433aa Mon Sep 17 00:00:00 2001 
From: Nuru
Date: Tue, 18 Jun 2024 15:20:57 -0700
Subject: [PATCH] Use cloudsmith action 0.5.4 -> 0.6.10, new builder hosted by ghcr.io (#4789)
---
 .github/package-template.yml | 40 ++++++++++---------
 .../amazon-ecr-credential-helper.yml | 40 ++++++++++---------
 .github/workflows/amtool.yml | 40 ++++++++++---------
 .github/workflows/argocd.yml | 40 ++++++++++---------
 .github/workflows/assume-role.yml | 40 ++++++++++---------
 .github/workflows/atlantis.yml | 40 ++++++++++---------
 .github/workflows/atmos.yml | 40 ++++++++++---------
 .github/workflows/awless.yml | 40 ++++++++++---------
 .github/workflows/aws-copilot-cli.yml | 40 ++++++++++---------
 .github/workflows/aws-iam-authenticator.yml | 40 ++++++++++---------
 .github/workflows/aws-nuke.yml | 40 ++++++++++---------
 .github/workflows/aws-vault.yml | 40 ++++++++++---------
 .github/workflows/cfssl.yml | 40 ++++++++++---------
 .github/workflows/cfssljson.yml | 40 ++++++++++---------
 .github/workflows/chamber.yml | 40 ++++++++++---------
 .github/workflows/cilium-cli.yml | 40 ++++++++++---------
 .github/workflows/cli53.yml | 40 ++++++++++---------
 .github/workflows/cloud-nuke.yml | 40 ++++++++++---------
 .github/workflows/cloudflared.yml | 40 ++++++++++---------
 .github/workflows/codefresh.yml | 40 ++++++++++---------
 .github/workflows/conftest.yml | 40 ++++++++++---------
 .github/workflows/consul.yml | 40 ++++++++++---------
 .github/workflows/ctop.yml | 40 ++++++++++---------
 .github/workflows/direnv.yml | 40 ++++++++++---------
 .github/workflows/doctl.yml | 40 ++++++++++---------
 .github/workflows/ec2-instance-selector.yml | 40 ++++++++++---------
 .github/workflows/ecspresso.yml | 40 ++++++++++---------
 .github/workflows/emailcli.yml | 40 ++++++++++---------
 .github/workflows/envcli.yml | 40 ++++++++++---------
 .github/workflows/fetch.yml | 40 ++++++++++---------
 .github/workflows/figurine.yml | 40 ++++++++++---------
 .github/workflows/fzf.yml | 40 ++++++++++---------
 .github/workflows/gh.yml | 40 
++++++++++--------- .github/workflows/ghr.yml | 40 ++++++++++--------- .github/workflows/github-commenter.yml | 40 ++++++++++--------- .github/workflows/github-release.yml | 40 ++++++++++--------- .github/workflows/github-status-updater.yml | 40 ++++++++++--------- .github/workflows/gitleaks.yml | 40 ++++++++++--------- .github/workflows/go-jsonnet.yml | 40 ++++++++++--------- .github/workflows/gomplate.yml | 40 ++++++++++--------- .github/workflows/gonsul.yml | 40 ++++++++++--------- .github/workflows/goofys.yml | 40 ++++++++++--------- .github/workflows/gosu.yml | 40 ++++++++++--------- .github/workflows/gotop.yml | 40 ++++++++++--------- .github/workflows/grpcurl.yml | 40 ++++++++++--------- .github/workflows/hcledit.yml | 40 ++++++++++--------- .github/workflows/helm.yml | 40 ++++++++++--------- .github/workflows/helm2.yml | 40 ++++++++++--------- .github/workflows/helm3.yml | 40 ++++++++++--------- .github/workflows/helmfile.yml | 40 ++++++++++--------- .github/workflows/htmltest.yml | 40 ++++++++++--------- .github/workflows/hugo.yml | 40 ++++++++++--------- .github/workflows/infracost.yml | 40 ++++++++++--------- .github/workflows/jp.yml | 40 ++++++++++--------- .github/workflows/json2hcl.yml | 40 ++++++++++--------- .github/workflows/jx.yml | 40 ++++++++++--------- .github/workflows/k3d.yml | 40 ++++++++++--------- .github/workflows/k6.yml | 40 ++++++++++--------- .github/workflows/k9s.yml | 40 ++++++++++--------- .github/workflows/katafygio.yml | 40 ++++++++++--------- .github/workflows/kfctl.yml | 40 ++++++++++--------- .github/workflows/kind.yml | 40 ++++++++++--------- .github/workflows/kops.yml | 40 ++++++++++--------- .github/workflows/krew.yml | 40 ++++++++++--------- .github/workflows/kubecron.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.13.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.14.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.15.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.16.yml | 40 
++++++++++--------- .github/workflows/kubectl-1.17.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.18.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.19.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.20.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.21.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.22.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.23.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.24.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.25.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.26.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.27.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.28.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.29.yml | 40 ++++++++++--------- .github/workflows/kubectl-1.30.yml | 40 ++++++++++--------- .github/workflows/kubectl.yml | 40 ++++++++++--------- .github/workflows/kubectx.yml | 40 ++++++++++--------- .github/workflows/kubens.yml | 40 ++++++++++--------- .github/workflows/kubeval.yml | 40 ++++++++++--------- .github/workflows/lazydocker.yml | 40 ++++++++++--------- .github/workflows/lectl.yml | 40 ++++++++++--------- .github/workflows/minikube.yml | 40 ++++++++++--------- .github/workflows/misspell.yml | 40 ++++++++++--------- .github/workflows/opa.yml | 40 ++++++++++--------- .github/workflows/pack.yml | 40 ++++++++++--------- .github/workflows/packer.yml | 40 ++++++++++--------- .github/workflows/pandoc.yml | 40 ++++++++++--------- .github/workflows/pgmetrics.yml | 40 ++++++++++--------- .github/workflows/pluto.yml | 40 ++++++++++--------- .github/workflows/popeye.yml | 40 ++++++++++--------- .github/workflows/promtool.yml | 40 ++++++++++--------- .github/workflows/rainbow-text.yml | 40 ++++++++++--------- .github/workflows/rakkess.yml | 40 ++++++++++--------- .github/workflows/rancher.yml | 40 ++++++++++--------- .github/workflows/rbac-lookup.yml | 40 ++++++++++--------- .github/workflows/saml2aws.yml | 40 
++++++++++--------- .github/workflows/sentry-cli.yml | 40 ++++++++++--------- .github/workflows/shellcheck.yml | 40 ++++++++++--------- .github/workflows/shfmt.yml | 40 ++++++++++--------- .github/workflows/slack-notifier.yml | 40 ++++++++++--------- .github/workflows/sops.yml | 40 ++++++++++--------- .github/workflows/spacectl.yml | 40 ++++++++++--------- .github/workflows/spotctl.yml | 40 ++++++++++--------- .github/workflows/sshm.yml | 40 ++++++++++--------- .github/workflows/stern.yml | 40 ++++++++++--------- .github/workflows/sudosh.yml | 40 ++++++++++--------- .github/workflows/teleport-4.3.yml | 40 ++++++++++--------- .github/workflows/teleport-4.4.yml | 40 ++++++++++--------- .github/workflows/teleport-5.0.yml | 40 ++++++++++--------- .github/workflows/teleport.yml | 40 ++++++++++--------- .github/workflows/terraform-0.11.yml | 40 ++++++++++--------- .github/workflows/terraform-0.12.yml | 40 ++++++++++--------- .github/workflows/terraform-0.13.yml | 40 ++++++++++--------- .github/workflows/terraform-0.14.yml | 40 ++++++++++--------- .github/workflows/terraform-0.15.yml | 40 ++++++++++--------- .github/workflows/terraform-1.yml | 40 ++++++++++--------- .../workflows/terraform-config-inspect.yml | 40 ++++++++++--------- .github/workflows/terraform-docs.yml | 40 ++++++++++--------- .../workflows/terraform-module-versions.yml | 40 ++++++++++--------- .github/workflows/terraform.yml | 40 ++++++++++--------- .github/workflows/terraform_0.11.yml | 40 ++++++++++--------- .github/workflows/terraform_0.12.yml | 40 ++++++++++--------- .github/workflows/terraform_0.13.yml | 40 ++++++++++--------- .github/workflows/terragrunt.yml | 40 ++++++++++--------- .github/workflows/terrahelp.yml | 40 ++++++++++--------- .github/workflows/tflint.yml | 40 ++++++++++--------- .github/workflows/tfschema.yml | 40 ++++++++++--------- .github/workflows/tfsec.yml | 40 ++++++++++--------- .github/workflows/thanos.yml | 40 ++++++++++--------- .github/workflows/trivy.yml | 40 
++++++++++---------
 .github/workflows/variant.yml | 40 ++++++++++---------
 .github/workflows/variant2.yml | 40 ++++++++++---------
 .github/workflows/vault.yml | 40 ++++++++++---------
 .github/workflows/velero.yml | 40 ++++++++++---------
 .github/workflows/vendir.yml | 40 ++++++++++---------
 .github/workflows/venona.yml | 40 ++++++++++---------
 .github/workflows/vert.yml | 40 ++++++++++---------
 .github/workflows/yajsv.yml | 40 ++++++++++---------
 .github/workflows/yq.yml | 40 ++++++++++---------
 147 files changed, 3087 insertions(+), 2793 deletions(-)
diff --git a/.github/package-template.yml b/.github/package-template.yml
index 406617dbc1..47583fc385 100644
--- a/.github/package-template.yml
+++ b/.github/package-template.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/%PACKAGE_NAME%/** - - .github/workflows/%PACKAGE_NAME%.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/%PACKAGE_NAME%.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/**
@@ -31,7 +34,6 @@ on: - vendor/%PACKAGE_NAME%/** - .github/workflows/%PACKAGE_NAME%.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: %PACKAGE_NAME%_VERSION: ${{ inputs.package_version_override }} %PACKAGE_NAME%_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
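Review bot: The comment added under the push paths says a workflow-file change no longer triggers a build, but the `pull_request:` trigger in the next hunk (`@@ -31,7 +34,6`) still lists `.github/workflows/%PACKAGE_NAME%.yml` in its `paths:`, so a mass update opened as a pull request will still start every generated workflow. Either comment that path out as well, or make the comment say what it actually covers, e.g. `# Do not automatically trigger a build on push when the workflow file is changed, because we often make mass updates; pull requests still build.` The same text appears in every generated workflow in this patch (amazon-ecr-credential-helper.yml, amtool.yml, argocd.yml, assume-role.yml, atlantis.yml, atmos.yml), so change it in the template and regenerate.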
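Review bot: The new top-level `permissions:` block grants `packages: write`, `attestations: write` and `id-token: write` to every job in the workflow, although the only use of `GITHUB_TOKEN` visible in this patch is pulling the builder image from ghcr.io, which needs just `packages: read`. Nothing in the visible hunks pushes to ghcr.io or calls an attestation action; if a later step does, it is outside this diff, and it would be better served by a job-level `permissions:` on that job alone, keeping the workflow default at `contents: read` and `packages: read`. Note that on `pull_request` events from forks `GITHUB_TOKEN` is read-only regardless of this block, so the write grants only take effect for push and `workflow_dispatch` runs. The same block is added to every generated workflow in this patch, so scope it in the template.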
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-%PACKAGE_JSON_NAME%: needs: matrix-%PACKAGE_JSON_NAME% if: github.event_name != 'schedule' && needs.matrix-%PACKAGE_JSON_NAME%.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
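Review bot: `image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}` pulls the builder by a mutable tag, and the `@@ -199,10 +204,10 @@` hunk below pulls `packages-${{matrix.package-type}}build:latest`; the package build runs inside that container and, as far as the hunks show, the push step later in the same job receives `CLOUDSMITH_API_KEY`, so anyone able to push those tags can alter what is built and published. Pin the images to a digest (`image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}@sha256:<digest>`, carrying the digest in the matrix alongside the alpine version) or at least to an immutable version tag rather than `latest`, and bump it deliberately. Also, this hunk writes `username: ${{ github.actor }}` unquoted while the `-199` hunk writes `username: "${{ github.actor }}"`; quote both to match the `password:` line. Both hunks are repeated in every generated workflow, so fix the template and regenerate.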
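Review bot: `uses: cloudsmith-io/action@v0.6.10` still references the action by a mutable tag, and this step passes it `CLOUDSMITH_API_KEY`, so the code that handles the publishing credential can change without any commit in this repository. Pin it to the full commit SHA of the v0.6.10 release and keep the version as a trailing comment, `uses: cloudsmith-io/action@<commit-sha> # v0.6.10`. The same bump appears in the `@@ -250,7 +252,7 @@` hunk and in every generated workflow; changing the template once and regenerating keeps them consistent.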
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/amazon-ecr-credential-helper.yml b/.github/workflows/amazon-ecr-credential-helper.yml
index 79e5352388..9040a6f2f0 100644
--- a/.github/workflows/amazon-ecr-credential-helper.yml
+++ b/.github/workflows/amazon-ecr-credential-helper.yml 
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/amazon-ecr-credential-helper/** - - .github/workflows/amazon-ecr-credential-helper.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/amazon-ecr-credential-helper.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/amazon-ecr-credential-helper/** - .github/workflows/amazon-ecr-credential-helper.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: amazon-ecr-credential-helper_VERSION: ${{ inputs.package_version_override }} amazon-ecr-credential-helper_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-amazon-ecr-credential-helper: needs: matrix-amazon-ecr-credential-helper if: github.event_name != 'schedule' && needs.matrix-amazon-ecr-credential-helper.outputs.apk-enabled != 'false' 
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/amtool.yml b/.github/workflows/amtool.yml index ea1aa8ac4c..cfb9800e19 100644 --- a/.github/workflows/amtool.yml +++ b/.github/workflows/amtool.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/amtool/** - - .github/workflows/amtool.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/amtool.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/amtool/** - .github/workflows/amtool.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: amtool_VERSION: ${{ inputs.package_version_override }} amtool_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-amtool: needs: matrix-amtool if: github.event_name != 'schedule' && needs.matrix-amtool.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/argocd.yml b/.github/workflows/argocd.yml index 74f0f65b2a..505ec6b806 100644 --- a/.github/workflows/argocd.yml +++ b/.github/workflows/argocd.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/argocd/** - - .github/workflows/argocd.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/argocd.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/argocd/** - .github/workflows/argocd.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: argocd_VERSION: ${{ inputs.package_version_override }} argocd_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-argocd: needs: matrix-argocd if: github.event_name != 'schedule' && needs.matrix-argocd.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/assume-role.yml b/.github/workflows/assume-role.yml index 2829944318..a276e9516d 100644 --- a/.github/workflows/assume-role.yml +++ b/.github/workflows/assume-role.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/assume-role/** - - .github/workflows/assume-role.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/assume-role.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/assume-role/** - .github/workflows/assume-role.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: assume-role_VERSION: ${{ inputs.package_version_override }} assume-role_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-assume-role: needs: matrix-assume-role if: github.event_name != 'schedule' && needs.matrix-assume-role.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/atlantis.yml b/.github/workflows/atlantis.yml index f9070e6a75..48865f0ce6 100644 --- a/.github/workflows/atlantis.yml +++ b/.github/workflows/atlantis.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/atlantis/** - - .github/workflows/atlantis.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/atlantis.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/atlantis/** - .github/workflows/atlantis.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: atlantis_VERSION: ${{ inputs.package_version_override }} atlantis_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-atlantis: needs: matrix-atlantis if: github.event_name != 'schedule' && needs.matrix-atlantis.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
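Review bot: `username: ${{ github.actor }}` is left unquoted here while the same field is quoted as `username: "${{ github.actor }}"` in the generic build job later in this file; quote both the same way so the template renders consistently and the value can only ever be read as a string. The apk image `ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}` is pinned only by an Alpine version tag, which is mutable, and this job later runs the Cloudsmith push with `CLOUDSMITH_API_KEY` inside that container, so pin it by digest as well. The job definition starts before this hunk.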
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/atmos.yml b/.github/workflows/atmos.yml index dda3eec72f..a256e93557 100644 --- a/.github/workflows/atmos.yml +++ b/.github/workflows/atmos.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/atmos/** - - .github/workflows/atmos.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/atmos.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/atmos/** - .github/workflows/atmos.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: atmos_VERSION: ${{ inputs.package_version_override }} atmos_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-atmos: needs: matrix-atmos if: github.event_name != 'schedule' && needs.matrix-atmos.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/awless.yml b/.github/workflows/awless.yml index 86634a44f6..45b6060055 100644 --- a/.github/workflows/awless.yml +++ b/.github/workflows/awless.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/awless/** - - .github/workflows/awless.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/awless.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/awless/** - .github/workflows/awless.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: awless_VERSION: ${{ inputs.package_version_override }} awless_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-awless: needs: matrix-awless if: github.event_name != 'schedule' && needs.matrix-awless.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/aws-copilot-cli.yml b/.github/workflows/aws-copilot-cli.yml index 0f01820527..a9cd8f51fd 100644 --- a/.github/workflows/aws-copilot-cli.yml +++ b/.github/workflows/aws-copilot-cli.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/aws-copilot-cli/** - - .github/workflows/aws-copilot-cli.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/aws-copilot-cli.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/aws-copilot-cli/** - .github/workflows/aws-copilot-cli.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: aws-copilot-cli_VERSION: ${{ inputs.package_version_override }} aws-copilot-cli_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-aws-copilot-cli: needs: matrix-aws-copilot-cli if: github.event_name != 'schedule' && needs.matrix-aws-copilot-cli.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/aws-iam-authenticator.yml b/.github/workflows/aws-iam-authenticator.yml index ff8fcc626f..86014b1689 100644 --- a/.github/workflows/aws-iam-authenticator.yml +++ b/.github/workflows/aws-iam-authenticator.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/aws-iam-authenticator/** - - .github/workflows/aws-iam-authenticator.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/aws-iam-authenticator.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/aws-iam-authenticator/** - .github/workflows/aws-iam-authenticator.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: aws-iam-authenticator_VERSION: ${{ inputs.package_version_override }} aws-iam-authenticator_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-aws-iam-authenticator: needs: matrix-aws-iam-authenticator if: github.event_name != 'schedule' && needs.matrix-aws-iam-authenticator.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/aws-nuke.yml b/.github/workflows/aws-nuke.yml index d77b9d2ed8..67fa57c049 100644 --- a/.github/workflows/aws-nuke.yml +++ b/.github/workflows/aws-nuke.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/aws-nuke/** - - .github/workflows/aws-nuke.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/aws-nuke.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/aws-nuke/** - .github/workflows/aws-nuke.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: aws-nuke_VERSION: ${{ inputs.package_version_override }} aws-nuke_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-aws-nuke: needs: matrix-aws-nuke if: github.event_name != 'schedule' && needs.matrix-aws-nuke.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/aws-vault.yml b/.github/workflows/aws-vault.yml index b9d7391b2d..8c12b6353e 100644 --- a/.github/workflows/aws-vault.yml +++ b/.github/workflows/aws-vault.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/aws-vault/** - - .github/workflows/aws-vault.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/aws-vault.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/aws-vault/** - .github/workflows/aws-vault.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: aws-vault_VERSION: ${{ inputs.package_version_override }} aws-vault_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-aws-vault: needs: matrix-aws-vault if: github.event_name != 'schedule' && needs.matrix-aws-vault.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/cfssl.yml b/.github/workflows/cfssl.yml index db9d9ff78d..2378b5642a 100644 --- a/.github/workflows/cfssl.yml +++ b/.github/workflows/cfssl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cfssl/** - - .github/workflows/cfssl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cfssl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/cfssl/** - .github/workflows/cfssl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: cfssl_VERSION: ${{ inputs.package_version_override }} cfssl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cfssl: needs: matrix-cfssl if: github.event_name != 'schedule' && needs.matrix-cfssl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/cfssljson.yml b/.github/workflows/cfssljson.yml
index c2641b4869..60c04ba6f9 100644
--- a/.github/workflows/cfssljson.yml
+++ b/.github/workflows/cfssljson.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cfssljson/** - - .github/workflows/cfssljson.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cfssljson.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/cfssljson/** - .github/workflows/cfssljson.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: cfssljson_VERSION: ${{ inputs.package_version_override }} cfssljson_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly.
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cfssljson: needs: matrix-cfssljson if: github.event_name != 'schedule' && needs.matrix-cfssljson.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/chamber.yml b/.github/workflows/chamber.yml
index af94ecf828..678b06bf25 100644
--- a/.github/workflows/chamber.yml
+++ b/.github/workflows/chamber.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/chamber/** - - .github/workflows/chamber.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/chamber.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/**
@@ -31,7 +34,6 @@ on: - vendor/chamber/** - .github/workflows/chamber.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: chamber_VERSION: ${{ inputs.package_version_override }} chamber_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-chamber: needs: matrix-chamber if: github.event_name != 'schedule' && needs.matrix-chamber.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/cilium-cli.yml b/.github/workflows/cilium-cli.yml
index e90a8505fa..a4dc3acfc8 100644
--- a/.github/workflows/cilium-cli.yml
+++ b/.github/workflows/cilium-cli.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cilium-cli/** - - .github/workflows/cilium-cli.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cilium-cli.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/cilium-cli/** - .github/workflows/cilium-cli.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: cilium-cli_VERSION: ${{ inputs.package_version_override }} cilium-cli_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly.
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cilium-cli: needs: matrix-cilium-cli if: github.event_name != 'schedule' && needs.matrix-cilium-cli.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/cli53.yml b/.github/workflows/cli53.yml
index 44f6ce2f75..4936d3964a 100644
--- a/.github/workflows/cli53.yml
+++ b/.github/workflows/cli53.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cli53/** - - .github/workflows/cli53.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cli53.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/**
@@ -31,7 +34,6 @@ on: - vendor/cli53/** - .github/workflows/cli53.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: cli53_VERSION: ${{ inputs.package_version_override }} cli53_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cli53: needs: matrix-cli53 if: github.event_name != 'schedule' && needs.matrix-cli53.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/cloud-nuke.yml b/.github/workflows/cloud-nuke.yml
index 0b260d59c8..00dae988b8 100644
--- a/.github/workflows/cloud-nuke.yml
+++ b/.github/workflows/cloud-nuke.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cloud-nuke/** - - .github/workflows/cloud-nuke.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cloud-nuke.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/cloud-nuke/** - .github/workflows/cloud-nuke.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: cloud-nuke_VERSION: ${{ inputs.package_version_override }} cloud-nuke_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly.
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cloud-nuke: needs: matrix-cloud-nuke if: github.event_name != 'schedule' && needs.matrix-cloud-nuke.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/cloudflared.yml b/.github/workflows/cloudflared.yml
index e6b9f371ac..ebf770364b 100644
--- a/.github/workflows/cloudflared.yml
+++ b/.github/workflows/cloudflared.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/cloudflared/** - - .github/workflows/cloudflared.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/cloudflared.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/**
@@ -31,7 +34,6 @@ on: - vendor/cloudflared/** - .github/workflows/cloudflared.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: cloudflared_VERSION: ${{ inputs.package_version_override }} cloudflared_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly.
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-cloudflared: needs: matrix-cloudflared if: github.event_name != 'schedule' && needs.matrix-cloudflared.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/codefresh.yml b/.github/workflows/codefresh.yml
index 9d62dcb144..680039fd06 100644
--- a/.github/workflows/codefresh.yml
+++ b/.github/workflows/codefresh.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/codefresh/** - - .github/workflows/codefresh.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/codefresh.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/**
@@ -31,7 +34,6 @@ on: - vendor/codefresh/** - .github/workflows/codefresh.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override:
@@ -47,6 +49,12 @@ env: codefresh_VERSION: ${{ inputs.package_version_override }} codefresh_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-codefresh: needs: matrix-codefresh if: github.event_name != 'schedule' && needs.matrix-codefresh.outputs.apk-enabled != 'false'
@@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo"
@@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash
@@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'
diff --git a/.github/workflows/conftest.yml b/.github/workflows/conftest.yml
index 2ae67b22b3..18e3be22e5 100644
--- a/.github/workflows/conftest.yml
+++ b/.github/workflows/conftest.yml
@@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/conftest/** - - .github/workflows/conftest.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/conftest.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/conftest/** - .github/workflows/conftest.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: conftest_VERSION: ${{ inputs.package_version_override }} conftest_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-conftest: needs: matrix-conftest if: github.event_name != 'schedule' && needs.matrix-conftest.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
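Review bot: The workflow-level `permissions` block added to conftest.yml hands `packages: write`, `attestations: write` and `id-token: write` to every job, while the only use of `GITHUB_TOKEN` visible in this diff is pulling the ghcr.io builder images, which needs just `packages: read`. `id-token: write` in particular lets any step in any job mint an OIDC token that relying parties trusting this repo (cloud roles, Sigstore) will accept, so it belongs on the one job that signs or attests rather than at the top. I would keep the top-level block to `contents: read` and `packages: read` and put the write grants in a job-level `permissions:` on the attesting job — assuming that job is in a part of this file the diff does not show. A comment naming which step consumes `attestations`/`id-token` would help, since nothing in the visible hunks does.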
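Review bot: In the `alpine-conftest` container block the registry changed but the image is still chosen by a mutable tag, `ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}`, so a push to that tag on GHCR changes the environment this job builds and, per the `PACKAGER_PUBKEY` context line, presumably signs in; a digest pin (`...:${{matrix.alpine}}@sha256:<digest>`, with the digest emitted by the matrix job outside this hunk) would make that tamper-evident. `username: ${{ github.actor }}` is unquoted here but quoted in the deb/rpm container block of the same file; `username: "${{ github.actor }}"` makes them consistent. If the package on GHCR is public the credentials can be dropped, and if it is private a comment saying so would document why they are needed.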
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
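Review bot: The deb/rpm build job pulls `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest`, an unpinned tag, so the toolchain that produces the packages pushed to Cloudsmith can change between two runs of the same commit and a bad push to `latest` is invisible in this repo. Prefer a fixed tag plus digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:<tag>@sha256:<digest>`, bumped on purpose; since the comment above says the tag cannot vary by package-type, the per-type digest would need to come from the matrix job, which this hunk does not show. The pull itself needs only `packages: read`, not the workflow-level `write`.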
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/consul.yml b/.github/workflows/consul.yml index decb82380f..d2bbc6e926 100644 --- a/.github/workflows/consul.yml +++ b/.github/workflows/consul.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/consul/** - - .github/workflows/consul.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/consul.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/consul/** - .github/workflows/consul.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: consul_VERSION: ${{ inputs.package_version_override }} consul_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
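Review bot: The new top-level `permissions` in consul.yml grants `packages: write`, `attestations: write` and `id-token: write` to all jobs, but the only `GITHUB_TOKEN` use in this diff is pulling the ghcr.io builder images, which is `packages: read`. `id-token: write` at workflow scope means every step of every job can request an OIDC token that anything trusting this repo will honor, so it should be scoped to the job that actually attests or signs. Suggested top level: `contents: read` and `packages: read`, with the three write grants moved to a job-level `permissions:` on that job — if it exists in a part of the file outside this diff. A comment pointing at the consuming step would help, as nothing visible here uses attestations or OIDC.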
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-consul: needs: matrix-consul if: github.event_name != 'schedule' && needs.matrix-consul.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
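Review bot: The `alpine-consul` container image is still referenced by a mutable tag, `ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}`, so control of that tag on GHCR is control of the environment that builds and, given the `PACKAGER_PUBKEY` context line, apparently signs the apk; pinning with `@sha256:<digest>` (digest supplied by the matrix job, outside this hunk) would make the build reproducible. `username: ${{ github.actor }}` is unquoted here and quoted in the deb/rpm container block below; `username: "${{ github.actor }}"` keeps them aligned. If the GHCR package is public the credentials are unnecessary; if private, a comment saying so would explain the `GITHUB_TOKEN` wiring.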
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/ctop.yml b/.github/workflows/ctop.yml index b5d295277d..c716f1cedf 100644 --- a/.github/workflows/ctop.yml +++ b/.github/workflows/ctop.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/ctop/** - - .github/workflows/ctop.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/ctop.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
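Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` in the deb/rpm job is unpinned, so whatever is pushed to `latest` next becomes the environment that builds what gets published to Cloudsmith, without any change visible in this repo. A fixed tag plus digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:<tag>@sha256:<digest>`, bumped deliberately, closes that; as the comment above notes the tag cannot vary by package-type, so the per-type digest would have to be a matrix output, which this hunk does not show. Pulling needs only `packages: read`, not the workflow-level `write`.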
@@ -31,7 +34,6 @@ on: - vendor/ctop/** - .github/workflows/ctop.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: ctop_VERSION: ${{ inputs.package_version_override }} ctop_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-ctop: needs: matrix-ctop if: github.event_name != 'schedule' && needs.matrix-ctop.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
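Review bot: The workflow-level `permissions` added to ctop.yml gives every job `packages: write`, `attestations: write` and `id-token: write`, yet the only `GITHUB_TOKEN` consumer in this diff is the container pull from ghcr.io, which needs `packages: read`. `id-token: write` lets any step in any job obtain an OIDC token accepted by whatever trusts this repo, so it should sit on the single job that attests or signs. I would reduce the top level to `contents: read` and `packages: read` and move the write grants to a job-level `permissions:` on that job, assuming it lives in a part of the file outside this diff. A comment naming the step that consumes `attestations`/`id-token` would help future readers, since none of the visible hunks does.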
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/direnv.yml b/.github/workflows/direnv.yml index 70d31705db..671dca8ab0 100644 --- a/.github/workflows/direnv.yml +++ b/.github/workflows/direnv.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/direnv/** - - .github/workflows/direnv.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/direnv.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/direnv/** - .github/workflows/direnv.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: direnv_VERSION: ${{ inputs.package_version_override }} direnv_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
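Review bot: The top-level `permissions` block added to direnv.yml grants `packages: write`, `attestations: write` and `id-token: write` to every job, while the only `GITHUB_TOKEN` use in this diff is pulling the ghcr.io builder images, a `packages: read` operation. Workflow-scoped `id-token: write` means any step in any job can mint an OIDC token that parties trusting this repo will accept, so it belongs on the one job that attests or signs. Suggested top level: `contents: read` and `packages: read`, with the write grants moved into a job-level `permissions:` on that job — if it exists outside the part of the file shown here. A comment pointing at the consuming step would help, since nothing visible uses attestations or OIDC.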
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-direnv: needs: matrix-direnv if: github.event_name != 'schedule' && needs.matrix-direnv.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/doctl.yml b/.github/workflows/doctl.yml index 8f508941a7..33332e1013 100644 --- a/.github/workflows/doctl.yml +++ b/.github/workflows/doctl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/doctl/** - - .github/workflows/doctl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/doctl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
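Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` in the deb/rpm job is unpinned, so the next push to `latest` silently becomes the environment that builds what is published to Cloudsmith. A fixed tag plus digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:<tag>@sha256:<digest>`, bumped on purpose, closes that; the comment above notes the tag cannot vary by package-type, so the per-type digest would have to be a matrix output, which is outside this hunk. Pulling needs only `packages: read`, not the workflow-level `write`.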
@@ -31,7 +34,6 @@ on: - vendor/doctl/** - .github/workflows/doctl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: doctl_VERSION: ${{ inputs.package_version_override }} doctl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-doctl: needs: matrix-doctl if: github.event_name != 'schedule' && needs.matrix-doctl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/ec2-instance-selector.yml b/.github/workflows/ec2-instance-selector.yml index 4f4173ad21..7ce1f3206c 100644 --- a/.github/workflows/ec2-instance-selector.yml +++ b/.github/workflows/ec2-instance-selector.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/ec2-instance-selector/** - - .github/workflows/ec2-instance-selector.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/ec2-instance-selector.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/ec2-instance-selector/** - .github/workflows/ec2-instance-selector.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: ec2-instance-selector_VERSION: ${{ inputs.package_version_override }} ec2-instance-selector_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-ec2-instance-selector: needs: matrix-ec2-instance-selector if: github.event_name != 'schedule' && needs.matrix-ec2-instance-selector.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/ecspresso.yml b/.github/workflows/ecspresso.yml index 483216c7ec..244dfc219e 100644 --- a/.github/workflows/ecspresso.yml +++ b/.github/workflows/ecspresso.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/ecspresso/** - - .github/workflows/ecspresso.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/ecspresso.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/ecspresso/** - .github/workflows/ecspresso.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: ecspresso_VERSION: ${{ inputs.package_version_override }} ecspresso_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-ecspresso: needs: matrix-ecspresso if: github.event_name != 'schedule' && needs.matrix-ecspresso.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/emailcli.yml b/.github/workflows/emailcli.yml index 3adcf91f48..12523a9339 100644 --- a/.github/workflows/emailcli.yml +++ b/.github/workflows/emailcli.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/emailcli/** - - .github/workflows/emailcli.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/emailcli.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/emailcli/** - .github/workflows/emailcli.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: emailcli_VERSION: ${{ inputs.package_version_override }} emailcli_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-emailcli: needs: matrix-emailcli if: github.event_name != 'schedule' && needs.matrix-emailcli.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/envcli.yml b/.github/workflows/envcli.yml index 4e34f3a1ca..acda721c62 100644 --- a/.github/workflows/envcli.yml +++ b/.github/workflows/envcli.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/envcli/** - - .github/workflows/envcli.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/envcli.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/envcli/** - .github/workflows/envcli.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: envcli_VERSION: ${{ inputs.package_version_override }} envcli_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-envcli: needs: matrix-envcli if: github.event_name != 'schedule' && needs.matrix-envcli.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/fetch.yml b/.github/workflows/fetch.yml index aa9d3acc08..5c0fb6cf9e 100644 --- a/.github/workflows/fetch.yml +++ b/.github/workflows/fetch.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/fetch/** - - .github/workflows/fetch.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/fetch.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/fetch/** - .github/workflows/fetch.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: fetch_VERSION: ${{ inputs.package_version_override }} fetch_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-fetch: needs: matrix-fetch if: github.event_name != 'schedule' && needs.matrix-fetch.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/figurine.yml b/.github/workflows/figurine.yml index 72d820747c..7c36973891 100644 --- a/.github/workflows/figurine.yml +++ b/.github/workflows/figurine.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/figurine/** - - .github/workflows/figurine.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/figurine.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/figurine/** - .github/workflows/figurine.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: figurine_VERSION: ${{ inputs.package_version_override }} figurine_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-figurine: needs: matrix-figurine if: github.event_name != 'schedule' && needs.matrix-figurine.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/fzf.yml b/.github/workflows/fzf.yml index 95258ddd84..fc5175d9a0 100644 --- a/.github/workflows/fzf.yml +++ b/.github/workflows/fzf.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/fzf/** - - .github/workflows/fzf.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/fzf.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/fzf/** - .github/workflows/fzf.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: fzf_VERSION: ${{ inputs.package_version_override }} fzf_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-fzf: needs: matrix-fzf if: github.event_name != 'schedule' && needs.matrix-fzf.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gh.yml b/.github/workflows/gh.yml index 72b08f6cfb..6938e5f046 100644 --- a/.github/workflows/gh.yml +++ b/.github/workflows/gh.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gh/** - - .github/workflows/gh.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gh.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/gh/** - .github/workflows/gh.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gh_VERSION: ${{ inputs.package_version_override }} gh_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gh: needs: matrix-gh if: github.event_name != 'schedule' && needs.matrix-gh.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/ghr.yml b/.github/workflows/ghr.yml index 5416fe3abc..cc33f04edc 100644 --- a/.github/workflows/ghr.yml +++ b/.github/workflows/ghr.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/ghr/** - - .github/workflows/ghr.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/ghr.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/ghr/** - .github/workflows/ghr.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: ghr_VERSION: ${{ inputs.package_version_override }} ghr_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-ghr: needs: matrix-ghr if: github.event_name != 'schedule' && needs.matrix-ghr.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/github-commenter.yml b/.github/workflows/github-commenter.yml index 4188db9eb8..667d6c6835 100644 --- a/.github/workflows/github-commenter.yml +++ b/.github/workflows/github-commenter.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/github-commenter/** - - .github/workflows/github-commenter.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/github-commenter.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/github-commenter/** - .github/workflows/github-commenter.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: github-commenter_VERSION: ${{ inputs.package_version_override }} github-commenter_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-github-commenter: needs: matrix-github-commenter if: github.event_name != 'schedule' && needs.matrix-github-commenter.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml index 7d49dac6ab..7550954fb0 100644 --- a/.github/workflows/github-release.yml +++ b/.github/workflows/github-release.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/github-release/** - - .github/workflows/github-release.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/github-release.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/github-release/** - .github/workflows/github-release.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: github-release_VERSION: ${{ inputs.package_version_override }} github-release_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-github-release: needs: matrix-github-release if: github.event_name != 'schedule' && needs.matrix-github-release.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/github-status-updater.yml b/.github/workflows/github-status-updater.yml index c224d99b3b..4d1dce542f 100644 --- a/.github/workflows/github-status-updater.yml +++ b/.github/workflows/github-status-updater.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/github-status-updater/** - - .github/workflows/github-status-updater.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/github-status-updater.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/github-status-updater/** - .github/workflows/github-status-updater.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: github-status-updater_VERSION: ${{ inputs.package_version_override }} github-status-updater_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-github-status-updater: needs: matrix-github-status-updater if: github.event_name != 'schedule' && needs.matrix-github-status-updater.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index c80d831ccc..969fe4b2a0 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gitleaks/** - - .github/workflows/gitleaks.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gitleaks.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/gitleaks/** - .github/workflows/gitleaks.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gitleaks_VERSION: ${{ inputs.package_version_override }} gitleaks_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gitleaks: needs: matrix-gitleaks if: github.event_name != 'schedule' && needs.matrix-gitleaks.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/go-jsonnet.yml b/.github/workflows/go-jsonnet.yml index faa7154773..320230a149 100644 --- a/.github/workflows/go-jsonnet.yml +++ b/.github/workflows/go-jsonnet.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/go-jsonnet/** - - .github/workflows/go-jsonnet.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/go-jsonnet.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/go-jsonnet/** - .github/workflows/go-jsonnet.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: go-jsonnet_VERSION: ${{ inputs.package_version_override }} go-jsonnet_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-go-jsonnet: needs: matrix-go-jsonnet if: github.event_name != 'schedule' && needs.matrix-go-jsonnet.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gomplate.yml b/.github/workflows/gomplate.yml index 1993a30162..e4fc88804e 100644 --- a/.github/workflows/gomplate.yml +++ b/.github/workflows/gomplate.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gomplate/** - - .github/workflows/gomplate.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gomplate.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/gomplate/** - .github/workflows/gomplate.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gomplate_VERSION: ${{ inputs.package_version_override }} gomplate_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gomplate: needs: matrix-gomplate if: github.event_name != 'schedule' && needs.matrix-gomplate.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gonsul.yml b/.github/workflows/gonsul.yml index 1b396fce3c..b9d9ecdd6e 100644 --- a/.github/workflows/gonsul.yml +++ b/.github/workflows/gonsul.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gonsul/** - - .github/workflows/gonsul.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gonsul.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/gonsul/** - .github/workflows/gonsul.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gonsul_VERSION: ${{ inputs.package_version_override }} gonsul_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gonsul: needs: matrix-gonsul if: github.event_name != 'schedule' && needs.matrix-gonsul.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/goofys.yml b/.github/workflows/goofys.yml index fd25716638..76f494c4b8 100644 --- a/.github/workflows/goofys.yml +++ b/.github/workflows/goofys.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/goofys/** - - .github/workflows/goofys.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/goofys.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/goofys/** - .github/workflows/goofys.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: goofys_VERSION: ${{ inputs.package_version_override }} goofys_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-goofys: needs: matrix-goofys if: github.event_name != 'schedule' && needs.matrix-goofys.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gosu.yml b/.github/workflows/gosu.yml index be83d797e8..e90c1a4fdd 100644 --- a/.github/workflows/gosu.yml +++ b/.github/workflows/gosu.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gosu/** - - .github/workflows/gosu.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gosu.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/gosu/** - .github/workflows/gosu.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gosu_VERSION: ${{ inputs.package_version_override }} gosu_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gosu: needs: matrix-gosu if: github.event_name != 'schedule' && needs.matrix-gosu.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
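Review bot: The workflow-level `permissions:` block added in the `@@ -47,6 +49,12` hunk grants `packages: write`, `attestations: write` and `id-token: write` to every job in gosu.yml, but the only use of `GITHUB_TOKEN` visible in this patch is the container `credentials:` that pull the build image from ghcr.io, which needs `packages: read`; the built artifacts are pushed to Cloudsmith with its own API key, not to ghcr.io. Unless a step outside these hunks publishes to ghcr.io or produces attestations, keep the top-level block at `contents: read` and `packages: read` and declare the write scopes on the one job that needs them, so the OIDC token and package-write grant are not handed to every job in the workflow. The identical block is added in gotop, grpcurl, hcledit, helm, helm2, helm3, helmfile and htmltest, and presumably in the other workflows of this patch.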
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/gotop.yml b/.github/workflows/gotop.yml index 731e71eb15..351be716c7 100644 --- a/.github/workflows/gotop.yml +++ b/.github/workflows/gotop.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/gotop/** - - .github/workflows/gotop.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/gotop.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/gotop/** - .github/workflows/gotop.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: gotop_VERSION: ${{ inputs.package_version_override }} gotop_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-gotop: needs: matrix-gotop if: github.event_name != 'schedule' && needs.matrix-gotop.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/grpcurl.yml b/.github/workflows/grpcurl.yml index 44b07d338d..ed0b54b024 100644 --- a/.github/workflows/grpcurl.yml +++ b/.github/workflows/grpcurl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/grpcurl/** - - .github/workflows/grpcurl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/grpcurl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/grpcurl/** - .github/workflows/grpcurl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: grpcurl_VERSION: ${{ inputs.package_version_override }} grpcurl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-grpcurl: needs: matrix-grpcurl if: github.event_name != 'schedule' && needs.matrix-grpcurl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/hcledit.yml b/.github/workflows/hcledit.yml index 8f19780946..8827aabc38 100644 --- a/.github/workflows/hcledit.yml +++ b/.github/workflows/hcledit.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/hcledit/** - - .github/workflows/hcledit.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/hcledit.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/hcledit/** - .github/workflows/hcledit.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: hcledit_VERSION: ${{ inputs.package_version_override }} hcledit_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-hcledit: needs: matrix-hcledit if: github.event_name != 'schedule' && needs.matrix-hcledit.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index f6ec1d892a..c10fac9b6f 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/helm/** - - .github/workflows/helm.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/helm.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/helm/** - .github/workflows/helm.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: helm_VERSION: ${{ inputs.package_version_override }} helm_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-helm: needs: matrix-helm if: github.event_name != 'schedule' && needs.matrix-helm.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/helm2.yml b/.github/workflows/helm2.yml index 813bd7678d..e1e1b2e349 100644 --- a/.github/workflows/helm2.yml +++ b/.github/workflows/helm2.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/helm2/** - - .github/workflows/helm2.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/helm2.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/helm2/** - .github/workflows/helm2.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: helm2_VERSION: ${{ inputs.package_version_override }} helm2_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-helm2: needs: matrix-helm2 if: github.event_name != 'schedule' && needs.matrix-helm2.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/helm3.yml b/.github/workflows/helm3.yml index 937ef09f3d..204574905b 100644 --- a/.github/workflows/helm3.yml +++ b/.github/workflows/helm3.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/helm3/** - - .github/workflows/helm3.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/helm3.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/helm3/** - .github/workflows/helm3.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: helm3_VERSION: ${{ inputs.package_version_override }} helm3_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-helm3: needs: matrix-helm3 if: github.event_name != 'schedule' && needs.matrix-helm3.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/helmfile.yml b/.github/workflows/helmfile.yml index ac34c51468..d1d5f506a3 100644 --- a/.github/workflows/helmfile.yml +++ b/.github/workflows/helmfile.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/helmfile/** - - .github/workflows/helmfile.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/helmfile.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/helmfile/** - .github/workflows/helmfile.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: helmfile_VERSION: ${{ inputs.package_version_override }} helmfile_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-helmfile: needs: matrix-helmfile if: github.event_name != 'schedule' && needs.matrix-helmfile.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/htmltest.yml b/.github/workflows/htmltest.yml index 55c1bfb2d9..698f1554f1 100644 --- a/.github/workflows/htmltest.yml +++ b/.github/workflows/htmltest.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/htmltest/** - - .github/workflows/htmltest.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/htmltest.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
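Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` in the `@@ -199,10 +204,10 @@` hunk of helmfile.yml still selects the build container by the mutable `latest` tag, so the image that produces the deb/rpm artifacts later pushed to Cloudsmith can change with no commit in this repository. The `latest` tag predates this patch, but moving registries is the natural point to pin by digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<DIGEST-PLACEHOLDER>`, or at least by a version tag as the alpine job does with `${{matrix.alpine}}`. The same consideration applies to `uses: cloudsmith-io/action@v0.6.10` in the `@@ -250,7 +252,7 @@` hunk, where a commit SHA with the version in a trailing comment is the usual pin for a third-party action that receives `secrets.CLOUDSMITH_API_KEY`. Both hunks are repeated in every other workflow in this patch.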
@@ -31,7 +34,6 @@ on: - vendor/htmltest/** - .github/workflows/htmltest.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: htmltest_VERSION: ${{ inputs.package_version_override }} htmltest_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-htmltest: needs: matrix-htmltest if: github.event_name != 'schedule' && needs.matrix-htmltest.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml index c9715f62d4..14410151f1 100644 --- a/.github/workflows/hugo.yml +++ b/.github/workflows/hugo.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/hugo/** - - .github/workflows/hugo.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/hugo.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/hugo/** - .github/workflows/hugo.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: hugo_VERSION: ${{ inputs.package_version_override }} hugo_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-hugo: needs: matrix-hugo if: github.event_name != 'schedule' && needs.matrix-hugo.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/infracost.yml b/.github/workflows/infracost.yml index 1633aaab80..95928745cb 100644 --- a/.github/workflows/infracost.yml +++ b/.github/workflows/infracost.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/infracost/** - - .github/workflows/infracost.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/infracost.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/infracost/** - .github/workflows/infracost.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: infracost_VERSION: ${{ inputs.package_version_override }} infracost_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-infracost: needs: matrix-infracost if: github.event_name != 'schedule' && needs.matrix-infracost.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/jp.yml b/.github/workflows/jp.yml index d69d186476..57d0e94116 100644 --- a/.github/workflows/jp.yml +++ b/.github/workflows/jp.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/jp/** - - .github/workflows/jp.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/jp.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/jp/** - .github/workflows/jp.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: jp_VERSION: ${{ inputs.package_version_override }} jp_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-jp: needs: matrix-jp if: github.event_name != 'schedule' && needs.matrix-jp.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/json2hcl.yml b/.github/workflows/json2hcl.yml index c537cda767..2e19511126 100644 --- a/.github/workflows/json2hcl.yml +++ b/.github/workflows/json2hcl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/json2hcl/** - - .github/workflows/json2hcl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/json2hcl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/json2hcl/** - .github/workflows/json2hcl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: json2hcl_VERSION: ${{ inputs.package_version_override }} json2hcl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-json2hcl: needs: matrix-json2hcl if: github.event_name != 'schedule' && needs.matrix-json2hcl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/jx.yml b/.github/workflows/jx.yml index b6f0b8f449..75518bcb65 100644 --- a/.github/workflows/jx.yml +++ b/.github/workflows/jx.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/jx/** - - .github/workflows/jx.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/jx.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/jx/** - .github/workflows/jx.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: jx_VERSION: ${{ inputs.package_version_override }} jx_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-jx: needs: matrix-jx if: github.event_name != 'schedule' && needs.matrix-jx.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/k3d.yml b/.github/workflows/k3d.yml index 361770e2b3..0ba8f79644 100644 --- a/.github/workflows/k3d.yml +++ b/.github/workflows/k3d.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/k3d/** - - .github/workflows/k3d.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/k3d.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/k3d/** - .github/workflows/k3d.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: k3d_VERSION: ${{ inputs.package_version_override }} k3d_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-k3d: needs: matrix-k3d if: github.event_name != 'schedule' && needs.matrix-k3d.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/k6.yml b/.github/workflows/k6.yml index cb663e3a46..f8ad207fb6 100644 --- a/.github/workflows/k6.yml +++ b/.github/workflows/k6.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/k6/** - - .github/workflows/k6.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/k6.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/k6/** - .github/workflows/k6.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: k6_VERSION: ${{ inputs.package_version_override }} k6_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-k6: needs: matrix-k6 if: github.event_name != 'schedule' && needs.matrix-k6.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/k9s.yml b/.github/workflows/k9s.yml index 11b2a6b47c..5e52bb8de4 100644 --- a/.github/workflows/k9s.yml +++ b/.github/workflows/k9s.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/k9s/** - - .github/workflows/k9s.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/k9s.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/k9s/** - .github/workflows/k9s.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: k9s_VERSION: ${{ inputs.package_version_override }} k9s_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-k9s: needs: matrix-k9s if: github.event_name != 'schedule' && needs.matrix-k9s.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/katafygio.yml b/.github/workflows/katafygio.yml index 7c04077ebb..f0d70d8b66 100644 --- a/.github/workflows/katafygio.yml +++ b/.github/workflows/katafygio.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/katafygio/** - - .github/workflows/katafygio.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/katafygio.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/katafygio/** - .github/workflows/katafygio.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: katafygio_VERSION: ${{ inputs.package_version_override }} katafygio_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-katafygio: needs: matrix-katafygio if: github.event_name != 'schedule' && needs.matrix-katafygio.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kfctl.yml b/.github/workflows/kfctl.yml index fe2e8c406f..3e7e61a42b 100644 --- a/.github/workflows/kfctl.yml +++ b/.github/workflows/kfctl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kfctl/** - - .github/workflows/kfctl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kfctl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/kfctl/** - .github/workflows/kfctl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kfctl_VERSION: ${{ inputs.package_version_override }} kfctl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kfctl: needs: matrix-kfctl if: github.event_name != 'schedule' && needs.matrix-kfctl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kind.yml b/.github/workflows/kind.yml index f86db10388..5f6c12c5b4 100644 --- a/.github/workflows/kind.yml +++ b/.github/workflows/kind.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kind/** - - .github/workflows/kind.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kind.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kind/** - .github/workflows/kind.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kind_VERSION: ${{ inputs.package_version_override }} kind_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kind: needs: matrix-kind if: github.event_name != 'schedule' && needs.matrix-kind.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kops.yml b/.github/workflows/kops.yml index 77b9ebb1f7..37478ef12a 100644 --- a/.github/workflows/kops.yml +++ b/.github/workflows/kops.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kops/** - - .github/workflows/kops.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kops.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/kops/** - .github/workflows/kops.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kops_VERSION: ${{ inputs.package_version_override }} kops_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kops: needs: matrix-kops if: github.event_name != 'schedule' && needs.matrix-kops.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/krew.yml b/.github/workflows/krew.yml index 148b267214..b69b4ebb64 100644 --- a/.github/workflows/krew.yml +++ b/.github/workflows/krew.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/krew/** - - .github/workflows/krew.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/krew.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/krew/** - .github/workflows/krew.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: krew_VERSION: ${{ inputs.package_version_override }} krew_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-krew: needs: matrix-krew if: github.event_name != 'schedule' && needs.matrix-krew.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubecron.yml b/.github/workflows/kubecron.yml index 9c1738982d..ba57ebe970 100644 --- a/.github/workflows/kubecron.yml +++ b/.github/workflows/kubecron.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubecron/** - - .github/workflows/kubecron.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubecron.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/kubecron/** - .github/workflows/kubecron.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kubecron_VERSION: ${{ inputs.package_version_override }} kubecron_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubecron: needs: matrix-kubecron if: github.event_name != 'schedule' && needs.matrix-kubecron.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.13.yml b/.github/workflows/kubectl-1.13.yml index 40490d2d1d..dfbe125f79 100644 --- a/.github/workflows/kubectl-1.13.yml +++ b/.github/workflows/kubectl-1.13.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.13/** - - .github/workflows/kubectl-1.13.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.13.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.13/** - .github/workflows/kubectl-1.13.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.13_VERSION: ${{ inputs.package_version_override }} kubectl-1.13_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_13: needs: matrix-kubectl-1_13 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_13.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
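Review bot: The new workflow-level `permissions` block grants `packages: write`, `attestations: write` and `id-token: write` to every job in this workflow, while the only use of `GITHUB_TOKEN` visible in this diff is pulling the builder images from ghcr.io, which needs `packages: read`. Nothing in these hunks pushes a package, requests an OIDC token or writes an attestation, so if a step elsewhere in the file needs those scopes, grant them in that job's own `permissions:` and reduce the top-level block to `contents: read` / `packages: read`. Keep in mind that on `pull_request` runs from forks the token is read-only regardless of this block, so the workflow cannot depend on the write scopes being present on every trigger.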
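Review bot: `username: ${{ github.actor }}` in the new `credentials` block is left unquoted here but quoted in the sibling job of this same file; write it as `username: "${{ github.actor }}"` in both places so the two jobs do not drift in a later mass edit. Separately, `ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}` is a mutable tag, and since the apk packages appear to be built and signed inside this container (the PACKAGER_PUBKEY path just above suggests so), whoever can push that tag to the cloudposse GHCR organization controls the published package contents. Changing registries is the moment to pin by digest, for example by adding a digest entry alongside `alpine` in the matrix (defined outside this hunk) and referencing `packages-apkbuild:${{matrix.alpine}}@${{matrix.digest}}`.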
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
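Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` ties the build environment to a floating `latest` tag, so each deb or rpm pushed to Cloudsmith from this job is produced by whatever image was last pushed to that GHCR package, and nothing records which builder produced a given artifact. The comment above the hunk says the tag cannot vary by package-type, but a digest can: add a per-package-type digest field to the matrix (defined outside this hunk) and reference `build:latest@${{ matrix.digest }}`, bumping it deliberately when the builder changes. Since `GITHUB_TOKEN` is now the pull credential, `packages: read` is all this needs, and on forked `pull_request` runs the token is read-only, so if this image is private those runs will fail at container start rather than at the Cloudsmith push.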
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.14.yml b/.github/workflows/kubectl-1.14.yml index ee064401e5..6d3763b5c8 100644 --- a/.github/workflows/kubectl-1.14.yml +++ b/.github/workflows/kubectl-1.14.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.14/** - - .github/workflows/kubectl-1.14.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.14.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.14/** - .github/workflows/kubectl-1.14.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.14_VERSION: ${{ inputs.package_version_override }} kubectl-1.14_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_14: needs: matrix-kubectl-1_14 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_14.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.15.yml b/.github/workflows/kubectl-1.15.yml index da522b853a..52f8e458f7 100644 --- a/.github/workflows/kubectl-1.15.yml +++ b/.github/workflows/kubectl-1.15.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.15/** - - .github/workflows/kubectl-1.15.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.15.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.15/** - .github/workflows/kubectl-1.15.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.15_VERSION: ${{ inputs.package_version_override }} kubectl-1.15_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_15: needs: matrix-kubectl-1_15 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_15.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.16.yml b/.github/workflows/kubectl-1.16.yml index 6130180701..c9a226fb75 100644 --- a/.github/workflows/kubectl-1.16.yml +++ b/.github/workflows/kubectl-1.16.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.16/** - - .github/workflows/kubectl-1.16.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.16.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.16/** - .github/workflows/kubectl-1.16.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.16_VERSION: ${{ inputs.package_version_override }} kubectl-1.16_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_16: needs: matrix-kubectl-1_16 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_16.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.17.yml b/.github/workflows/kubectl-1.17.yml index 2ec13f5159..5cb8533052 100644 --- a/.github/workflows/kubectl-1.17.yml +++ b/.github/workflows/kubectl-1.17.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.17/** - - .github/workflows/kubectl-1.17.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.17.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.17/** - .github/workflows/kubectl-1.17.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.17_VERSION: ${{ inputs.package_version_override }} kubectl-1.17_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_17: needs: matrix-kubectl-1_17 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_17.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.18.yml b/.github/workflows/kubectl-1.18.yml index 9e9391f047..aa8c3d260e 100644 --- a/.github/workflows/kubectl-1.18.yml +++ b/.github/workflows/kubectl-1.18.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.18/** - - .github/workflows/kubectl-1.18.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.18.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.18/** - .github/workflows/kubectl-1.18.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.18_VERSION: ${{ inputs.package_version_override }} kubectl-1.18_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_18: needs: matrix-kubectl-1_18 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_18.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.19.yml b/.github/workflows/kubectl-1.19.yml index b794b48062..0011288957 100644 --- a/.github/workflows/kubectl-1.19.yml +++ b/.github/workflows/kubectl-1.19.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.19/** - - .github/workflows/kubectl-1.19.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.19.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.19/** - .github/workflows/kubectl-1.19.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.19_VERSION: ${{ inputs.package_version_override }} kubectl-1.19_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_19: needs: matrix-kubectl-1_19 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_19.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.20.yml b/.github/workflows/kubectl-1.20.yml index ef3bffe44c..18128f5009 100644 --- a/.github/workflows/kubectl-1.20.yml +++ b/.github/workflows/kubectl-1.20.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.20/** - - .github/workflows/kubectl-1.20.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.20.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.20/** - .github/workflows/kubectl-1.20.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.20_VERSION: ${{ inputs.package_version_override }} kubectl-1.20_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_20: needs: matrix-kubectl-1_20 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_20.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
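Review bot: The added top-level `permissions:` block grants `packages: write`, `attestations: write` and `id-token: write` to every job in the workflow, including the matrix and build jobs that, as far as this diff shows, only pull the build image from ghcr.io. Pulling needs only `packages: read`, and `id-token: write` lets any step in any job mint an OIDC token, so a compromised third-party action anywhere in the workflow receives more than it needs. Moving the write scopes to a job-level `permissions:` on the job that publishes or attests would keep the workflow default at read-only; no attestation step is visible in this diff, so the consumer of `attestations: write` is presumably outside the hunks. The same block is added in each kubectl-1.2x.yml file.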
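Review bot: `username: ${{ github.actor }}` in the `@@ -96,10 +104,10 @@` hunk is left unquoted while the `@@ -199,10 +204,10 @@` hunk in the same file writes `username: "${{ github.actor }}"`; both parse the same way, but quoting templated scalars consistently (matching the quoted `password:` line beside it) is the safer habit. Separately, `github.actor` with `secrets.GITHUB_TOKEN` is enough to pull a public ghcr.io image, but for `pull_request` runs from forks the token is read-only and may not be able to pull a private one; a comment stating whether the build images are public would make that assumption explicit. The same pattern appears in the alpine-container hunk of each kubectl-1.2x.yml file.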
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.21.yml b/.github/workflows/kubectl-1.21.yml index 1ad2e46b39..19b1dd13d0 100644 --- a/.github/workflows/kubectl-1.21.yml +++ b/.github/workflows/kubectl-1.21.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.21/** - - .github/workflows/kubectl-1.21.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.21.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.21/** - .github/workflows/kubectl-1.21.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.21_VERSION: ${{ inputs.package_version_override }} kubectl-1.21_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_21: needs: matrix-kubectl-1_21 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_21.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.22.yml b/.github/workflows/kubectl-1.22.yml index 36a7e75cac..2c4751298a 100644 --- a/.github/workflows/kubectl-1.22.yml +++ b/.github/workflows/kubectl-1.22.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.22/** - - .github/workflows/kubectl-1.22.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.22.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.22/** - .github/workflows/kubectl-1.22.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.22_VERSION: ${{ inputs.package_version_override }} kubectl-1.22_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_22: needs: matrix-kubectl-1_22 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_22.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.23.yml b/.github/workflows/kubectl-1.23.yml index c82e738059..e91aa2cb1f 100644 --- a/.github/workflows/kubectl-1.23.yml +++ b/.github/workflows/kubectl-1.23.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.23/** - - .github/workflows/kubectl-1.23.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.23.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.23/** - .github/workflows/kubectl-1.23.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.23_VERSION: ${{ inputs.package_version_override }} kubectl-1.23_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_23: needs: matrix-kubectl-1_23 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_23.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.24.yml b/.github/workflows/kubectl-1.24.yml index 54e1a9b078..ae0bb05001 100644 --- a/.github/workflows/kubectl-1.24.yml +++ b/.github/workflows/kubectl-1.24.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.24/** - - .github/workflows/kubectl-1.24.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.24.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.24/** - .github/workflows/kubectl-1.24.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.24_VERSION: ${{ inputs.package_version_override }} kubectl-1.24_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_24: needs: matrix-kubectl-1_24 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_24.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.25.yml b/.github/workflows/kubectl-1.25.yml index 04a245a40c..97a4ffb01d 100644 --- a/.github/workflows/kubectl-1.25.yml +++ b/.github/workflows/kubectl-1.25.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.25/** - - .github/workflows/kubectl-1.25.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.25.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.25/** - .github/workflows/kubectl-1.25.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.25_VERSION: ${{ inputs.package_version_override }} kubectl-1.25_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_25: needs: matrix-kubectl-1_25 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_25.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.26.yml b/.github/workflows/kubectl-1.26.yml index 3a22e5c19a..cf38ff0706 100644 --- a/.github/workflows/kubectl-1.26.yml +++ b/.github/workflows/kubectl-1.26.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.26/** - - .github/workflows/kubectl-1.26.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.26.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.26/** - .github/workflows/kubectl-1.26.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.26_VERSION: ${{ inputs.package_version_override }} kubectl-1.26_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_26: needs: matrix-kubectl-1_26 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_26.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.27.yml b/.github/workflows/kubectl-1.27.yml index aa3d657dd8..ce92353ded 100644 --- a/.github/workflows/kubectl-1.27.yml +++ b/.github/workflows/kubectl-1.27.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.27/** - - .github/workflows/kubectl-1.27.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.27.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.27/** - .github/workflows/kubectl-1.27.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.27_VERSION: ${{ inputs.package_version_override }} kubectl-1.27_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_27: needs: matrix-kubectl-1_27 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_27.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
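Review bot: The `@@ -199,10 +204,10 @@` hunk moves the build container to `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` but keeps the mutable `:latest` tag, so the image that compiles and signs the published deb/rpm artifacts can change underneath the workflow without any diff in this repository; the `packages-apkbuild:${{matrix.alpine}}` tag in the earlier hunk has the same property. Pinning by digest, e.g. `image: ghcr.io/cloudposse/packages-debbuild@sha256:<digest>` supplied per matrix entry, or at minimum by an immutable version tag, ties each build to a reviewed image. If the matrix makes per-digest pinning awkward, a single `build-image-digest` matrix field the template fills in would keep it manageable. Same comment for the corresponding hunks in the other eight workflows in this chunk.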
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.28.yml b/.github/workflows/kubectl-1.28.yml index 83a464a385..68fd9a2535 100644 --- a/.github/workflows/kubectl-1.28.yml +++ b/.github/workflows/kubectl-1.28.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.28/** - - .github/workflows/kubectl-1.28.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.28.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.28/** - .github/workflows/kubectl-1.28.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.28_VERSION: ${{ inputs.package_version_override }} kubectl-1.28_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_28: needs: matrix-kubectl-1_28 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_28.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.29.yml b/.github/workflows/kubectl-1.29.yml index 8b04cab6b5..810a1f7c60 100644 --- a/.github/workflows/kubectl-1.29.yml +++ b/.github/workflows/kubectl-1.29.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.29/** - - .github/workflows/kubectl-1.29.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.29.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.29/** - .github/workflows/kubectl-1.29.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.29_VERSION: ${{ inputs.package_version_override }} kubectl-1.29_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_29: needs: matrix-kubectl-1_29 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_29.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl-1.30.yml b/.github/workflows/kubectl-1.30.yml index 47bda28c7f..931ff93d33 100644 --- a/.github/workflows/kubectl-1.30.yml +++ b/.github/workflows/kubectl-1.30.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl-1.30/** - - .github/workflows/kubectl-1.30.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl-1.30.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl-1.30/** - .github/workflows/kubectl-1.30.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: kubectl-1.30_VERSION: ${{ inputs.package_version_override }} kubectl-1.30_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl-1_30: needs: matrix-kubectl-1_30 if: github.event_name != 'schedule' && needs.matrix-kubectl-1_30.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectl.yml b/.github/workflows/kubectl.yml index 185b080842..53d539f1df 100644 --- a/.github/workflows/kubectl.yml +++ b/.github/workflows/kubectl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectl/** - - .github/workflows/kubectl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubectl/** - .github/workflows/kubectl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kubectl_VERSION: ${{ inputs.package_version_override }} kubectl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectl: needs: matrix-kubectl if: github.event_name != 'schedule' && needs.matrix-kubectl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubectx.yml b/.github/workflows/kubectx.yml index 571aa09e8d..fc9103b52f 100644 --- a/.github/workflows/kubectx.yml +++ b/.github/workflows/kubectx.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubectx/** - - .github/workflows/kubectx.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubectx.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/kubectx/** - .github/workflows/kubectx.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kubectx_VERSION: ${{ inputs.package_version_override }} kubectx_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubectx: needs: matrix-kubectx if: github.event_name != 'schedule' && needs.matrix-kubectx.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubens.yml b/.github/workflows/kubens.yml index a7569e5638..b130e2068e 100644 --- a/.github/workflows/kubens.yml +++ b/.github/workflows/kubens.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubens/** - - .github/workflows/kubens.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubens.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/kubens/** - .github/workflows/kubens.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kubens_VERSION: ${{ inputs.package_version_override }} kubens_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubens: needs: matrix-kubens if: github.event_name != 'schedule' && needs.matrix-kubens.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/kubeval.yml b/.github/workflows/kubeval.yml index 82da031d4f..11215537b3 100644 --- a/.github/workflows/kubeval.yml +++ b/.github/workflows/kubeval.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/kubeval/** - - .github/workflows/kubeval.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/kubeval.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/kubeval/** - .github/workflows/kubeval.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: kubeval_VERSION: ${{ inputs.package_version_override }} kubeval_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-kubeval: needs: matrix-kubeval if: github.event_name != 'schedule' && needs.matrix-kubeval.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/lazydocker.yml b/.github/workflows/lazydocker.yml index 1230a20124..9c4f0204aa 100644 --- a/.github/workflows/lazydocker.yml +++ b/.github/workflows/lazydocker.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/lazydocker/** - - .github/workflows/lazydocker.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/lazydocker.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/lazydocker/** - .github/workflows/lazydocker.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: lazydocker_VERSION: ${{ inputs.package_version_override }} lazydocker_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
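Review bot: The `permissions` block added after the `env` section is workflow-wide, so every job in this file — including the `matrix-lazydocker` job, which as far as the visible hunks show only feeds outputs to the build jobs — receives `packages: write`, `attestations: write` and `id-token: write`. Nothing visible in this patch uses OIDC or attestations, and the ghcr.io pulls it adds only need `packages: read`; if a step outside this chunk does attest or push, the least-privilege form is `permissions: { contents: read }` at the top and the write scopes declared under `permissions:` on that one job. If no such step exists yet, `packages: read` should replace `packages: write` until it does. `id-token: write` in particular lets any job in the workflow mint an OIDC token that a cloud trust policy scoped to this repository would accept, so it deserves the narrowest possible scope.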
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-lazydocker: needs: matrix-lazydocker if: github.event_name != 'schedule' && needs.matrix-lazydocker.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
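Review bot: `username: ${{ github.actor }}` in the alpine job's container `credentials` is unquoted, while the equivalent line in this patch's other container block is written `username: "${{ github.actor }}"`; pick one form, preferably the quoted one, so the two blocks stay in sync. For a pull from ghcr.io the `GITHUB_TOKEN` passed as `password` only needs `packages: read`, so this block on its own does not justify a `packages: write` grant. The builder is referenced by the mutable tag `:${{matrix.alpine}}`; if reproducible builds are a goal, pinning by digest (`ghcr.io/cloudposse/packages-apkbuild@sha256:…`, which would need the matrix job to emit one digest per Alpine version) makes the build input immutable and auditable.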
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/lectl.yml b/.github/workflows/lectl.yml index 9760c7cf22..f5fb9b3d4a 100644 --- a/.github/workflows/lectl.yml +++ b/.github/workflows/lectl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/lectl/** - - .github/workflows/lectl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/lectl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
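Review bot: `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` keeps a mutable `:latest` tag for the builder that produces the published packages, so whatever was last pushed to that ghcr.io repository silently becomes part of every build; the pre-existing comment above it explains only why the tag cannot vary by package type, not why it cannot be pinned. A digest pin per package type (`…build@sha256:…`, resolved in the matrix job or a small lookup map) would make the build input immutable and auditable. The same reasoning applies to the tag-only `cloudsmith-io/action@v0.6.10` reference in the preceding hunk, which receives `CLOUDSMITH_API_KEY`; pinning it to the full commit SHA of that tag, with `# v0.6.10` kept as a trailing comment, removes the tag-retargeting risk.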
@@ -31,7 +34,6 @@ on: - vendor/lectl/** - .github/workflows/lectl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: lectl_VERSION: ${{ inputs.package_version_override }} lectl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-lectl: needs: matrix-lectl if: github.event_name != 'schedule' && needs.matrix-lectl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/minikube.yml b/.github/workflows/minikube.yml index a824f082c0..7212c17c32 100644 --- a/.github/workflows/minikube.yml +++ b/.github/workflows/minikube.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/minikube/** - - .github/workflows/minikube.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/minikube.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/minikube/** - .github/workflows/minikube.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: minikube_VERSION: ${{ inputs.package_version_override }} minikube_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-minikube: needs: matrix-minikube if: github.event_name != 'schedule' && needs.matrix-minikube.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/misspell.yml b/.github/workflows/misspell.yml index e762fc355c..0ef339300a 100644 --- a/.github/workflows/misspell.yml +++ b/.github/workflows/misspell.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/misspell/** - - .github/workflows/misspell.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/misspell.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/misspell/** - .github/workflows/misspell.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: misspell_VERSION: ${{ inputs.package_version_override }} misspell_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-misspell: needs: matrix-misspell if: github.event_name != 'schedule' && needs.matrix-misspell.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/opa.yml b/.github/workflows/opa.yml index 6f944753d9..4c5d30d787 100644 --- a/.github/workflows/opa.yml +++ b/.github/workflows/opa.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/opa/** - - .github/workflows/opa.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/opa.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/opa/** - .github/workflows/opa.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: opa_VERSION: ${{ inputs.package_version_override }} opa_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-opa: needs: matrix-opa if: github.event_name != 'schedule' && needs.matrix-opa.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index bc64bb1fb9..e5872400d7 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/pack/** - - .github/workflows/pack.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/pack.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/pack/** - .github/workflows/pack.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: pack_VERSION: ${{ inputs.package_version_override }} pack_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-pack: needs: matrix-pack if: github.event_name != 'schedule' && needs.matrix-pack.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/packer.yml b/.github/workflows/packer.yml index a748ba4580..fd298bf8f9 100644 --- a/.github/workflows/packer.yml +++ b/.github/workflows/packer.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/packer/** - - .github/workflows/packer.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/packer.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/packer/** - .github/workflows/packer.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: packer_VERSION: ${{ inputs.package_version_override }} packer_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-packer: needs: matrix-packer if: github.event_name != 'schedule' && needs.matrix-packer.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/pandoc.yml b/.github/workflows/pandoc.yml index 6055a314f9..a5bf6b6a95 100644 --- a/.github/workflows/pandoc.yml +++ b/.github/workflows/pandoc.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/pandoc/** - - .github/workflows/pandoc.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/pandoc.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/pandoc/** - .github/workflows/pandoc.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: pandoc_VERSION: ${{ inputs.package_version_override }} pandoc_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-pandoc: needs: matrix-pandoc if: github.event_name != 'schedule' && needs.matrix-pandoc.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
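Review bot: The workflow-level `permissions` block added in the `@@ -47,6 +49,12 @@` hunk of pandoc.yml grants `packages: write`, `attestations: write` and `id-token: write` to every job in the file, while the only `GITHUB_TOKEN` use visible in these hunks is pulling the builder image from ghcr.io, which needs no more than `packages: read`. I would leave the top level at `contents: read` plus `packages: read` and put the write scopes on the `permissions:` key of whichever job actually publishes a package or produces an attestation, if such a job exists outside the visible hunks. GitHub documents that `GITHUB_TOKEN` is read-only on `pull_request` runs from forks, so the broad grant mostly widens what a compromised step can do on pushes and `workflow_dispatch` runs from this repository. Nothing shown here uses `attestations: write` or `id-token: write`; if no attestation step was added in this commit they are latent privilege and should be dropped.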
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
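Review bot: The third-party publish step in the `@@ -145,7 +150,7 @@` hunk of pandoc.yml is pinned by tag (`cloudsmith-io/action@v0.6.10`) while receiving `secrets.CLOUDSMITH_API_KEY`, which puts the publishing credential one moved tag away from arbitrary upstream code. Pin it to the commit SHA and keep the tag as a comment, `uses: cloudsmith-io/action@<commit sha>  # v0.6.10`, so the bump from 0.5.4 and any later one is a visible diff of an immutable reference. The same change applies to the second push step further down the file, shown in the `@@ -250,7 +252,7 @@` hunk on the next line. The step's `with:` mapping runs past the end of this hunk.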
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/pgmetrics.yml b/.github/workflows/pgmetrics.yml index 44d5675709..831aed1736 100644 --- a/.github/workflows/pgmetrics.yml +++ b/.github/workflows/pgmetrics.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/pgmetrics/** - - .github/workflows/pgmetrics.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/pgmetrics.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/pgmetrics/** - .github/workflows/pgmetrics.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: pgmetrics_VERSION: ${{ inputs.package_version_override }} pgmetrics_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
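Review bot: In pgmetrics.yml the new top-level `permissions` block in the `@@ -47,6 +49,12 @@` hunk hands `packages: write`, `attestations: write` and `id-token: write` to every job, including the matrix job that only computes outputs and the build jobs that only need to pull from ghcr.io (`packages: read`). Restricting the top level to `contents: read` and `packages: read`, and granting the write scopes on the job that needs them via a job-level `permissions:` key, keeps a compromised build step from minting an OIDC token or pushing to the package registry. If no step in this workflow creates an attestation, `attestations: write` and `id-token: write` have no consumer and should not be granted at all. The `jobs:` mapping that follows the block continues well beyond the hunk.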
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-pgmetrics: needs: matrix-pgmetrics if: github.event_name != 'schedule' && needs.matrix-pgmetrics.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
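Review bot: In the `@@ -96,10 +104,10 @@` hunk of pgmetrics.yml the Alpine job writes `username: ${{ github.actor }}` unquoted, whereas the equivalent credentials block for the other package types in the same file (the `@@ -199,10 +204,10 @@` hunk on the next line) quotes it as `username: "${{ github.actor }}"`. Both blocks come from the same template, so using the quoted form in both places — the safer default for a templated scalar — keeps them diffable against each other. The Alpine image tag `${{matrix.alpine}}` is a mutable tag too, so the digest-pinning argument that applies to the `:latest` builder applies here as well. The job definition extends past both edges of the hunk.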
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/pluto.yml b/.github/workflows/pluto.yml index ba6d8c5af4..0d7be9e65d 100644 --- a/.github/workflows/pluto.yml +++ b/.github/workflows/pluto.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/pluto/** - - .github/workflows/pluto.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/pluto.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
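Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` in the `@@ -199,10 +204,10 @@` hunk of pgmetrics.yml keeps the build environment on a floating tag, so two runs of the same commit can build with different toolchains and a tampered `:latest` would be picked up by every package workflow at once. Pin the reference by digest, e.g. `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>`, with a comment recording which tag it was taken from, and let a dependency bot raise the bump PRs. The `package-type` interpolation means a per-type digest is needed, which the matrix job could emit alongside `package-type`. The enclosing job begins before this hunk and its `steps:` continue after it.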
@@ -31,7 +34,6 @@ on: - vendor/pluto/** - .github/workflows/pluto.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: pluto_VERSION: ${{ inputs.package_version_override }} pluto_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-pluto: needs: matrix-pluto if: github.event_name != 'schedule' && needs.matrix-pluto.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
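Review bot: The `permissions` block added to pluto.yml in the `@@ -47,6 +49,12 @@` hunk applies to every job, so the build containers, which in these hunks only authenticate to ghcr.io to pull an image, run with `packages: write`, `attestations: write` and `id-token: write` they never use. A least-privilege layout is `contents: read` and `packages: read` at the top level, with the write scopes declared under `permissions:` on the one job that publishes or attests. Since `GITHUB_TOKEN` is read-only on fork pull requests per GitHub's documentation, the over-grant matters on push, schedule and `workflow_dispatch` runs, which is exactly where a compromised build step would be most valuable to an attacker. Drop `attestations: write` and `id-token: write` entirely if this commit did not add an attestation step outside the visible hunks.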
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
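Review bot: The `:latest` tag on `ghcr.io/cloudposse/packages-${{matrix.package-type}}build` in the `@@ -199,10 +204,10 @@` hunk of pluto.yml is a mutable reference, so the registry move does not give a reproducible build and a replaced `:latest` would silently reach every package workflow. A digest pin, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>  # from :latest`, is immutable and still updatable through a bot PR. One digest per `package-type` is required, so the matrix job is the natural place to emit it. The job containing this `container:` block starts before the hunk and continues after it.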
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/popeye.yml b/.github/workflows/popeye.yml index d1905feee1..e83f5a03b5 100644 --- a/.github/workflows/popeye.yml +++ b/.github/workflows/popeye.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/popeye/** - - .github/workflows/popeye.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/popeye.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/popeye/** - .github/workflows/popeye.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: popeye_VERSION: ${{ inputs.package_version_override }} popeye_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
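Review bot: popeye.yml's new workflow-level `permissions` block in the `@@ -47,6 +49,12 @@` hunk grants `packages: write`, `attestations: write` and `id-token: write` to all jobs, though the only token use visible across these hunks is `password: "${{ secrets.GITHUB_TOKEN }}"` for pulling builder images, which `packages: read` covers. Keep the top level at `contents: read` and `packages: read`, and grant the write scopes on the publishing or attesting job only with a job-level `permissions:` key. Write scopes that no step consumes, in particular `id-token: write` which lets any step mint an OIDC token, should not be left in as a default. The `jobs:` mapping following the block extends beyond the hunk.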
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-popeye: needs: matrix-popeye if: github.event_name != 'schedule' && needs.matrix-popeye.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
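Review bot: `uses: cloudsmith-io/action@v0.6.10` in the `@@ -145,7 +150,7 @@` hunk of popeye.yml is resolved by tag at run time while the step holds `secrets.CLOUDSMITH_API_KEY`, so the publishing credential depends on nobody ever moving that tag. Pin to the action's commit SHA, `uses: cloudsmith-io/action@<commit sha>  # v0.6.10`, so the reference is immutable and each bump is a reviewable diff. A smaller consistency point in the `@@ -96,10 +104,10 @@` hunk: the Alpine job's `username: ${{ github.actor }}` is unquoted while the same key is quoted in the other container block of this file. The publish step's `with:` block continues beyond the hunk.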
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/promtool.yml b/.github/workflows/promtool.yml index a50b565d87..0f9d50fd63 100644 --- a/.github/workflows/promtool.yml +++ b/.github/workflows/promtool.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/promtool/** - - .github/workflows/promtool.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/promtool.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
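Review bot: The builder image in popeye.yml's `@@ -199,10 +204,10 @@` hunk is referenced as `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest`, a floating tag, so the toolchain that builds the published deb/rpm packages is not fixed by the commit being built. Switching to a digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>`, with the tag it was resolved from noted in a comment, gives reproducibility and makes an unexpected image change show up as a diff. Because the image name includes `package-type`, each type needs its own digest; the matrix job could provide it as another matrix field. The `container:` block's job starts before and continues after this hunk.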
@@ -31,7 +34,6 @@ on: - vendor/promtool/** - .github/workflows/promtool.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: promtool_VERSION: ${{ inputs.package_version_override }} promtool_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-promtool: needs: matrix-promtool if: github.event_name != 'schedule' && needs.matrix-promtool.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
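Review bot: The `permissions` block introduced in promtool.yml's `@@ -47,6 +49,12 @@` hunk is declared at workflow level, so `packages: write`, `attestations: write` and `id-token: write` apply to every job, not just the one that would need them; the hunks in this file show the token used only to pull from ghcr.io, which `packages: read` suffices for. I would reduce the top level to `contents: read` and `packages: read` and scope the write permissions to the publishing or attesting job with its own `permissions:` key. GitHub documents `GITHUB_TOKEN` as read-only for pull requests from forks, so the excess grant is exercised on pushes and dispatches from this repository, where a malicious build step would get OIDC and package-push rights for free. If no attestation step exists outside the visible hunks, `attestations: write` and `id-token: write` should be removed.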
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
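Review bot: In promtool.yml the `@@ -145,7 +150,7 @@` hunk bumps the publish step to `cloudsmith-io/action@v0.6.10`, which is still a tag reference for a step that receives `secrets.CLOUDSMITH_API_KEY`; a moved tag upstream would execute with the publishing key. Pin it to the commit SHA with the version as a comment, `uses: cloudsmith-io/action@<commit sha>  # v0.6.10`, so that the reference is immutable and the version is still readable. The second push step in this file (the `@@ -250,7 +252,7 @@` hunk on the next line) needs the same treatment. The step's `with:` mapping runs past the end of the hunk.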
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/rainbow-text.yml b/.github/workflows/rainbow-text.yml index 9d033ce589..c0db8730df 100644 --- a/.github/workflows/rainbow-text.yml +++ b/.github/workflows/rainbow-text.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/rainbow-text/** - - .github/workflows/rainbow-text.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/rainbow-text.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/rainbow-text/** - .github/workflows/rainbow-text.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
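Review bot: The `@@ -250,7 +252,7 @@` hunk of promtool.yml leaves the Cloudsmith publish step on a mutable tag, `cloudsmith-io/action@v0.6.10`, while passing it `secrets.CLOUDSMITH_API_KEY`. Replacing the tag with the action's full commit SHA and keeping `# v0.6.10` as a trailing comment turns each upgrade into an explicit, reviewable diff of an immutable reference, which is what you want for the step that holds the publishing credential. The step's `with:` block continues past the hunk, as does the job that contains it.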
@@ -47,6 +49,12 @@ env: rainbow-text_VERSION: ${{ inputs.package_version_override }} rainbow-text_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-rainbow-text: needs: matrix-rainbow-text if: github.event_name != 'schedule' && needs.matrix-rainbow-text.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
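Review bot: rainbow-text.yml's new `permissions` block in the `@@ -47,6 +49,12 @@` hunk grants `packages: write`, `attestations: write` and `id-token: write` at workflow level, so every job — including the container jobs that only pull a builder image, which needs `packages: read` — gets them. Keep the top level at `contents: read` plus `packages: read` and declare the write scopes on the job that publishes or attests via a job-level `permissions:` key. Nothing in the visible hunks consumes `attestations: write` or `id-token: write`; if no attestation step was added elsewhere in this commit, grant neither. The `jobs:` mapping after the block continues beyond the hunk.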
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
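Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` in rainbow-text.yml's `@@ -199,10 +204,10 @@` hunk keeps the build environment on a mutable tag after the registry move, so the toolchain behind published packages can change with no commit in this repository. Pin the image by digest, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>  # resolved from :latest`, and let a dependency bot propose updates. Since the name is templated on `package-type`, emit a matching digest from the matrix job rather than hard-coding one per workflow. The `container:` block's job extends past both ends of the hunk.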
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/rakkess.yml b/.github/workflows/rakkess.yml index 9554782375..409e52c432 100644 --- a/.github/workflows/rakkess.yml +++ b/.github/workflows/rakkess.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/rakkess/** - - .github/workflows/rakkess.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/rakkess.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/rakkess/** - .github/workflows/rakkess.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: rakkess_VERSION: ${{ inputs.package_version_override }} rakkess_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
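Review bot: The workflow-level `permissions` block added to rakkess.yml in the `@@ -47,6 +49,12 @@` hunk applies `packages: write`, `attestations: write` and `id-token: write` to every job, while the hunks for this file show `GITHUB_TOKEN` used only as a ghcr.io pull credential, which `packages: read` covers. Narrow the top level to `contents: read` and `packages: read` and attach the write scopes to the publishing or attesting job with its own `permissions:` key. `GITHUB_TOKEN` is read-only on fork pull requests per GitHub's documentation, so the over-grant bites on push, schedule and `workflow_dispatch` runs, where a compromised build step could mint OIDC tokens and push packages. Remove `attestations: write` and `id-token: write` outright if this commit added no attestation step outside the visible hunks.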
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-rakkess: needs: matrix-rakkess if: github.event_name != 'schedule' && needs.matrix-rakkess.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
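Review bot: rakkess.yml's `@@ -145,7 +150,7 @@` hunk keeps `uses: cloudsmith-io/action@v0.6.10` as a tag reference for the step that is given `secrets.CLOUDSMITH_API_KEY`, so the publishing credential's safety rests on an upstream tag never being moved. Use the commit SHA and keep the tag in a comment, `uses: cloudsmith-io/action@<commit sha>  # v0.6.10`, so the reference is immutable and the bump is visible. In the `@@ -96,10 +104,10 @@` hunk, `username: ${{ github.actor }}` is unquoted while the equivalent key in this file's other container block is quoted; the quoted form in both places is the safer default. The publish step's `with:` block continues beyond the hunk.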
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/rancher.yml b/.github/workflows/rancher.yml index fd5d48002b..e689a7070b 100644 --- a/.github/workflows/rancher.yml +++ b/.github/workflows/rancher.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/rancher/** - - .github/workflows/rancher.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/rancher.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
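Review bot: In rakkess.yml's `@@ -199,10 +204,10 @@` hunk the builder image `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` is still a floating tag, so moving it to ghcr.io changes where the image comes from but not whether a given commit builds reproducibly or whether a replaced `:latest` reaches every workflow unnoticed. A digest pin, `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>`, with the source tag noted in a comment, fixes both and remains updatable through bot PRs. A per-`package-type` digest is needed because the type is part of the image name; the matrix job can emit it. The job containing this `container:` block starts before and continues after the hunk.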
@@ -31,7 +34,6 @@ on: - vendor/rancher/** - .github/workflows/rancher.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: rancher_VERSION: ${{ inputs.package_version_override }} rancher_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-rancher: needs: matrix-rancher if: github.event_name != 'schedule' && needs.matrix-rancher.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
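Review bot: rancher.yml's `@@ -47,6 +49,12 @@` hunk puts `packages: write`, `attestations: write` and `id-token: write` at workflow level, so every job inherits them even though the only visible token use is `password: "${{ secrets.GITHUB_TOKEN }}"` for pulling a builder image, which `packages: read` satisfies. A least-privilege layout is `contents: read` and `packages: read` at the top with the write scopes on the single publishing or attesting job under a job-level `permissions:` key. Since `id-token: write` lets any step in any job mint an OIDC token, it in particular should not be a workflow-wide default; if no step consumes attestations or OIDC, drop both write scopes. The `jobs:` mapping following the block extends beyond the hunk.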
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/rbac-lookup.yml b/.github/workflows/rbac-lookup.yml index 822b2f1cab..c35a3437fb 100644 --- a/.github/workflows/rbac-lookup.yml +++ b/.github/workflows/rbac-lookup.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/rbac-lookup/** - - .github/workflows/rbac-lookup.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/rbac-lookup.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/rbac-lookup/** - .github/workflows/rbac-lookup.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: rbac-lookup_VERSION: ${{ inputs.package_version_override }} rbac-lookup_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-rbac-lookup: needs: matrix-rbac-lookup if: github.event_name != 'schedule' && needs.matrix-rbac-lookup.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/saml2aws.yml b/.github/workflows/saml2aws.yml index 15bfadc5ae..c7028e3ab1 100644 --- a/.github/workflows/saml2aws.yml +++ b/.github/workflows/saml2aws.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/saml2aws/** - - .github/workflows/saml2aws.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/saml2aws.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/saml2aws/** - .github/workflows/saml2aws.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: saml2aws_VERSION: ${{ inputs.package_version_override }} saml2aws_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-saml2aws: needs: matrix-saml2aws if: github.event_name != 'schedule' && needs.matrix-saml2aws.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/sentry-cli.yml b/.github/workflows/sentry-cli.yml index 1424b6a904..a74a056f9f 100644 --- a/.github/workflows/sentry-cli.yml +++ b/.github/workflows/sentry-cli.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/sentry-cli/** - - .github/workflows/sentry-cli.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/sentry-cli.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/sentry-cli/** - .github/workflows/sentry-cli.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: sentry-cli_VERSION: ${{ inputs.package_version_override }} sentry-cli_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-sentry-cli: needs: matrix-sentry-cli if: github.event_name != 'schedule' && needs.matrix-sentry-cli.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 18f561c8e7..eda65183b7 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/shellcheck/** - - .github/workflows/shellcheck.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/shellcheck.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/shellcheck/** - .github/workflows/shellcheck.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: shellcheck_VERSION: ${{ inputs.package_version_override }} shellcheck_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-shellcheck: needs: matrix-shellcheck if: github.event_name != 'schedule' && needs.matrix-shellcheck.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/shfmt.yml b/.github/workflows/shfmt.yml index f4009e67e0..58ce88dbeb 100644 --- a/.github/workflows/shfmt.yml +++ b/.github/workflows/shfmt.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/shfmt/** - - .github/workflows/shfmt.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/shfmt.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/shfmt/** - .github/workflows/shfmt.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: shfmt_VERSION: ${{ inputs.package_version_override }} shfmt_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-shfmt: needs: matrix-shfmt if: github.event_name != 'schedule' && needs.matrix-shfmt.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/slack-notifier.yml b/.github/workflows/slack-notifier.yml index 7cb3d5eab6..2ba53e334c 100644 --- a/.github/workflows/slack-notifier.yml +++ b/.github/workflows/slack-notifier.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/slack-notifier/** - - .github/workflows/slack-notifier.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/slack-notifier.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/slack-notifier/** - .github/workflows/slack-notifier.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: slack-notifier_VERSION: ${{ inputs.package_version_override }} slack-notifier_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-slack-notifier: needs: matrix-slack-notifier if: github.event_name != 'schedule' && needs.matrix-slack-notifier.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/sops.yml b/.github/workflows/sops.yml index 19cb3613ea..74ec96ee4d 100644 --- a/.github/workflows/sops.yml +++ b/.github/workflows/sops.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/sops/** - - .github/workflows/sops.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/sops.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/sops/** - .github/workflows/sops.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: sops_VERSION: ${{ inputs.package_version_override }} sops_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-sops: needs: matrix-sops if: github.event_name != 'schedule' && needs.matrix-sops.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/spacectl.yml b/.github/workflows/spacectl.yml index d9e945c8bb..f14e33a881 100644 --- a/.github/workflows/spacectl.yml +++ b/.github/workflows/spacectl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/spacectl/** - - .github/workflows/spacectl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/spacectl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/spacectl/** - .github/workflows/spacectl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: spacectl_VERSION: ${{ inputs.package_version_override }} spacectl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-spacectl: needs: matrix-spacectl if: github.event_name != 'schedule' && needs.matrix-spacectl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/spotctl.yml b/.github/workflows/spotctl.yml index 90e51d6c92..910e88cb38 100644 --- a/.github/workflows/spotctl.yml +++ b/.github/workflows/spotctl.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/spotctl/** - - .github/workflows/spotctl.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/spotctl.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/spotctl/** - .github/workflows/spotctl.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: spotctl_VERSION: ${{ inputs.package_version_override }} spotctl_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-spotctl: needs: matrix-spotctl if: github.event_name != 'schedule' && needs.matrix-spotctl.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/sshm.yml b/.github/workflows/sshm.yml index 5b5095903d..25b9ff420a 100644 --- a/.github/workflows/sshm.yml +++ b/.github/workflows/sshm.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/sshm/** - - .github/workflows/sshm.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/sshm.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/sshm/** - .github/workflows/sshm.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: sshm_VERSION: ${{ inputs.package_version_override }} sshm_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-sshm: needs: matrix-sshm if: github.event_name != 'schedule' && needs.matrix-sshm.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/stern.yml b/.github/workflows/stern.yml index 22bc058eee..c37a6ff3f3 100644 --- a/.github/workflows/stern.yml +++ b/.github/workflows/stern.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/stern/** - - .github/workflows/stern.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/stern.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/stern/** - .github/workflows/stern.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: stern_VERSION: ${{ inputs.package_version_override }} stern_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-stern: needs: matrix-stern if: github.event_name != 'schedule' && needs.matrix-stern.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/sudosh.yml b/.github/workflows/sudosh.yml index 564a178340..d8e1fff72f 100644 --- a/.github/workflows/sudosh.yml +++ b/.github/workflows/sudosh.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/sudosh/** - - .github/workflows/sudosh.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/sudosh.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/sudosh/** - .github/workflows/sudosh.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: sudosh_VERSION: ${{ inputs.package_version_override }} sudosh_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-sudosh: needs: matrix-sudosh if: github.event_name != 'schedule' && needs.matrix-sudosh.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/teleport-4.3.yml b/.github/workflows/teleport-4.3.yml index e4286a357d..d4ff82da24 100644 --- a/.github/workflows/teleport-4.3.yml +++ b/.github/workflows/teleport-4.3.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/teleport-4.3/** - - .github/workflows/teleport-4.3.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/teleport-4.3.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/teleport-4.3/** - .github/workflows/teleport-4.3.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: teleport-4.3_VERSION: ${{ inputs.package_version_override }} teleport-4.3_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-teleport-4_3: needs: matrix-teleport-4_3 if: github.event_name != 'schedule' && needs.matrix-teleport-4_3.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/teleport-4.4.yml b/.github/workflows/teleport-4.4.yml index 6e0bd06ca7..a32275012f 100644 --- a/.github/workflows/teleport-4.4.yml +++ b/.github/workflows/teleport-4.4.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/teleport-4.4/** - - .github/workflows/teleport-4.4.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/teleport-4.4.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/teleport-4.4/** - .github/workflows/teleport-4.4.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: teleport-4.4_VERSION: ${{ inputs.package_version_override }} teleport-4.4_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-teleport-4_4: needs: matrix-teleport-4_4 if: github.event_name != 'schedule' && needs.matrix-teleport-4_4.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/teleport-5.0.yml b/.github/workflows/teleport-5.0.yml index 55112e3a88..db7f4fc12c 100644 --- a/.github/workflows/teleport-5.0.yml +++ b/.github/workflows/teleport-5.0.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/teleport-5.0/** - - .github/workflows/teleport-5.0.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/teleport-5.0.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/teleport-5.0/** - .github/workflows/teleport-5.0.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: teleport-5.0_VERSION: ${{ inputs.package_version_override }} teleport-5.0_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-teleport-5_0: needs: matrix-teleport-5_0 if: github.event_name != 'schedule' && needs.matrix-teleport-5_0.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
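Review bot: The new workflow-level `permissions:` block grants `packages: write`, `attestations: write` and `id-token: write` to every job in the workflow, including the matrix job that only computes outputs, and the workflow also runs on `pull_request`, where a same-repository PR would then receive a write-capable token. Keep only `contents: read` at the workflow level and declare the write scopes on the job that actually needs them; no step in the hunks visible here uses an attestation or OIDC step, so if an attest/provenance step lives elsewhere in the file, give `attestations: write` and `id-token: write` to that job alone, and `packages: write` only where something is pushed to GHCR (pulling a public image needs no write scope). The job definitions are outside this hunk, so the job-level placement below is a sketch against the `alpine-teleport-5_0` job named in the next hunk. The same block is added in the @@ -47 hunk of every other workflow in this patch.
```yaml
permissions:
  contents: read

jobs:
  # … unchanged: matrix-teleport-5_0 job …
  alpine-teleport-5_0:
    # Scope write grants to the job that publishes/attests; drop any it does not use.
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    # … unchanged: needs/if/container/steps …
```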
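Review bot: In the @@ -96,10 +104,10 hunk `username: ${{ github.actor }}` is unquoted while the @@ -199,10 +204,10 hunk of the same file writes `username: "${{ github.actor }}"`; pick one form for both container blocks, preferably the quoted one, since a templated scalar that expands to something boolean- or null-looking is otherwise retyped by the YAML parser. Both images are now pulled from GHCR by mutable tags (`:${{matrix.alpine}}` here, `:latest` in the package-build job), so a rebuilt image silently changes the environment that produces the signed packages; consider pinning by digest, `image: ghcr.io/cloudposse/packages-apkbuild:<tag>@sha256:<digest placeholder>`, and letting the dependency bot refresh it. The `github.actor`/`GITHUB_TOKEN` pair can only pull what the run's token may read; on pull_request runs from forks that token is read-only, which presumably suffices for public images but should be confirmed if any of these images are private. The same pair of hunks appears in every other workflow in this patch.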
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/teleport.yml b/.github/workflows/teleport.yml index fd4c84568c..8eb197a4d1 100644 --- a/.github/workflows/teleport.yml +++ b/.github/workflows/teleport.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/teleport/** - - .github/workflows/teleport.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/teleport.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/teleport/** - .github/workflows/teleport.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: teleport_VERSION: ${{ inputs.package_version_override }} teleport_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-teleport: needs: matrix-teleport if: github.event_name != 'schedule' && needs.matrix-teleport.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-0.11.yml b/.github/workflows/terraform-0.11.yml index e74c0bc08c..d6e8afbc83 100644 --- a/.github/workflows/terraform-0.11.yml +++ b/.github/workflows/terraform-0.11.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-0.11/** - - .github/workflows/terraform-0.11.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-0.11.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/terraform-0.11/** - .github/workflows/terraform-0.11.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: terraform-0.11_VERSION: ${{ inputs.package_version_override }} terraform-0.11_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-0_11: needs: matrix-terraform-0_11 if: github.event_name != 'schedule' && needs.matrix-terraform-0_11.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-0.12.yml b/.github/workflows/terraform-0.12.yml index 0714edc47b..9d136f3a5d 100644 --- a/.github/workflows/terraform-0.12.yml +++ b/.github/workflows/terraform-0.12.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-0.12/** - - .github/workflows/terraform-0.12.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-0.12.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-0.12/** - .github/workflows/terraform-0.12.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-0.12_VERSION: ${{ inputs.package_version_override }} terraform-0.12_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-0_12: needs: matrix-terraform-0_12 if: github.event_name != 'schedule' && needs.matrix-terraform-0_12.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-0.13.yml b/.github/workflows/terraform-0.13.yml index c4a247662b..756f85d7bf 100644 --- a/.github/workflows/terraform-0.13.yml +++ b/.github/workflows/terraform-0.13.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-0.13/** - - .github/workflows/terraform-0.13.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-0.13.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-0.13/** - .github/workflows/terraform-0.13.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-0.13_VERSION: ${{ inputs.package_version_override }} terraform-0.13_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-0_13: needs: matrix-terraform-0_13 if: github.event_name != 'schedule' && needs.matrix-terraform-0_13.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-0.14.yml b/.github/workflows/terraform-0.14.yml index dcc3b9efd3..a9076851cf 100644 --- a/.github/workflows/terraform-0.14.yml +++ b/.github/workflows/terraform-0.14.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-0.14/** - - .github/workflows/terraform-0.14.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-0.14.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-0.14/** - .github/workflows/terraform-0.14.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-0.14_VERSION: ${{ inputs.package_version_override }} terraform-0.14_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-0_14: needs: matrix-terraform-0_14 if: github.event_name != 'schedule' && needs.matrix-terraform-0_14.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-0.15.yml b/.github/workflows/terraform-0.15.yml index c37023c6b5..1854e60ca8 100644 --- a/.github/workflows/terraform-0.15.yml +++ b/.github/workflows/terraform-0.15.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-0.15/** - - .github/workflows/terraform-0.15.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-0.15.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-0.15/** - .github/workflows/terraform-0.15.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-0.15_VERSION: ${{ inputs.package_version_override }} terraform-0.15_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-0_15: needs: matrix-terraform-0_15 if: github.event_name != 'schedule' && needs.matrix-terraform-0_15.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-1.yml b/.github/workflows/terraform-1.yml index 8ed83157c8..4bad8be01f 100644 --- a/.github/workflows/terraform-1.yml +++ b/.github/workflows/terraform-1.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-1/** - - .github/workflows/terraform-1.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-1.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-1/** - .github/workflows/terraform-1.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-1_VERSION: ${{ inputs.package_version_override }} terraform-1_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-1: needs: matrix-terraform-1 if: github.event_name != 'schedule' && needs.matrix-terraform-1.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
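Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` pulls a mutable tag, and the `Push artifact to package repository` step later in the same job runs inside this container with `CLOUDSMITH_API_KEY`, so anyone able to push a new `latest` to that GHCR package can change the build output or exfiltrate the publishing key. Pinning the builder by digest, e.g. `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@sha256:<digest>` with the digest supplied from the matrix, or at least a versioned tag that is never re-pointed, would close that gap; `latest` was already used with the Docker Hub image, so this is a pre-existing weakness that the registry migration is a natural moment to fix. The matrix definition is outside the hunk, so whether per-package-type digests are available there is not visible here. The same reference appears in every per-package workflow in this commit, so the template presumably needs the change.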
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-config-inspect.yml b/.github/workflows/terraform-config-inspect.yml index 7dce1ce0e4..5455055f36 100644 --- a/.github/workflows/terraform-config-inspect.yml +++ b/.github/workflows/terraform-config-inspect.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-config-inspect/** - - .github/workflows/terraform-config-inspect.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-config-inspect.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-config-inspect/** - .github/workflows/terraform-config-inspect.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-config-inspect_VERSION: ${{ inputs.package_version_override }} terraform-config-inspect_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-config-inspect: needs: matrix-terraform-config-inspect if: github.event_name != 'schedule' && needs.matrix-terraform-config-inspect.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-docs.yml b/.github/workflows/terraform-docs.yml index 9d4dd12bb4..9ac944f77e 100644 --- a/.github/workflows/terraform-docs.yml +++ b/.github/workflows/terraform-docs.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-docs/** - - .github/workflows/terraform-docs.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-docs.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-docs/** - .github/workflows/terraform-docs.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-docs_VERSION: ${{ inputs.package_version_override }} terraform-docs_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-docs: needs: matrix-terraform-docs if: github.event_name != 'schedule' && needs.matrix-terraform-docs.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform-module-versions.yml b/.github/workflows/terraform-module-versions.yml index 65b4f527c0..8ebda7bbeb 100644 --- a/.github/workflows/terraform-module-versions.yml +++ b/.github/workflows/terraform-module-versions.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform-module-versions/** - - .github/workflows/terraform-module-versions.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform-module-versions.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform-module-versions/** - .github/workflows/terraform-module-versions.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform-module-versions_VERSION: ${{ inputs.package_version_override }} terraform-module-versions_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform-module-versions: needs: matrix-terraform-module-versions if: github.event_name != 'schedule' && needs.matrix-terraform-module-versions.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index c133e59cfe..db5a5413b1 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform/** - - .github/workflows/terraform.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform/** - .github/workflows/terraform.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: terraform_VERSION: ${{ inputs.package_version_override }} terraform_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform: needs: matrix-terraform if: github.event_name != 'schedule' && needs.matrix-terraform.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform_0.11.yml b/.github/workflows/terraform_0.11.yml index 52140b7b26..e6df455c8e 100644 --- a/.github/workflows/terraform_0.11.yml +++ b/.github/workflows/terraform_0.11.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform_0.11/** - - .github/workflows/terraform_0.11.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform_0.11.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/terraform_0.11/** - .github/workflows/terraform_0.11.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: terraform_0.11_VERSION: ${{ inputs.package_version_override }} terraform_0.11_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform_0_11: needs: matrix-terraform_0_11 if: github.event_name != 'schedule' && needs.matrix-terraform_0_11.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform_0.12.yml b/.github/workflows/terraform_0.12.yml index 3ecc245645..9852a41bf5 100644 --- a/.github/workflows/terraform_0.12.yml +++ b/.github/workflows/terraform_0.12.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform_0.12/** - - .github/workflows/terraform_0.12.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform_0.12.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform_0.12/** - .github/workflows/terraform_0.12.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform_0.12_VERSION: ${{ inputs.package_version_override }} terraform_0.12_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform_0_12: needs: matrix-terraform_0_12 if: github.event_name != 'schedule' && needs.matrix-terraform_0_12.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terraform_0.13.yml b/.github/workflows/terraform_0.13.yml index 17c678ef05..eb5693250b 100644 --- a/.github/workflows/terraform_0.13.yml +++ b/.github/workflows/terraform_0.13.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terraform_0.13/** - - .github/workflows/terraform_0.13.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terraform_0.13.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terraform_0.13/** - .github/workflows/terraform_0.13.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: 
@@ -47,6 +49,12 @@ env: terraform_0.13_VERSION: ${{ inputs.package_version_override }} terraform_0.13_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terraform_0_13: needs: matrix-terraform_0_13 if: github.event_name != 'schedule' && needs.matrix-terraform_0_13.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
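Review bot: The third-party publish step is still referenced by a mutable tag, `uses: cloudsmith-io/action@v0.6.10`, and this step receives `CLOUDSMITH_API_KEY`, so anyone able to move that tag controls code that runs with the publishing credential. Pinning to the full commit SHA with the version as a trailing comment, `uses: cloudsmith-io/action@<FULL_COMMIT_SHA> # v0.6.10`, removes that exposure while keeping the version readable for Dependabot/Renovate. The same line appears in the second push hunk (`@@ -250,7 +252,7 @@`) of this file and in the corresponding hunks of terragrunt.yml, terrahelp.yml, tflint.yml, tfschema.yml, tfsec.yml, thanos.yml, trivy.yml and variant.yml in this chunk.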
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terragrunt.yml b/.github/workflows/terragrunt.yml index 65f0ac53f7..c1881f14d5 100644 --- a/.github/workflows/terragrunt.yml +++ b/.github/workflows/terragrunt.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terragrunt/** - - .github/workflows/terragrunt.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terragrunt.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/terragrunt/** - .github/workflows/terragrunt.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: terragrunt_VERSION: ${{ inputs.package_version_override }} terragrunt_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terragrunt: needs: matrix-terragrunt if: github.event_name != 'schedule' && needs.matrix-terragrunt.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/terrahelp.yml b/.github/workflows/terrahelp.yml index 72e50a5652..bf6d1014e1 100644 --- a/.github/workflows/terrahelp.yml +++ b/.github/workflows/terrahelp.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/terrahelp/** - - .github/workflows/terrahelp.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/terrahelp.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/terrahelp/** - .github/workflows/terrahelp.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: terrahelp_VERSION: ${{ inputs.package_version_override }} terrahelp_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-terrahelp: needs: matrix-terrahelp if: github.event_name != 'schedule' && needs.matrix-terrahelp.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index 16161d6d04..8bb303cc55 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/tflint/** - - .github/workflows/tflint.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/tflint.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/tflint/** - .github/workflows/tflint.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: tflint_VERSION: ${{ inputs.package_version_override }} tflint_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-tflint: needs: matrix-tflint if: github.event_name != 'schedule' && needs.matrix-tflint.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/tfschema.yml b/.github/workflows/tfschema.yml index 3c7e4bb4d9..dc23c7331c 100644 --- a/.github/workflows/tfschema.yml +++ b/.github/workflows/tfschema.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/tfschema/** - - .github/workflows/tfschema.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/tfschema.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/tfschema/** - .github/workflows/tfschema.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: tfschema_VERSION: ${{ inputs.package_version_override }} tfschema_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-tfschema: needs: matrix-tfschema if: github.event_name != 'schedule' && needs.matrix-tfschema.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 0cf4f499d5..7fe1a5dd82 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/tfsec/** - - .github/workflows/tfsec.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/tfsec.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/tfsec/** - .github/workflows/tfsec.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: tfsec_VERSION: ${{ inputs.package_version_override }} tfsec_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-tfsec: needs: matrix-tfsec if: github.event_name != 'schedule' && needs.matrix-tfsec.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/thanos.yml b/.github/workflows/thanos.yml index 8c1c0c2b2b..0f67b2eb7a 100644 --- a/.github/workflows/thanos.yml +++ b/.github/workflows/thanos.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/thanos/** - - .github/workflows/thanos.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/thanos.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/thanos/** - .github/workflows/thanos.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: thanos_VERSION: ${{ inputs.package_version_override }} thanos_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-thanos: needs: matrix-thanos if: github.event_name != 'schedule' && needs.matrix-thanos.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 2b29ba8628..87dc7c57fd 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/trivy/** - - .github/workflows/trivy.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/trivy.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/trivy/** - .github/workflows/trivy.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: trivy_VERSION: ${{ inputs.package_version_override }} trivy_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-trivy: needs: matrix-trivy if: github.event_name != 'schedule' && needs.matrix-trivy.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/variant.yml b/.github/workflows/variant.yml index 5dd0fa9581..2781b3e815 100644 --- a/.github/workflows/variant.yml +++ b/.github/workflows/variant.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/variant/** - - .github/workflows/variant.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/variant.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
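Review bot: `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest` now pulls the build container from ghcr.io by a mutable tag, so the packages (and any attestation produced over them) come from whatever `latest` resolves to on the day of the run, and a changed or compromised image alters the build with no diff in this repo. The `:latest` tag predates this commit, but the registry move is the natural moment to pin: since the image name is matrix-dependent, the pin would be a per-`package-type` digest carried in the matrix (e.g. `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@${{matrix.image-digest}}` with `sha256:<digest-placeholder>` values in a matrix `include`), or at minimum a version tag plus `# pinned deliberately; bump with the image` above the line. The apkbuild image in `@@ -96,10 +104,10 @@` is already narrowed by `${{matrix.alpine}}`, which is better but still a moving tag. The job's matrix definition is outside this hunk, and the same `:latest` pull appears in variant.yml, variant2.yml, vault.yml, velero.yml, vendir.yml, venona.yml, vert.yml and yajsv.yml.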
@@ -31,7 +34,6 @@ on: - vendor/variant/** - .github/workflows/variant.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: variant_VERSION: ${{ inputs.package_version_override }} variant_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-variant: needs: matrix-variant if: github.event_name != 'schedule' && needs.matrix-variant.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/variant2.yml b/.github/workflows/variant2.yml index 4872222677..78f4720e67 100644 --- a/.github/workflows/variant2.yml +++ b/.github/workflows/variant2.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/variant2/** - - .github/workflows/variant2.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/variant2.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/variant2/** - .github/workflows/variant2.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: variant2_VERSION: ${{ inputs.package_version_override }} variant2_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-variant2: needs: matrix-variant2 if: github.event_name != 'schedule' && needs.matrix-variant2.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/vault.yml b/.github/workflows/vault.yml index e65ef12118..55b695ce73 100644 --- a/.github/workflows/vault.yml +++ b/.github/workflows/vault.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/vault/** - - .github/workflows/vault.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/vault.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/vault/** - .github/workflows/vault.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: vault_VERSION: ${{ inputs.package_version_override }} vault_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-vault: needs: matrix-vault if: github.event_name != 'schedule' && needs.matrix-vault.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/velero.yml b/.github/workflows/velero.yml index d281f65f68..371d8ed185 100644 --- a/.github/workflows/velero.yml +++ b/.github/workflows/velero.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/velero/** - - .github/workflows/velero.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/velero.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/velero/** - .github/workflows/velero.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: velero_VERSION: ${{ inputs.package_version_override }} velero_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-velero: needs: matrix-velero if: github.event_name != 'schedule' && needs.matrix-velero.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/vendir.yml b/.github/workflows/vendir.yml index 996eb8753c..f6b20a857a 100644 --- a/.github/workflows/vendir.yml +++ b/.github/workflows/vendir.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/vendir/** - - .github/workflows/vendir.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/vendir.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/vendir/** - .github/workflows/vendir.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: vendir_VERSION: ${{ inputs.package_version_override }} vendir_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-vendir: needs: matrix-vendir if: github.event_name != 'schedule' && needs.matrix-vendir.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/venona.yml b/.github/workflows/venona.yml index ca1f24e874..f4919dbbaf 100644 --- a/.github/workflows/venona.yml +++ b/.github/workflows/venona.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/venona/** - - .github/workflows/venona.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/venona.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/venona/** - .github/workflows/venona.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: venona_VERSION: ${{ inputs.package_version_override }} venona_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-venona: needs: matrix-venona if: github.event_name != 'schedule' && needs.matrix-venona.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/vert.yml b/.github/workflows/vert.yml index f478b30e51..5b5a36d858 100644 --- a/.github/workflows/vert.yml +++ b/.github/workflows/vert.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/vert/** - - .github/workflows/vert.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/vert.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
@@ -31,7 +34,6 @@ on: - vendor/vert/** - .github/workflows/vert.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: vert_VERSION: ${{ inputs.package_version_override }} vert_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-vert: needs: matrix-vert if: github.event_name != 'schedule' && needs.matrix-vert.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/yajsv.yml b/.github/workflows/yajsv.yml index 4561cd8db3..9f856c14d0 100644 --- a/.github/workflows/yajsv.yml +++ b/.github/workflows/yajsv.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/yajsv/** - - .github/workflows/yajsv.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/yajsv.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** @@ -31,7 +34,6 @@ on: - vendor/yajsv/** - .github/workflows/yajsv.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: yajsv_VERSION: ${{ inputs.package_version_override }} yajsv_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. 
@@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-yajsv: needs: matrix-yajsv if: github.event_name != 'schedule' && needs.matrix-yajsv.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' 
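Review bot: The alpine job's registry credentials use `username: ${{ github.actor }}` unquoted, while the generic build job in the same file writes `username: "${{ github.actor }}"`; both parse identically today, but the template should settle on one form, and quoting is the safer default for expression-valued scalars. The image `ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}` is a mutable per-release tag, so the APK toolchain (and the environment that handles `PACKAGER_PUBKEY`) can change under this pipeline without a commit; consider carrying `@sha256:` digests in the matrix output, or at least a comment such as `# NOTE: tag is re-resolved on every run; pin by digest for reproducible builds` so the trade-off is explicit. The job's `env` block begins above the hunk.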
@@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo @@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' diff --git a/.github/workflows/yq.yml b/.github/workflows/yq.yml index 144c7a4421..f9a196883e 100644 --- a/.github/workflows/yq.yml +++ b/.github/workflows/yq.yml @@ -18,11 +18,14 @@ on: - rpm/** - tasks/** - vendor/yq/** - - .github/workflows/yq.yml + # Do not automatically trigger a build when the workflow file is changed, because we often make mass updates. + # If we need to run all the workflows, we can just uncomment the line below and make new workflows. + # - .github/workflows/yq.yml pull_request: types: [opened, synchronize, reopened] + # Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR. paths: - apk/** - deb/** 
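Review bot: Commenting out `.github/workflows/yq.yml` under the push paths means a change like this one — new registry credentials and a new `permissions` block — no longer gets a post-merge run; the `pull_request` trigger still lists the workflow file (its path list continues in the next hunk), so the PR head is exercised, but the merged result is not until the next vendor or packaging change. Consider saying so in the added comment, e.g. `# After a mass update, run workflow_dispatch (or push a vendor/ change) to exercise the merged workflow.`. The `[no ci]` remark is accurate — it is one of GitHub's built-in skip keywords for push and pull_request events — but it does not apply to `workflow_dispatch` or `schedule`, which a reader of that comment may assume.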
@@ -31,7 +34,6 @@ on: - vendor/yq/** - .github/workflows/yq.yml - #bridgecrew:skip=BC_REPO_GITHUB_ACTION_7:The whole point of the workflow dispatch is to feed in a version workflow_dispatch: inputs: package_version_override: @@ -47,6 +49,12 @@ env: yq_VERSION: ${{ inputs.package_version_override }} yq_RELEASE: ${{ inputs.release_number_override }} +permissions: + contents: read + packages: write + attestations: write + id-token: write + jobs: # Mergify cannot distinguish between 2 jobs with the same name run from different workflows, # so each job must have a unique name for the rules to work properly. @@ -76,7 +84,7 @@ jobs: # Build for alpine linux - # Kept separate because it is old and slightly different than the other package builds + # Kept separate because it is old and slightly different from the other package builds alpine-yq: needs: matrix-yq if: github.event_name != 'schedule' && needs.matrix-yq.outputs.apk-enabled != 'false' @@ -96,10 +104,10 @@ jobs: PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub container: - image: cloudposse/packages-apkbuild:${{matrix.alpine}} + image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}} credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: ${{ github.actor }} + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
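Review bot: The `permissions` block added to yq.yml gives all jobs `packages: write`, `attestations: write` and `id-token: write`, while the visible consumers are a container pull with `GITHUB_TOKEN` (needs `packages: read`) and a Cloudsmith push using the static `CLOUDSMITH_API_KEY` (needs none of them). Granting `id-token: write` workflow-wide means a compromised third-party action in any job could mint an OIDC token in this repository's name; since `cloudsmith-io/action` is pinned by tag rather than commit SHA, that is a realistic path. I would trim the top-level block to `contents: read` and `packages: read` and grant `attestations: write` and `id-token: write` only on the job that produces attestations, if one exists outside this diff.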
@@ -118,17 +126,14 @@ jobs: - name: "List packages" run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .' - # Export the artifact filename including path - # Path must be relative to workdir for Cloudsmith action to be able to find it + # Export the artifact filename including path. + # Path must be relative to workdir for Cloudsmith action to be able to find it. - name: "Set output path to artifact" id: artifact shell: bash run: | artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk) echo "path=$artifact" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" @@ -145,7 +150,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push' @@ -199,10 +204,10 @@ jobs: # Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type container: - image: cloudposse/packages-${{matrix.package-type}}build:latest + image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest credentials: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} + username: "${{ github.actor }}" + password: "${{ secrets.GITHUB_TOKEN }}" steps: # Checkout the packages repo so we can build the packages as a monorepo 
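Review bot: In the `@@ -199` hunk the yq build container moves to `ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest`, and the preserved comment above it ("no reasonable way to configure the docker image tag based on the package-type") now also explains why nothing is pinned — a `latest` tag on GHCR can be re-pushed at any time and every package build would silently pick it up. Since the tag cannot be varied per package type in the template, the matrix job (outside this hunk) could emit a digest per `package-type` and the container line become `image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build@${{matrix.image-digest}}`; until then, a comment stating that `latest` is intentionally unpinned would at least make the decision visible. The `find` in the earlier "Set output path to artifact" step also still assumes exactly one .apk and writes `path=$artifact` unchecked to `$GITHUB_OUTPUT`; a single `[ -n "$artifact" ] || { echo "no .apk built" >&2; exit 1; }` would surface the failure at the right step.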
@@ -232,9 +237,6 @@ jobs: echo "setting output" echo "path=$packages" | tee -a $GITHUB_OUTPUT - echo creating '"pip"' cache directory for Cloudsmith - mkdir -p $HOME/.cache/pip && chmod -R 777 $HOME/.cache || echo Ignoring error creating '"pip"' cache directory - # Determine which package organization we should use (e.g. dev or prod) - name: "Determine package repo" shell: bash @@ -250,7 +252,7 @@ jobs: # Publish the artifacts - name: "Push artifact to package repository" - uses: cloudsmith-io/action@v0.5.4 + uses: cloudsmith-io/action@v0.6.10 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: 'push'