Merge pull request #12045 from id/1128-fix-token-permissions-in-release-workflow

ci: fix insufficient permissions for github token in release workflow
2023-11-29 12:53:08 +01:00 · 2023-11-29 12:53:08 +01:00 · 41ff357ed2
parent 8d105a3f82 19e7ec1f1f
commit 41ff357ed2
1 changed files with 14 additions and 4 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -20,7 +20,14 @@ jobs:
  upload:
    runs-on: ubuntu-22.04
    permissions:
+      contents: write
+      checks: write
      packages: write
+      actions: read
+      issues: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
    strategy:
      fail-fast: false
    steps:
@ -45,11 +52,13 @@ jobs:
            v*)
              echo "profile=emqx" >> $GITHUB_OUTPUT
              echo "version=$(./pkg-vsn.sh emqx)" >> $GITHUB_OUTPUT
+              echo "ref_name=v$(./pkg-vsn.sh emqx)" >> "$GITHUB_ENV"
              echo "s3dir=emqx-ce" >> $GITHUB_OUTPUT
              ;;
            e*)
              echo "profile=emqx-enterprise" >> $GITHUB_OUTPUT
              echo "version=$(./pkg-vsn.sh emqx-enterprise)" >> $GITHUB_OUTPUT
+              echo "ref_name=e$(./pkg-vsn.sh emqx-enterprise)" >> "$GITHUB_ENV"
              echo "s3dir=emqx-ee" >> $GITHUB_OUTPUT
              ;;
          esac
@ -57,14 +66,15 @@ jobs:
        run: |
          BUCKET=${{ secrets.AWS_S3_BUCKET }}
          OUTPUT_DIR=${{ steps.profile.outputs.s3dir }}
-          aws s3 cp --recursive s3://$BUCKET/$OUTPUT_DIR/${{ github.ref_name }} packages
-      - uses: alexellis/upload-assets@0.4.0
+          aws s3 cp --recursive s3://$BUCKET/$OUTPUT_DIR/${{ env.ref_name }} packages
+      - uses: emqx/upload-assets@8d2083b4dbe3151b0b735572eaa153b6acb647fe # 0.5.0
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          asset_paths: '["packages/*"]'
+          tag_name: "${{ env.ref_name }}"
      - name: update to emqx.io
-        if: startsWith(github.ref_name, 'v') && ((github.event_name == 'release' && !github.event.release.prerelease) || inputs.publish_release_artefacts)
+        if: startsWith(env.ref_name, 'v') && ((github.event_name == 'release' && !github.event.release.prerelease) || inputs.publish_release_artefacts)
        run: |
          set -eux
          curl -w %{http_code} \
@ -72,7 +82,7 @@ jobs:
               -H "Content-Type: application/json" \
               -H "token: ${{ secrets.EMQX_IO_TOKEN }}" \
               -X POST \
-               -d "{\"repo\":\"emqx/emqx\", \"tag\": \"${{ github.ref_name }}\" }" \
+               -d "{\"repo\":\"emqx/emqx\", \"tag\": \"${{ env.ref_name }}\" }" \
               ${{ secrets.EMQX_IO_RELEASE_API }}
      - name: Push to packagecloud.io
        if: (github.event_name == 'release' && !github.event.release.prerelease) || inputs.publish_release_artefacts