ceph-csi/.github/workflows/publish-artifacts.yaml
naveen 2672fad90a ci: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way,
 even if the attackers will succeed in compromising your workflow,
 they won’t be able to do much.

- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-05 20:21:15 +05:30

42 lines
1.2 KiB
YAML

---
name: publish artifacts
# yamllint disable-line rule:truthy
on:
push:
# Sequence of patterns matched against refs/heads
branches:
# Push events on default branch
- devel
# Push events to branches matching refs/heads/release-v*
- 'release-v*'
permissions:
contents: read
jobs:
push:
name: Publish artifacts
runs-on: ubuntu-latest
if: github.repository == 'ceph/ceph-csi'
steps:
- uses: actions/checkout@v3
- name: Login to Quay
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_IO_USERNAME }}
password: ${{ secrets.QUAY_IO_PASSWORD }}
- name: Set build environment variables
run: |
echo "BRANCH_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV
echo "GITHUB_USER=${{ secrets.CEPH_CSI_BOT_NAME }}" >> $GITHUB_ENV
echo "GITHUB_EMAIL=${{ secrets.CEPH_CSI_BOT_EMAIL }}" >> $GITHUB_ENV
echo "GITHUB_TOKEN=${{ secrets.CEPH_CSI_BOT_TOKEN }}" >> $GITHUB_ENV
- name: publish artifacts
# podman cannot pull images with both tag and digest
# https://github.com/containers/buildah/issues/1407
# use docker to build images
run: CONTAINER_CMD=docker ./deploy.sh