mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 23:19:52 +00:00
2672fad90a
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
42 lines
1.2 KiB
YAML
42 lines
1.2 KiB
YAML
---
|
|
name: publish artifacts
|
|
# yamllint disable-line rule:truthy
|
|
on:
|
|
push:
|
|
# Sequence of patterns matched against refs/heads
|
|
branches:
|
|
# Push events on default branch
|
|
- devel
|
|
# Push events to branches matching refs/heads/release-v*
|
|
- 'release-v*'
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
push:
|
|
name: Publish artifacts
|
|
runs-on: ubuntu-latest
|
|
if: github.repository == 'ceph/ceph-csi'
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Login to Quay
|
|
uses: docker/login-action@v1
|
|
with:
|
|
registry: quay.io
|
|
username: ${{ secrets.QUAY_IO_USERNAME }}
|
|
password: ${{ secrets.QUAY_IO_PASSWORD }}
|
|
|
|
- name: Set build environment variables
|
|
run: |
|
|
echo "BRANCH_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV
|
|
echo "GITHUB_USER=${{ secrets.CEPH_CSI_BOT_NAME }}" >> $GITHUB_ENV
|
|
echo "GITHUB_EMAIL=${{ secrets.CEPH_CSI_BOT_EMAIL }}" >> $GITHUB_ENV
|
|
echo "GITHUB_TOKEN=${{ secrets.CEPH_CSI_BOT_TOKEN }}" >> $GITHUB_ENV
|
|
|
|
- name: publish artifacts
|
|
# podman cannot pull images with both tag and digest
|
|
# https://github.com/containers/buildah/issues/1407
|
|
# use docker to build images
|
|
run: CONTAINER_CMD=docker ./deploy.sh
|