feat: minty configuration file for this repository (#134)

Conversion of: https://github.com/abcxyz/abcxyz-services/blob/main/github-token-minter/deployments/configs/abcxyz/secure-setup-terraform.yaml
abcxyz · Sep 25, 2024 · e490ec6 · e490ec6
1 parent 2da079b
commit e490ec6
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/.github/minty.yaml b/.github/minty.yaml
@@ -0,0 +1,31 @@
+version: 'minty.abcxyz.dev/v2'
+
+rule:
+  if: |-
+    assertion.iss == 'https://token.actions.githubusercontent.com' &&
+    assertion.organization_id == '93787867' &&
+    assertion.repository_id == '560465650' &&
+    assertion.ref == 'refs/heads/main'
+
+scope:
+  update-checksums:
+    rule:
+      if: |-
+        assertion.workflow_ref.startsWith("abcxyz/secure-setup-terraform/.github/workflows/update-checksums.yml") &&
+        (assertion.event_name == 'schedule' || assertion.event_name == 'workflow_dispatch')
+    repositories:
+      - 'secure-setup-terraform'
+    permissions:
+      pull_requests: 'write'
+      contents: 'write'
+
+  create-release:
+    rule:
+      if: |-
+        assertion.workflow_ref.startsWith("abcxyz/secure-setup-terraform/.github/workflows/create-release.yml") &&
+        assertion.event_name == 'push'
+    repositories:
+      - 'secure-setup-terraform'
+    permissions:
+      contents: 'write'
+
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -60,6 +60,7 @@ jobs:
           service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
           requested_permissions: |-
             {
+              "scope": "create-release",
               "repositories": ["${{ github.event.repository.name }}"],
               "permissions": {
                 "contents": "write"

diff --git a/.github/workflows/update-checksums.yml b/.github/workflows/update-checksums.yml
@@ -48,6 +48,7 @@ jobs:
           service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
           requested_permissions: |-
             {
+              "scope": "update-checksums",
               "repositories": ["secure-setup-terraform"],
               "permissions": {
                 "pull_requests": "write",