fix(ci): proper permissions for main CI

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
hoverkraft-tech · Mar 31, 2024 · 8bff35d · 8bff35d
1 parent 0ba1c43
commit 8bff35d
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 4 deletions.
diff --git a/.ghadocs.json b/.ghadocs.json
@@ -0,0 +1,17 @@
+{
+  "paths": {
+    "action": "action.yml",
+    "readme": "README.md"
+  },
+  "show_logo": true,
+  "versioning": {
+    "enabled": true,
+    "override": "",
+    "prefix": "v",
+    "branch": "main"
+  },
+  "owner": "hoverkraft-tech",
+  "repo": "ci-gitHub-common",
+  "title_prefix": "GitHub Action: ",
+  "prettier": true
+}
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -7,7 +7,13 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: write
+  packages: read
+  statuses: write
+  actions: write
+  pull-requests: write
+  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

diff --git a/.github/workflows/release-actions.yml b/.github/workflows/release-actions.yml
@@ -125,8 +125,35 @@ jobs:
       fail-fast: false
       matrix:
         action: ${{ fromJson(needs.prepare-release.outputs.changed-actions) }}
+    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
+
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      # jscpd:ignore-start
+      - id: oidc
+        uses: ChristopherHX/oidc@v3
+      - uses: actions/checkout@v4 # checks out called workflow
+        with:
+          path: ./self-workflow
+          repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }}
+          ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }}
+      # jscpd:ignore-end
+
+      - id: action-slug
+        uses: ./self-workflow/actions/slugify
+        with:
+          value: ${{ matrix.action }}
+
+      - run: |
+          jq '.paths.action = "${{ matrix.action }}/action.yml"' .ghadocs.json > .ghadocs.json.tmp
+          mv .ghadocs.json.tmp .ghadocs.json
+
+          jq '.paths.readme = "${{ matrix.action }}/README.md"' .ghadocs.json > .ghadocs.json.tmp
+          mv .ghadocs.json.tmp .ghadocs.json
 
       - name: 📖 Generate README
         uses: bitflight-devops/github-action-readme-generator@v1.8.0
@@ -144,7 +171,7 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: changed-files
+          name: changed-files-${{ steps.action-slug.outputs.result }}
           path: ${{ github.workspace }}/**/${{ matrix.action }}/README.md
 
   generate-workflows-readme:
@@ -155,9 +182,29 @@ jobs:
       fail-fast: false
       matrix:
         workflow: ${{ fromJson(needs.prepare-release.outputs.changed-workflows) }}
+    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      # jscpd:ignore-start
+      - id: oidc
+        uses: ChristopherHX/oidc@v3
+      - uses: actions/checkout@v4 # checks out called workflow
+        with:
+          path: ./self-workflow
+          repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }}
+          ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }}
+      # jscpd:ignore-end
+
+      - id: workflow-slug
+        uses: ./self-workflow/actions/slugify
+        with:
+          value: ${{ matrix.workflow }}
+
       - name: 📖 Generate README
         id: generate-readme
         run:
@@ -173,7 +220,7 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: changed-files
+          name: changed-files-${{ steps.workflow-slug.outputs.result }}
           path: ${{ github.workspace }}/**/${{ steps.generate-readme.outputs.readme-file }}
 
   publish-actions-readme:
@@ -191,7 +238,8 @@ jobs:
 
       - uses: actions/download-artifact@v4
         with:
-          name: changed-files
+          pattern: changed-files-*
+          merge-multiple: true
 
       - uses: actions/create-github-app-token@v1
         if: inputs.github-app-id