From c6d26f0d379136f9e4a011f1f07319ed2f347f2b Mon Sep 17 00:00:00 2001 From: Gabriel Adrian Samfira Date: Thu, 2 Dec 2021 15:55:58 +0200 Subject: [PATCH 1/2] Authenticate against ghcr.io This change adds a login step that authenticates the runner to ghcr.io. This allows whomever triggers the action to use github packages as a destination for the container images. Signed-off-by: Gabriel Adrian Samfira --- .github/workflows/build-test-images.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index ffbcea893..a1a2a5901 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -143,6 +143,13 @@ jobs: service_account_key: ${{ secrets.GCP_SA_KEY }} export_default_credentials: true + - name: Login to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push images shell: bash run: | From 323a62d7b9da1a2901385c1455cd67fecfa9198d Mon Sep 17 00:00:00 2001 From: Gabriel Adrian Samfira Date: Thu, 2 Dec 2021 18:13:27 +0200 Subject: [PATCH 2/2] Add permissions Limit the scope of GITHUB_TOKEN to only have write access to packages and read access to metadata. By default it seems to be granted access equal to that of the github.actor that triggered the workflow, which may include access to more than the workflow needs. Signed-off-by: Gabriel Adrian Samfira --- .github/workflows/build-test-images.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index a1a2a5901..edccdbf1d 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml 
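Review bot: The new login step references the action by a mutable tag, `uses: docker/login-action@v1`, and hands it `secrets.GITHUB_TOKEN`; anyone who can move that tag can run arbitrary code with the token. Pin it to the full commit SHA of the release you have vetted and keep the version as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v1.x.y`, and let Dependabot or Renovate bump the SHA. The same applies to the `google-github-actions` step above it if it is tag-pinned, though only its `with:` block is visible in this hunk. The `Build and push images` step's `run:` script continues outside the hunk.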
@@ -19,6 +19,9 @@ on: required: true default: westeurope +permissions: + packages: write + env: AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUB_ID }} DEFAULT_ADMIN_USERNAME: azureuser
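Review bot: A workflow-level `permissions:` block that lists only `packages: write` sets every other scope, including `contents`, to none; if any job in this workflow checks the repository out with `actions/checkout` (not visible in this hunk), that step would run with `contents: none`, which is worth confirming before merging. If a checkout is needed, add `contents: read` alongside `packages: write`. Since only the build job pushes images, consider moving the block under that job instead of the workflow level so the other jobs keep a token with no write scopes at all. Note the default GITHUB_TOKEN permissions come from the repository's Actions settings rather than from `github.actor`, so the commit message's explanation is a little off, though the fix itself is the right one.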