build(deps): Bump launch-editor from 2.13.2 to 2.14.1 in /enclave-manager/web #196
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify Release Tokens | |
| on: | |
| workflow_call: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| # Fork PRs and dependabot PRs don't have access to release secrets. Skip the | |
| # secret-dependent jobs there; GitHub will show them as "skipped" rather than | |
| # failing contributor / dependabot PRs. | |
| jobs: | |
| verify-kurtosisbot-github-token: | |
| name: KURTOSISBOT_GITHUB_TOKEN | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} | |
| env: | |
| TOKEN: ${{ secrets.KURTOSISBOT_GITHUB_TOKEN }} | |
| steps: | |
| - name: Ensure secret is set | |
| run: | | |
| if [ -z "$TOKEN" ]; then | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN secret is empty or missing." | |
| exit 1 | |
| fi | |
| - name: Verify authentication | |
| run: | | |
| if ! user=$(curl -fsS -H "Authorization: Bearer $TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| https://api.github.com/user 2>/dev/null); then | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN failed to authenticate against the GitHub API (401). Rotate the PAT." | |
| exit 1 | |
| fi | |
| login=$(echo "$user" | jq -r '.login') | |
| echo "Authenticated as $login" | |
| - name: Verify push access to kurtosis-cli-release-artifacts | |
| run: | | |
| repo="kurtosis-tech/kurtosis-cli-release-artifacts" | |
| resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| "https://api.github.com/repos/$repo" 2>/dev/null) || { | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo (likely missing repo scope or SSO authorization)." | |
| exit 1 | |
| } | |
| push=$(echo "$resp" | jq -r '.permissions.push // false') | |
| if [ "$push" != "true" ]; then | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo — goreleaser will 401 when publishing CLI artifacts." | |
| exit 1 | |
| fi | |
| echo "Push access to $repo confirmed" | |
| - name: Verify push access to homebrew-tap | |
| run: | | |
| repo="kurtosis-tech/homebrew-tap" | |
| resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| "https://api.github.com/repos/$repo" 2>/dev/null) || { | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo — goreleaser Homebrew formula bump will fail." | |
| exit 1 | |
| } | |
| push=$(echo "$resp" | jq -r '.permissions.push // false') | |
| if [ "$push" != "true" ]; then | |
| echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo." | |
| exit 1 | |
| fi | |
| echo "Push access to $repo confirmed" | |
| verify-releaser-token: | |
| name: RELEASER_TOKEN | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} | |
| env: | |
| TOKEN: ${{ secrets.RELEASER_TOKEN }} | |
| steps: | |
| - name: Ensure secret is set | |
| run: | | |
| if [ -z "$TOKEN" ]; then | |
| echo "::error::RELEASER_TOKEN secret is empty or missing." | |
| exit 1 | |
| fi | |
| - name: Verify authentication | |
| run: | | |
| if ! curl -fsS -H "Authorization: Bearer $TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| https://api.github.com/user > /dev/null 2>&1; then | |
| echo "::error::RELEASER_TOKEN failed to authenticate (401). release-please will not be able to open release PRs." | |
| exit 1 | |
| fi | |
| - name: Verify push access to kurtosis-tech/kurtosis | |
| run: | | |
| repo="${{ github.repository }}" | |
| resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| "https://api.github.com/repos/$repo" 2>/dev/null) || { | |
| echo "::error::RELEASER_TOKEN cannot read $repo." | |
| exit 1 | |
| } | |
| push=$(echo "$resp" | jq -r '.permissions.push // false') | |
| if [ "$push" != "true" ]; then | |
| echo "::error::RELEASER_TOKEN lacks push permission on $repo — release-please cannot open/merge release PRs." | |
| exit 1 | |
| fi | |
| echo "Push access to $repo confirmed" | |
| verify-dockerhub-credentials: | |
| name: DOCKERHUB_USERNAME / DOCKERHUB_PASSWORD | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} | |
| env: | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| steps: | |
| - name: Ensure secrets are set | |
| run: | | |
| if [ -z "$DOCKERHUB_USERNAME" ] || [ -z "$DOCKERHUB_PASSWORD" ]; then | |
| echo "::error::DOCKERHUB_USERNAME and/or DOCKERHUB_PASSWORD secret is empty or missing." | |
| exit 1 | |
| fi | |
| - name: Verify Docker Hub login | |
| run: | | |
| if ! echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin > /dev/null 2>&1; then | |
| echo "::error::Docker Hub login failed. Rotate DOCKERHUB_PASSWORD (recommend an access token scoped to Read/Write/Delete)." | |
| exit 1 | |
| fi | |
| echo "Docker Hub login succeeded for $DOCKERHUB_USERNAME" | |
| docker logout > /dev/null 2>&1 || true | |
| verify-npm-token: | |
| name: NPMJS_AUTH_TOKEN | |
| if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} | |
| uses: ./.github/workflows/verify-npm-token.yml | |
| secrets: inherit |