Skip to content

build(deps): Bump launch-editor from 2.13.2 to 2.14.1 in /enclave-manager/web #196

build(deps): Bump launch-editor from 2.13.2 to 2.14.1 in /enclave-manager/web

build(deps): Bump launch-editor from 2.13.2 to 2.14.1 in /enclave-manager/web #196

name: Verify Release Tokens
on:
workflow_call:
workflow_dispatch:
pull_request:
branches: [main]
permissions:
contents: read
# Fork PRs and dependabot PRs don't have access to release secrets. Skip the
# secret-dependent jobs there; GitHub will show them as "skipped" rather than
# failing contributor / dependabot PRs.
jobs:
verify-kurtosisbot-github-token:
name: KURTOSISBOT_GITHUB_TOKEN
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
TOKEN: ${{ secrets.KURTOSISBOT_GITHUB_TOKEN }}
steps:
- name: Ensure secret is set
run: |
if [ -z "$TOKEN" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN secret is empty or missing."
exit 1
fi
- name: Verify authentication
run: |
if ! user=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/user 2>/dev/null); then
echo "::error::KURTOSISBOT_GITHUB_TOKEN failed to authenticate against the GitHub API (401). Rotate the PAT."
exit 1
fi
login=$(echo "$user" | jq -r '.login')
echo "Authenticated as $login"
- name: Verify push access to kurtosis-cli-release-artifacts
run: |
repo="kurtosis-tech/kurtosis-cli-release-artifacts"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo (likely missing repo scope or SSO authorization)."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo — goreleaser will 401 when publishing CLI artifacts."
exit 1
fi
echo "Push access to $repo confirmed"
- name: Verify push access to homebrew-tap
run: |
repo="kurtosis-tech/homebrew-tap"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo — goreleaser Homebrew formula bump will fail."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo."
exit 1
fi
echo "Push access to $repo confirmed"
verify-releaser-token:
name: RELEASER_TOKEN
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
TOKEN: ${{ secrets.RELEASER_TOKEN }}
steps:
- name: Ensure secret is set
run: |
if [ -z "$TOKEN" ]; then
echo "::error::RELEASER_TOKEN secret is empty or missing."
exit 1
fi
- name: Verify authentication
run: |
if ! curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/user > /dev/null 2>&1; then
echo "::error::RELEASER_TOKEN failed to authenticate (401). release-please will not be able to open release PRs."
exit 1
fi
- name: Verify push access to kurtosis-tech/kurtosis
run: |
repo="${{ github.repository }}"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::RELEASER_TOKEN cannot read $repo."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::RELEASER_TOKEN lacks push permission on $repo — release-please cannot open/merge release PRs."
exit 1
fi
echo "Push access to $repo confirmed"
verify-dockerhub-credentials:
name: DOCKERHUB_USERNAME / DOCKERHUB_PASSWORD
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
steps:
- name: Ensure secrets are set
run: |
if [ -z "$DOCKERHUB_USERNAME" ] || [ -z "$DOCKERHUB_PASSWORD" ]; then
echo "::error::DOCKERHUB_USERNAME and/or DOCKERHUB_PASSWORD secret is empty or missing."
exit 1
fi
- name: Verify Docker Hub login
run: |
if ! echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin > /dev/null 2>&1; then
echo "::error::Docker Hub login failed. Rotate DOCKERHUB_PASSWORD (recommend an access token scoped to Read/Write/Delete)."
exit 1
fi
echo "Docker Hub login succeeded for $DOCKERHUB_USERNAME"
docker logout > /dev/null 2>&1 || true
verify-npm-token:
name: NPMJS_AUTH_TOKEN
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
uses: ./.github/workflows/verify-npm-token.yml
secrets: inherit