-
Notifications
You must be signed in to change notification settings - Fork 96
140 lines (128 loc) · 5.91 KB
/
Copy pathverify-release-tokens.yml
File metadata and controls
140 lines (128 loc) · 5.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: Verify Release Tokens
on:
workflow_call:
workflow_dispatch:
pull_request:
branches: [main]
permissions:
contents: read
# Fork PRs and dependabot PRs don't have access to release secrets. Skip the
# secret-dependent jobs there; GitHub will show them as "skipped" rather than
# failing contributor / dependabot PRs.
jobs:
verify-kurtosisbot-github-token:
name: KURTOSISBOT_GITHUB_TOKEN
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
TOKEN: ${{ secrets.KURTOSISBOT_GITHUB_TOKEN }}
steps:
- name: Ensure secret is set
run: |
if [ -z "$TOKEN" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN secret is empty or missing."
exit 1
fi
- name: Verify authentication
run: |
if ! user=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/user 2>/dev/null); then
echo "::error::KURTOSISBOT_GITHUB_TOKEN failed to authenticate against the GitHub API (401). Rotate the PAT."
exit 1
fi
login=$(echo "$user" | jq -r '.login')
echo "Authenticated as $login"
- name: Verify push access to kurtosis-cli-release-artifacts
run: |
repo="kurtosis-tech/kurtosis-cli-release-artifacts"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo (likely missing repo scope or SSO authorization)."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo — goreleaser will 401 when publishing CLI artifacts."
exit 1
fi
echo "Push access to $repo confirmed"
- name: Verify push access to homebrew-tap
run: |
repo="kurtosis-tech/homebrew-tap"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::KURTOSISBOT_GITHUB_TOKEN cannot read $repo — goreleaser Homebrew formula bump will fail."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::KURTOSISBOT_GITHUB_TOKEN lacks push permission on $repo."
exit 1
fi
echo "Push access to $repo confirmed"
verify-releaser-token:
name: RELEASER_TOKEN
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
TOKEN: ${{ secrets.RELEASER_TOKEN }}
steps:
- name: Ensure secret is set
run: |
if [ -z "$TOKEN" ]; then
echo "::error::RELEASER_TOKEN secret is empty or missing."
exit 1
fi
- name: Verify authentication
run: |
if ! curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/user > /dev/null 2>&1; then
echo "::error::RELEASER_TOKEN failed to authenticate (401). release-please will not be able to open release PRs."
exit 1
fi
- name: Verify push access to kurtosis-tech/kurtosis
run: |
repo="${{ github.repository }}"
resp=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$repo" 2>/dev/null) || {
echo "::error::RELEASER_TOKEN cannot read $repo."
exit 1
}
push=$(echo "$resp" | jq -r '.permissions.push // false')
if [ "$push" != "true" ]; then
echo "::error::RELEASER_TOKEN lacks push permission on $repo — release-please cannot open/merge release PRs."
exit 1
fi
echo "Push access to $repo confirmed"
verify-dockerhub-credentials:
name: DOCKERHUB_USERNAME / DOCKERHUB_PASSWORD
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
steps:
- name: Ensure secrets are set
run: |
if [ -z "$DOCKERHUB_USERNAME" ] || [ -z "$DOCKERHUB_PASSWORD" ]; then
echo "::error::DOCKERHUB_USERNAME and/or DOCKERHUB_PASSWORD secret is empty or missing."
exit 1
fi
- name: Verify Docker Hub login
run: |
if ! echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin > /dev/null 2>&1; then
echo "::error::Docker Hub login failed. Rotate DOCKERHUB_PASSWORD (recommend an access token scoped to Read/Write/Delete)."
exit 1
fi
echo "Docker Hub login succeeded for $DOCKERHUB_USERNAME"
docker logout > /dev/null 2>&1 || true
verify-npm-token:
name: NPMJS_AUTH_TOKEN
if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
uses: ./.github/workflows/verify-npm-token.yml
secrets: inherit