Add in needed GHA token permissions

Run-GHA: true Signed-off-by: Margaret Lawson <[email protected]>
daos-stack · Dec 6, 2024 · b3b465e · b3b465e
1 parent 6c9950f
commit b3b465e
Showing 1 changed file with 26 additions and 20 deletions.
diff --git a/.github/workflows/gcp-rpm-build-and-test.yml b/.github/workflows/gcp-rpm-build-and-test.yml
@@ -54,19 +54,31 @@ jobs:
     # instead we assume success at the beginning and then let any axis that fails remove the
     # lastSuccessfulBuild link if it fails
     name: Create lastBuild and lastSuccessfulBuild symlinks
+    permissions:
+      statuses: write
+      contents: read
+      id-token: write
     runs-on: [self-hosted, gcp]
     steps:
+      # we are required to checkout the code to have auth save the token we need for GCSFUSE
+      # per https://github.com/google-github-actions/auth#inputs-miscellaneous
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Authenticate to GCP
         id: gcp-authentication
         uses: 'google-github-actions/auth@v2'
         with:
           project_id: ${{ env.PROJECT_ID }}
           workload_identity_provider: ${{ env.WIP_PROVIDER }}
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v2"
       - name: Set up GCSFUSE
         run: |
-              fusermount -u ${GCS_BUCKET_MOUNT_PT} || true
+              sudo fusermount -u ${GCS_BUCKET_MOUNT_PT} && sudo rm -fr /tmp/gcp_artifacts || true
               mkdir -p "${GCS_BUCKET_MOUNT_PT}"
-              gcsfuse --implicit-dirs "${GCS_BUCKET}" "${GCS_BUCKET_MOUNT_PT}"
+              sudo -u ext_mlawsonca_google_com gcsfuse --implicit-dirs "${GCS_BUCKET}" "${GCS_BUCKET_MOUNT_PT}"
       - name: Create lastBuild and lastSuccessfulBuild symlinks
         run: mkdir -p ${REPO_PATH};
                rm -f ${REPO_PATH}last{,Successful}Build;
@@ -104,6 +116,8 @@ jobs:
     name: Build RPM
     permissions:
       statuses: write
+      contents: read
+      id-token: write
     runs-on: [self-hosted, gcp]
     needs: [Create-symlinks, Calc-rpm-build-matrix]
     if: needs.Create-symlinks.result == 'success' &&
@@ -160,9 +174,10 @@ jobs:
             echo "DISTRO_NAME=$DISTRO_NAME" >> $GITHUB_ENV
             echo "DISTRO_VERSION=$DISTRO_VERSION" >> $GITHUB_ENV
             echo "BUILD_CHROOT=/var/lib/mock/$CHROOT_NAME-${{ github.run_id }}/" >> $GITHUB_ENV
-            echo "STAGE_NAME=Build RPM on $DISTRO_NAME $DISTRO_VERSION" >> $GITHUB_ENV
+            echo "STAGE_NAME=Build GCP RPM on $DISTRO_NAME $DISTRO_VERSION" >> $GITHUB_ENV
             echo "FVERSION=$FVERSION" >> $GITHUB_ENV
             echo "COMMIT_STATUS_DISTRO_VERSION=$COMMIT_STATUS_DISTRO_VERSION" >> $GITHUB_ENV
+            echo "REPO_BUILD_PATH=${REPO_PATH}${{ github.run_number }}/artifact/artifacts/$TARGET" >> $GITHUB_ENV
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -198,7 +213,9 @@ jobs:
                         -e REPO_FILE_URL="$REPO_FILE_URL"
                         -e JENKINS_URL="$JENKINS_URL"
                         -e TARGET="$TARGET"
-                        mock-build make chrootbuild
+                        mock-build make chrootbuild && \
+                        createrepo /var/lib/mock/$CHROOT_NAME/result && \
+                        dnf --disablerepo=\* --repofrompath testrepo,file:"${REPO_BUILD_PATH}" repoquery -a
         # yamllint enable rule:line-length
       - name: Build RPM failure log
         id: build-rpm-fail-log
@@ -214,32 +231,21 @@ jobs:
           path: |
             mock_result/root.log
             mock_result/build.log
-      - name: Create repo
-        id: create-repo
-        if: steps.build-rpm.outcome == 'success'
-        continue-on-error: true
-        run: CHROOT_NAME=$CHROOT_NAME ci/rpm/create_repo.sh
-      - name: Test repo
-        id: test-repo
-        if: steps.create-repo.outcome == 'success'
-        continue-on-error: true
-        run: . ci/gha_functions.sh;
-             dnf --disablerepo=\* --repofrompath
-                 testrepo,file://${REPO_PATH}${{ github.run_number }}/artifact/artifacts/$TARGET
-                 repoquery -a
       - name: Authenticate to GCP
         id: gcp-authentication
         uses: 'google-github-actions/auth@v2'
         with:
           project_id: ${{ env.PROJECT_ID }}
           workload_identity_provider: ${{ env.WIP_PROVIDER }}
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v2"
       - name: Set up GCSFUSE
         run: |
-              fusermount -u ${GCS_BUCKET_MOUNT_PT} || true
+              sudo fusermount -u ${GCS_BUCKET_MOUNT_PT} && sudo rm -fr /tmp/gcp_artifacts || true
               mkdir -p "${GCS_BUCKET_MOUNT_PT}"
-              gcsfuse --implicit-dirs "${GCS_BUCKET}" "${GCS_BUCKET_MOUNT_PT}"
+              sudo -u ext_mlawsonca_google_com gcsfuse --implicit-dirs "${GCS_BUCKET}" "${GCS_BUCKET_MOUNT_PT}"
       - name: Remove lastSuccessfulBuild link and exit failure
-        if: steps.test-repo.outcome != 'success'
+        if: steps.build-rpm.outcome != 'success'
         run: rm -f ${REPO_PATH}lastSuccessfulBuild;
              exit 1
       - name: Publish RPMs