Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add permissions to the GitHub Actions token #5106

Merged
merged 1 commit into from
Aug 26, 2024
Merged

Add permissions to the GitHub Actions token #5106

merged 1 commit into from
Aug 26, 2024

Conversation

nrb
Copy link
Contributor

@nrb nrb commented Aug 26, 2024

What type of PR is this?

/kind bug

What this PR does / why we need it:

Since moving to the Kubernetes GitHub Enterprise account, our GitHub Actions jobs haven't been able to write their status to the API.

This results in the following error on all jobs that run within GitHub Actions:

Error: unable to create check run: POST https://api.github.com/repos/kubernetes-sigs/cluster-api-provider-aws/check-runs: 403 Resource not accessible by integration []

Special notes for your reviewer:

This is similar to the permissions carried by upstream CAPI

Release note:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. labels Aug 26, 2024
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 26, 2024
@nrb
Copy link
Contributor Author

nrb commented Aug 26, 2024

The values for this PR come from a similar one in CAPI

damdo
damdo reviewed Aug 26, 2024
View reviewed changes
Copy link
Member

@damdo damdo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2024
@nrb
Copy link
Contributor Author

nrb commented Aug 26, 2024

Also - GitHub won't pick up the new values from this PR until it's merged, as a safety measure against attacks (so that random users can't open a PR and export secrets).

@nrb
Fix permissions for GitHub Actions jobs
e1e078b 
* Dependabot needs to be able to update PRs it creates
* The pr-verify job needs to be able to write to the checks API

Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2024
AndiDog
AndiDog reviewed Aug 26, 2024
View reviewed changes
Copy link
Contributor

@AndiDog AndiDog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AndiDog

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2024
@cblecker cblecker merged commit 4507c0b into kubernetes-sigs:main Aug 26, 2024
15 of 17 checks passed
@cblecker
Copy link
Member

Manually merging at OWNERS request as this is to address the failing GH action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndiDog AndiDog AndiDog left review comments

@damdo damdo damdo left review comments

@luthermonson luthermonson Awaiting requested review from luthermonson

@sbueringer sbueringer Awaiting requested review from sbueringer

Assignees

@AndiDog AndiDog

@damdo damdo

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nrb @k8s-ci-robot @cblecker @AndiDog @damdo