diff --git a/.github/actions/build-test-scan-push/action.yaml b/.github/actions/build-test-scan-push/action.yaml index 6e120ff24..ebd4b1fe6 100644 --- a/.github/actions/build-test-scan-push/action.yaml +++ b/.github/actions/build-test-scan-push/action.yaml 
@@ -63,37 +63,53 @@ runs: sudo rm -rf /usr/share/dotnet # will release about 20GB - name: Login to ghcr.io - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ inputs.ghcr-token }} - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ inputs.dockerhub-username }} password: ${{ inputs.dockerhub-token }} - - name: Authenticate to Google Cloud + - name: Login to GCAR us-central1 continue-on-error: true - uses: google-github-actions/auth@v1 + uses: docker/login-action@v3 with: - credentials_json: '${{ inputs.gcp-json }}' + registry: us-central1-docker.pkg.dev + username: _json_key + password: '${{ inputs.gcp-json }}' - - name: Authenticate GCAR - shell: bash - run: | - if [[ "${{ inputs.gcp-json != '' }}" == "true" ]]; then - gcloud auth configure-docker -q us-central1-docker.pkg.dev - gcloud auth configure-docker -q us-docker.pkg.dev - gcloud auth configure-docker -q asia-docker.pkg.dev - gcloud auth configure-docker -q europe-docker.pkg.dev - fi + - name: Login to GCAR us + continue-on-error: true + uses: docker/login-action@v3 + with: + registry: us-docker.pkg.dev + username: _json_key + password: '${{ inputs.gcp-json }}' + + - name: Login to GCAR asia + continue-on-error: true + uses: docker/login-action@v3 + with: + registry: asia-docker.pkg.dev + username: _json_key + password: '${{ inputs.gcp-json }}' + + - name: Login to GCAR europe + continue-on-error: true + uses: docker/login-action@v3 + with: + registry: europe-docker.pkg.dev + username: _json_key + password: '${{ inputs.gcp-json }}' - name: Build id: image-build - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: load: true context: ${{ inputs.context }} 
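Review bot: `continue-on-error: true` on the four `Login to GCAR …` steps masks every authentication failure, not only the missing-secret case that the removed `if [[ "${{ inputs.gcp-json != '' }}" == "true" ]]` guard handled; a revoked, rotated or malformed key now surfaces only later as an unauthorized push to `*.pkg.dev`, and not at all when `push-image` is false. A step condition keeps the no-secret (fork) path working while letting real failures fail the job: `if: ${{ inputs.gcp-json != '' }}` on each of the four steps, with `continue-on-error` dropped. With `username: _json_key` the password is the full long-lived service-account key JSON on every run, whereas the removed `google-github-actions/auth` step was the path to Workload Identity Federation and short-lived tokens; if the key-file login was a deliberate choice, a comment above the first GCAR step such as `# docker login is per registry host, hence one step per GCAR regional endpoint; key-file auth chosen because …` would record both the repetition and the reason. The bumped `docker/login-action@v3` and `docker/build-push-action@v5` references are mutable major tags on a path that publishes images; pinning to a full commit SHA with the version in a trailing comment removes the tag-retarget risk. The `runs:` block begins before and continues after this hunk.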
@@ -150,7 +166,7 @@ runs: command: ${{ steps.eval-snyk-command.outputs.SNYK_COMMAND }} - name: Push - ${{ inputs.push-image }} - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: push: ${{ inputs.push-image }} context: ${{ inputs.context }} diff --git a/.github/workflows/build-content.yaml b/.github/workflows/build-content.yaml index bd841db11..4b7db4e1c 100644 --- a/.github/workflows/build-content.yaml +++ b/.github/workflows/build-content.yaml @@ -22,6 +22,11 @@ jobs: runs-on: ubuntu-latest needs: matrix name: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}--${{ github.ref }} + + permissions: + contents: read + packages: write + concurrency: group: content-base-${{ matrix.config.os }}-r${{ matrix.config.r }}-py${{ matrix.config.py }}-${{ github.ref }} cancel-in-progress: true @@ -84,6 +89,7 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic @@ -108,6 +114,7 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic @@ -178,6 +185,7 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic @@ -202,5 +210,6 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic diff --git a/.github/workflows/build-manual.yaml b/.github/workflows/build-manual.yaml index 8fa68cc7d..5525f6778 100644 
--- a/.github/workflows/build-manual.yaml +++ b/.github/workflows/build-manual.yaml @@ -59,6 +59,10 @@ jobs: runs-on: ubuntu-latest name: manual-build + permissions: + contents: read + packages: write + steps: - name: Check Out Repo uses: actions/checkout@v3 @@ -133,4 +137,5 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' diff --git a/.github/workflows/build-prerelease.yaml b/.github/workflows/build-prerelease.yaml index dc828c769..fed12d32e 100644 --- a/.github/workflows/build-prerelease.yaml +++ b/.github/workflows/build-prerelease.yaml @@ -18,6 +18,10 @@ jobs: runs-on: ubuntu-latest name: build-${{ matrix.config.type }}-${{ matrix.config.product }}-${{ matrix.config.os }} + permissions: + contents: read + packages: write + strategy: fail-fast: false matrix: @@ -112,6 +116,7 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic @@ -135,5 +140,6 @@ jobs: ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 61e87b86f..d48dbc990 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml 
@@ -12,6 +12,11 @@ jobs: build-base: runs-on: ubuntu-latest name: product-base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }} + + permissions: + contents: read + packages: write + concurrency: group: base-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }}-${{ github.ref }} cancel-in-progress: true @@ -84,9 +89,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic @@ -107,9 +113,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic @@ -118,6 +125,10 @@ jobs: runs-on: ubuntu-latest name: product-base-pro-build-${{ matrix.config.os }}-r${{ matrix.config.r-primary }}_${{ matrix.config.r-alternate }}-py${{ matrix.config.py-primary }}_${{ matrix.config.py-alternate }} + permissions: + contents: read + packages: write + strategy: fail-fast: false matrix: 
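Review bot: Switching `ghcr-token` from `secrets.BUILD_PAT` to `secrets.GITHUB_TOKEN` (hunks `@@ -84` and `@@ -107` here, and the same change in the build-release hunks on the following two lines) only works for packages the repository's job token is allowed to write; ghcr.io packages that were first published with a personal access token may be owned by the publishing account rather than linked to this repository, so the first push on `main` should be checked for a 403 and, if it appears, the repository granted write access in the package's settings. Once this is merged `BUILD_PAT` is no longer read by these workflows and should be revoked and deleted from the repository secrets rather than left as a standing credential. The new job-level `permissions:` blocks (`contents: read`, `packages: write`) are what make the job token sufficient for the ghcr.io push; a comment on the first one, `# job token replaces BUILD_PAT; packages: write is needed for the ghcr.io push`, would tell the next reader why the scope is widened beyond read.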
@@ -190,9 +201,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic @@ -213,9 +225,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic @@ -224,6 +237,10 @@ jobs: runs-on: ubuntu-latest name: build-${{ matrix.config.product }}-${{ matrix.config.os }} + permissions: + contents: read + packages: write + strategy: fail-fast: false matrix: @@ -311,9 +328,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # Begin retry logic 
@@ -334,9 +352,10 @@ jobs: push-image: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 12 * * 1' }} snyk-token: ${{ secrets.SNYK_TOKEN }} snyk-org-id: ${{ secrets.SNYK_ORG_ID }} - ghcr-token: ${{ secrets.BUILD_PAT }} + ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' # End retry logic @@ -345,6 +364,10 @@ jobs: runs-on: ubuntu-latest name: build-workbench-for-google-cloud-workstations + permissions: + contents: read + packages: write + concurrency: group: build-products-${{ matrix.config.product }}-${{ matrix.config.os }}-${{ github.ref }} cancel-in-progress: true