Fix: Release workflow permissions #3506
Currently the repo owner, i.e. "prebid", is used to check collaborator permission. However, "github.actor", i.e. the user who runs the workflow, should be used to check user permission. Earlier this workflow was tested on a fork repository (https://github.com/onkarvhanumante/prebid-server/actions/runs/7842711148). However, on the fork repository, the values for owner and username were the same. Therefore this issue was not seen on the fork repository.
The Publish tag step depends on build-master. The build-master step has a writePermission check. Therefore there is no need to include the condition check in the Publish tag step.
@@ -71,7 +64,6 @@ jobs: | |||
publish-tag: | |||
name: Publish tag | |||
needs: build-master | |||
if: contains(needs.check-permission.outputs.hasWritePermission, 'true') |
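Review bot: On the publish-tag job, dropping the `if: contains(needs.check-permission.outputs.hasWritePermission, 'true')` line leaves the write-permission gate implicit: it now holds only because `needs: build-master` causes publish-tag to be skipped when build-master is skipped, and only for as long as build-master keeps its own permission condition. Add a short comment above `needs: build-master` stating that the gate is inherited from build-master, so that a later change to build-master's condition, or an `if: always()` added to this job, does not silently open tag publishing. Note also that the `needs` context exposes only direct dependencies, so with `needs: build-master` alone the removed expression could not read check-permission's output; if an explicit check is wanted on this job, check-permission has to be listed under `needs` as well.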
Should this line for the `publish-tag` step be `if: contains(inputs.debug, 'false')` similar to the `publish-docker-image` and `publish-release` steps? When I go to run the release, the checkbox says: "executes the workflow in debug mode (skip the publishing tag, docker image and release steps)".
The `publish-tag` step has the following code. If `inputs.debug` is true then the `publish-tag` step simply prints the version of the next tag but does not create the tag. This was done because in debug mode we want to run tests against the code and then check what the next version will be, but don't want to release it.
prebid-server/.github/workflows/release.yml, lines 108 to 114 in 79ae58d:

```bash
if [ ${{ inputs.debug }} == 'true' ]; then
  echo "running workflow in debug mode, next ${releaseType} tag: ${nextTag}"
else
  git tag $nextTag
  git push origin $nextTag
  echo "tag=${nextTag}" >> $GITHUB_OUTPUT
fi
```
The release workflow has a `check user permission` step. To check permission, the workflow makes a call to the permission API with repo owner and username as input.

Currently the repo owner, i.e. `prebid`, is used as the username to check collaborator permission. However, `github.actor`, i.e. the user who runs the workflow, should be used to check user permission. This PR makes changes to use github.actor as the username.

Earlier this workflow was tested on a fork repository (https://github.com/onkarvhanumante/prebid-server/actions/runs/7842711148). However, on the fork repository, the values for owner and username were the same. Therefore this issue was not seen on the fork repository.
Tested new changes on fork - https://github.com/onkarvhanumante/prebid-server/actions/runs/7913227266/job/21600444085
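The masking effect described above, as an added example that is not code from this PR or from the prebid-server workflow: it models the permission lookup with constructed data and reports which test scenarios can tell the owner-based check apart from the actor-based one. All usernames, the `example-org` owner and the function names are hypothetical, and treating an unknown username as `none` (fail closed) is an assumption of this model.

```python
# Permission levels that allow a release; the level names follow the
# admin/write/read/none values used for repository collaborators.
WRITE_LEVELS = {"admin", "write"}


def lookup(permissions, username):
    """Return the level for username; unknown names fail closed (assumption)."""
    return permissions.get(username, "none")


def check_with_owner(permissions, owner, actor):
    """Pre-fix behaviour described in the PR: the repo owner is sent as the username."""
    return lookup(permissions, owner) in WRITE_LEVELS


def check_with_actor(permissions, owner, actor):
    """Post-fix behaviour: the user who triggered the run is sent as the username."""
    return lookup(permissions, actor) in WRITE_LEVELS


def distinguishing_cases(cases):
    """Names of the cases where the two checks disagree, i.e. the only
    cases in which a test run can reveal the wrong-username bug."""
    return [
        name
        for name, (perms, owner, actor) in cases.items()
        if check_with_owner(perms, owner, actor) != check_with_actor(perms, owner, actor)
    ]


# Constructed scenarios: (permission table, repo owner, workflow actor).
ORG_PERMS = {"carol": "write", "dave": "read"}
CASES = {
    # Personal fork where the owner runs the workflow: owner == actor.
    "fork_owner_runs": ({"alice": "admin"}, "alice", "alice"),
    # Org repository, maintainer with write access runs the workflow.
    "org_maintainer_runs": (ORG_PERMS, "example-org", "carol"),
    # Org repository, read-only user runs the workflow.
    "org_reader_runs": (ORG_PERMS, "example-org", "dave"),
    # Fork where a read-only collaborator (not the owner) runs the workflow.
    "fork_reader_runs": ({"alice": "admin", "dave": "read"}, "alice", "dave"),
}

if __name__ == "__main__":
    print("cases that expose the bug:", distinguishing_cases(CASES))
```

Only runs where the actor differs from the owner and the two hold different permission levels separate the two checks, so a permission-gate test needs at least one such run.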