Merge pull request #3528 from cpanato/update-ci

split release job in two to avoid have token excess permissions in prs
kubernetes · Mar 31, 2024 · d67aed5 · d67aed5
2 parents 87521cb + 8b6a7fd
commit d67aed5
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 18 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,7 +3,7 @@ updates:
   - package-ecosystem: gomod
     directory: "/"
     schedule:
-      interval: daily
+      interval: "daily"
     labels:
       - "area/dependency"
       - "release-note-none"

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -55,7 +55,9 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - name: Set up Go
+      id: go
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: '1.22'
         check-latest: true

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -15,13 +15,15 @@ jobs:
 
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.22'
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
-          version: v1.56
+          version: v1.57
           args: --timeout=15m
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,40 +1,47 @@
 ---
 name: release
+
 on:
-  pull_request:
   push:
     tags:
       - 'v*'
+
 jobs:
   build:
     runs-on: ubuntu-latest
+
     permissions:
       id-token: write
-      packages: write
       contents: write
+
     steps:
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          go-version: '1.22'
-          check-latest: true
-      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+          disable-sudo: true
+          egress-policy: audit
+
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3.5.2
         with:
           fetch-depth: 1
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: '1.22'
+          check-latest: true
+
+      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
       - name: Build and publish release
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         if: contains(github.ref, 'refs/tags')
         with:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Test release build
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
-        if: "!contains(github.ref, 'refs/tags')"
-        with:
-          args: release --clean --snapshot --skip=sign
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: artifacts

diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml
@@ -0,0 +1,42 @@
+---
+name: test-snapshot-release
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3.5.2
+        with:
+          fetch-depth: 1
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: '1.22'
+          check-latest: true
+
+      - name: Test release build
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          args: release --clean --snapshot --skip=sign
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: artifacts
+          path: dist/*
diff --git a/dependencies.yaml b/dependencies.yaml
@@ -390,7 +390,7 @@ dependencies:
 
   # golangci-lint-version
   - name: "golangci-lint"
-    version: v1.56
+    version: v1.57
     refPaths:
     - path: .github/workflows/lint.yml
       match: "version: v\\d+.\\d+?\\.?(\\d+)?"