Nirmata 0.130.x #13486
Open
Nirmata 0.130.x #13486
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…or Docker images - Add comprehensive workflow for building and pushing multiarch images - Support linux/amd64 and linux/arm64 platforms - Automated builds on push to main/nirmata-0.130.x branches - Manual workflow dispatch with configurable options - Built-in security scanning with Trivy - SBOM and provenance attestations - Push to ghcr.io/nirmata/opentelemetry-collector - Proper authentication using GITHUB_TOKEN - Version tagging: 0.130.1, 0.130, latest - PR builds for testing (no push) - Image functionality testing - Comprehensive status reporting This resolves authentication issues by using repository's built-in permissions instead of personal access tokens.
- Add security-events: write for Trivy scan SARIF uploads - Add actions: read for workflow details access - Add attestations: write for SBOM and provenance attestations - Ensures compatibility with GitHub Security tab integration - Aligns with repository security workflow patterns (CodeQL, Scorecard)
- Add fallback authentication using CONTAINER_REGISTRY_TOKEN secret - Add conditional push logic to prevent failures when token unavailable - Support multiple authentication methods: org token, repo secret, or GITHUB_TOKEN - Graceful handling of permission issues in organization repositories To fix the permission_denied error: 1. Add CONTAINER_REGISTRY_TOKEN secret with the provided PAT, OR 2. Enable organization package permissions for workflows, OR 3. Create organization-level token with write:packages permission
- Use github.repository_owner instead of hardcoded 'nirmata' - Use CR_PAT secret pattern that works in other Nirmata repos - Match authentication approach from enterprise-kyverno workflow - Remove conditional push logic that was causing issues - This pattern is proven to work in nirmata/enterprise-kyverno Based on working workflow: https://github.com/nirmata/enterprise-kyverno/blob/main/.github/workflows/release.yaml
Analysis of working nirmata/enterprise-kyverno workflow shows: - Main publishing uses secrets.GITHUB_TOKEN (not CR_PAT) - CR_PAT only used in reusable workflow calls - Our workflow now matches their exact authentication pattern This should resolve permission_denied issues since enterprise-kyverno successfully pushes to ghcr.io/nirmata/* using this approach.
Add the Prometheus receiver and prometheusremotewrite exporter to the builder configuration Rebuild the collector with these additional components
|
|
What is this PR meant to do? Did you mean to open it on the upstream Collector repository? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Link to tracking issue
Fixes #
Testing
Documentation