Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update-helm-repo: fix oci image push failure #3418

Merged
merged 2 commits into from
Nov 11, 2024
Merged

update-helm-repo: fix oci image push failure #3418

merged 2 commits into from
Nov 11, 2024

Conversation

narqo
Copy link
Contributor

@narqo narqo commented Nov 11, 2024
edited
Loading

This is the fixup for #3366

Relates to #3068

It turned out GitHub doesn't support publishing a package using GitHub App installation tokens (or fine-grained personal tokens). That is, as of today, the users are left with using either "classic" PAT with org-scopes or the magical GITHUB_TOKEN (docs).

This PR fixes the update-helm-repo workflow, updating the last step to use the GITHUB_TOKEN token. Otherwise, the workflow fails with:

Run helm push "/home/runner/work/mimir/mimir/.cr-release-packages/mimir-distributed-5.6.0-weekly.315.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
Error: unexpected status from POST request to https://ghcr.io/v2/grafana/helm-charts/mimir-distributed/blobs/uploads/: 403 Forbidden

Note that, the package is pushed to the GITHUB_REPOSITORY_OWNER repository, under the name helm-charts/<chart-name>. The package than is automatically associated with the source repository that ran the push. This is similar to how helm-chart/grafana-operator is published currently (ref).

@narqo
update-helm-repo: fix oci image push
e8d7185 
Signed-off-by: Vladimir Varankin <[email protected]>
@narqo narqo requested a review from a team as a code owner November 11, 2024 08:22
@narqo narqo changed the title update-helm-repo: fix oci image push update-helm-repo: fix oci image push failure Nov 11, 2024
dimitarvdimitrov
dimitarvdimitrov reviewed Nov 11, 2024
View reviewed changes
.github/workflows/update-helm-repo.yaml
@@ -94,8 +94,7 @@ jobs:
needs: [setup]
runs-on: ubuntu-latest
permissions:
contents: write # to push chart release, create release, and push tags to github
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we still create a GH release. Don't we still need contents

helm-charts/.github/workflows/update-helm-repo.yaml

Lines 205 to 219 in 226cf91

- name: Make github release
uses: softprops/action-gh-release@v1
with:
body: |
${{ steps.parse-chart.outputs.desc }}
Source commit: https://github.com/${{ github.repository }}/commit/${{ github.sha }}
Tag on source: https://github.com/${{ github.repository }}/releases/tag/${{ steps.parse-chart.outputs.tagname }}
files: |
${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz
${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz.prov
repository: grafana/helm-charts
tag_name: ${{ steps.parse-chart.outputs.tagname }}
token: ${{ env.AUTHTOKEN }}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand it, the permissions only apply to GITHUB_TOKEN. But this workflow publishes the content via the app install token, which has the scope assigned when the app is installed.

Not that the workflow never had permissions. They were added only recently in the #3366 (I don't think this was necessary)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so in effect #3383 which you opened was unnecessary?

dimitarvdimitrov
dimitarvdimitrov approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@dimitarvdimitrov dimitarvdimitrov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

krajorama
krajorama approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@krajorama krajorama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stamp

pracucci
pracucci approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@pracucci pracucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@narqo narqo merged commit c9f5634 into main Nov 11, 2024
6 checks passed
@narqo narqo deleted the vldmr/fix-gh-workflow-update-helm branch November 11, 2024 15:19
This was referenced Nov 13, 2024
Merged
Open
@morganrowse morganrowse mentioned this pull request Nov 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dimitarvdimitrov dimitarvdimitrov dimitarvdimitrov approved these changes

@krajorama krajorama krajorama approved these changes

@pracucci pracucci pracucci approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@narqo @pracucci @krajorama @dimitarvdimitrov