Skip to content

ci(e2e): use GITHUB_TOKEN for GHCR e2e #1554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
crazy-max merged 1 commit into from
Jun 4, 2026
+14 −9
Merged

ci(e2e): use GITHUB_TOKEN for GHCR e2e #1554

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 2 additions & 5 deletions .github/workflows/.e2e-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,6 @@
# reusable workflow
name: .e2e-run

permissions:

@thaJeztah thaJeztah Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why was this removed?

@crazy-max crazy-max Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we introduce packages: write and caller should take care of permissions, not the reusable workflow. There is some analysis here: docker/github-builder#24

contents: read

on:
workflow_call:
inputs:
Expand Down Expand Up @@ -117,8 +114,8 @@ jobs:
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
username: ${{ env.REGISTRY_USER || secrets.registry_username }}
password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
username: ${{ env.REGISTRY_USER || secrets.registry_username || (inputs.registry == 'ghcr.io' && github.actor) || '' }}
password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password || (inputs.registry == 'ghcr.io' && secrets.GITHUB_TOKEN) || '' }}
scope: ${{ inputs.type == 'remote' && inputs.registry == '' && '@push' || '' }}
-
name: Build and push
Expand Down
10 changes: 6 additions & 4 deletions .github/workflows/e2e.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ on:
jobs:
build:
uses: ./.github/workflows/.e2e-run.yml
permissions:
contents: read
packages: write # to push image to GHCR
strategy:
fail-fast: false
matrix:
Expand All @@ -38,7 +41,7 @@ jobs:
-
name: GitHub
registry: ghcr.io
slug: ghcr.io/docker-ghactiontest/test
slug: ghcr.io/docker/build-push-action-test
auth: ghcr
type: remote
-
Expand Down Expand Up @@ -100,11 +103,11 @@ jobs:
registry: ${{ matrix.registry }}
slug: ${{ matrix.slug }}
secrets:
# Pass only the two secrets needed by each matrix entry.
# Pass only the registry-specific secrets needed by each matrix entry.
# GHCR uses the called workflow's GITHUB_TOKEN fallback.
registry_username: >-
${{
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
matrix.auth == 'gar' && secrets.GAR_USERNAME ||
Expand All @@ -116,7 +119,6 @@ jobs:
registry_password: >-
${{
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
Expand Down
6 changes: 6 additions & 0 deletions .github/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
rules:
# rule does not apply to reusable worfklows where permissions are defined by

@thaJeztah thaJeztah Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, right; so wouldn't it still make sense to set defaults, or won't that work?

@crazy-max crazy-max Jun 4, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that won't work unfortunately, see docker/github-builder#24

@thaJeztah thaJeztah Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's annoying! Is it a known issue in zizmor? Is this something that could be fixed in GitHub actions itself?

@crazy-max crazy-max Jun 4, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is tracked inb zizmor yeah

# the caller workflow and not the reusable workflow itself
excessive-permissions:
ignore:
- .e2e-run.yml