From 83cf51c8f1336b7a0a5cd95d1489c7a21e3c7ba8 Mon Sep 17 00:00:00 2001 From: Dan Pock Date: Mon, 6 Oct 2025 17:50:30 -0400 Subject: [PATCH 1/3] Add dockerhub login to prevent ratelimit of CI --- .github/workflows/ci.yml | 12 ++++++++++++ .github/workflows/e2e-ci.yaml | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 047ee3c..6bd1c26 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,6 +36,18 @@ jobs: ci: runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }} steps: + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + - # Add support for more platforms with QEMU (optional) # https://github.com/docker/setup-qemu-action diff --git a/.github/workflows/e2e-ci.yaml b/.github/workflows/e2e-ci.yaml index 7976182..7e40c2e 100644 --- a/.github/workflows/e2e-ci.yaml +++ b/.github/workflows/e2e-ci.yaml 
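Review bot: The new `uses: rancher-eio/read-vault-secrets@main` line pins the step that fetches the Docker Hub credentials to a mutable branch, so anyone who can push to that branch can change the code that handles those secrets (and, once the later patch in this series lands, the job's OIDC token); `docker/login-action@v3` is likewise a floating tag. The rest of this workflow pins actions to a full commit SHA with a version comment (e.g. `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`), so the two new actions should follow that convention: `uses: rancher-eio/read-vault-secrets@<full-commit-sha> # <tag>` and `uses: docker/login-action@<full-commit-sha> # v3`. Separately, the login step reads the password from `env.DOCKER_PASSWORD`, which means the Vault step exports it into the job environment; every later step, including `make ci` and third-party actions, inherits it, so confirm the action masks the value and consider whether a step output would scope it more tightly. The surrounding job continues past the end of this hunk.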
@@ -55,6 +55,18 @@ jobs: - arm64 runs-on: ${{ github.repository == 'rancher/kuberlr-kubectl' && format('runs-on,image=ubuntu22-full-{1},runner=4cpu-linux-{1},run-id={0}', github.run_id, matrix.arch) || 'ubuntu-latest' }} steps: + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + - # Add support for more platforms with QEMU (optional) # https://github.com/docker/setup-qemu-action From 302b4adce369be9e42d075b1a46bd7bc7728503a Mon Sep 17 00:00:00 2001 From: Dan Pock Date: Mon, 6 Oct 2025 17:52:54 -0400 Subject: [PATCH 2/3] Add id perms --- .github/workflows/ci.yml | 6 ++++++ .github/workflows/e2e-ci.yaml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6bd1c26..6aa89fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,6 +34,12 @@ env: jobs: ci: + permissions: + # write is needed for: + # - OIDC for cosign's use in ecm-distro-tools/publish-image. + # - Read vault secrets in rancher-eio/read-vault-secrets. + # - Publish image to ghcr.io + id-token: write runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }} steps: - name: Load Secrets from Vault diff --git a/.github/workflows/e2e-ci.yaml b/.github/workflows/e2e-ci.yaml index 7e40c2e..abef23b 100644 --- a/.github/workflows/e2e-ci.yaml +++ b/.github/workflows/e2e-ci.yaml 
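Review bot: The `runs-on:` context line falls back to `ubuntu-latest` when `github.repository` is not `rancher/kuberlr-kubectl`, so this job is expected to run in forks, yet the new Vault step has no such guard: in a fork the path `secret/data/github/repo/${{ github.repository }}/...` points at another repository's slot and the fork's OIDC identity will not be trusted by the Rancher Vault, so the step would presumably fail and take the whole e2e run with it (unless the action tolerates missing secrets, which is not visible here). Gate the Vault step on the same condition the runner selection already uses, `if: github.repository == 'rancher/kuberlr-kubectl'`, and make the login step either conditional on a non-empty password or `continue-on-error: true`, since an anonymous, rate-limited pull is the acceptable degradation for forks. The job's remaining steps lie outside this hunk.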
@@ -48,6 +48,12 @@ permissions: jobs: e2e-kuberlr-kubectl: + permissions: + # write is needed for: + # - OIDC for cosign's use in ecm-distro-tools/publish-image. + # - Read vault secrets in rancher-eio/read-vault-secrets. + # - Publish image to ghcr.io + id-token: write strategy: matrix: arch: From 2fb4e749617fddf7eaf5000bf305641f07dfff7f Mon Sep 17 00:00:00 2001 From: Dan Pock Date: Mon, 6 Oct 2025 18:04:16 -0400 Subject: [PATCH 3/3] Adjust workflow step order --- .github/workflows/ci.yml | 18 ++++++++++-------- .github/workflows/e2e-ci.yaml | 21 +++++++++++---------- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6aa89fb..dfe3186 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -26,41 +26,43 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write # Upload artefacts to release. - env: PUBLIC_REGISTRY: ghcr.io jobs: ci: permissions: + contents: write # Upload artefacts to release. # write is needed for: # - OIDC for cosign's use in ecm-distro-tools/publish-image. # - Read vault secrets in rancher-eio/read-vault-secrets. - # - Publish image to ghcr.io id-token: write + packages: write + attestations: write runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }} steps: + - name: Check out repository code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Load Secrets from Vault uses: rancher-eio/read-vault-secrets@main with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; + - name: Log in to Docker Hub uses: docker/login-action@v3 with: - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ env.DOCKER_PASSWORD }} + username: ${{ env.DOCKER_USERNAME || vars.DOCKER_USERNAME || github.repository_owner }} + password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }} - # Add support for more platforms with QEMU (optional) # https://github.com/docker/setup-qemu-action name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - - name: Check out repository code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Basic CI run: make ci - name: Upload CI files to artifacts (on failure) diff --git a/.github/workflows/e2e-ci.yaml b/.github/workflows/e2e-ci.yaml index abef23b..47c160a 100644 --- a/.github/workflows/e2e-ci.yaml +++ b/.github/workflows/e2e-ci.yaml 
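Review bot: Deleting the workflow-level `permissions:` block (the removed `-permissions:` / `- contents: write` lines) while adding scopes only to the `ci` job means any other job this workflow has or later gains receives the repository's default `GITHUB_TOKEN` permissions, which on many repositories is still write-all; keep a restrictive top-level block (`permissions:` with `contents: read`, or `permissions: {}`) and elevate per job as this hunk does for `ci`. The `ci` job itself now holds `contents: write`, `packages: write`, `attestations: write` and `id-token: write` on every run, while the visible steps are checkout, Vault, login, QEMU, `make ci` and a failure-only artifact upload; if the publish steps sit further down in this job (the hunk is cut before them), consider moving them to a separate job so the build-and-test steps run read-only. Also note that `password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}` expands to an empty string when neither source is available (forks, or a Vault failure that does not fail the step), and docker/login-action, as far as I recall, rejects an empty password rather than skipping, so an `if:` guard on the login step is what would make that fallback meaningful.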
@@ -43,17 +43,16 @@ env: DEBUG: ${{ github.event.inputs.debug || false }} CLUSTER_NAME: 'e2e-ci-kuberlr-kubectl' -permissions: - contents: write - jobs: e2e-kuberlr-kubectl: permissions: + contents: write # Upload artefacts to release. # write is needed for: # - OIDC for cosign's use in ecm-distro-tools/publish-image. # - Read vault secrets in rancher-eio/read-vault-secrets. - # - Publish image to ghcr.io id-token: write + packages: write + attestations: write strategy: matrix: arch: @@ -61,6 +60,11 @@ jobs: - arm64 runs-on: ${{ github.repository == 'rancher/kuberlr-kubectl' && format('runs-on,image=ubuntu22-full-{1},runner=4cpu-linux-{1},run-id={0}', github.run_id, matrix.arch) || 'ubuntu-latest' }} steps: + - + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + fetch-depth: 0 + - name: Load Secrets from Vault uses: rancher-eio/read-vault-secrets@main with: @@ -70,18 +74,15 @@ jobs: - name: Log in to Docker Hub uses: docker/login-action@v3 with: - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ env.DOCKER_PASSWORD }} + username: ${{ env.DOCKER_USERNAME || vars.DOCKER_USERNAME || github.repository_owner }} + password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }} - # Add support for more platforms with QEMU (optional) # https://github.com/docker/setup-qemu-action name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - with: - fetch-depth: 0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 with: go-version: '>=1.20.0'
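Review bot: The first hunk removes the workflow-level `permissions:` block and grants the `e2e-kuberlr-kubectl` job `contents: write`, `packages: write`, `attestations: write` and `id-token: write` on both matrix arches, including the `ubuntu-latest` fork fallback; an end-to-end test job that builds and runs the product is the job most exposed to a malicious or buggy dependency, so those write scopes should be limited to whatever step actually releases or pushes. If the e2e job only needs the Docker Hub login and cosign here, `contents: read` plus `id-token: write` would suffice and the release upload named in the `# Upload artefacts to release.` comment belongs in a separate, event-gated job — the steps that would confirm this are outside the hunk. Keep a top-level `permissions:` with `contents: read` (or `{}`) so jobs without their own block do not fall back to the repository default token.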
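Review bot: The checkout step added in the second hunk (`uses: actions/checkout@08c6903… # v5` with `fetch-depth: 0`) leaves actions/checkout's `persist-credentials` at its default of `true`, so the job's `GITHUB_TOKEN` — which this patch series upgrades to `contents: write` — is stored in `.git/config` on the runner and is readable by every later step and action in the job, for both matrix arches. Unless a later step pushes with git, add `persist-credentials: false` under the existing `with:` block; a step that must push can be given the token explicitly instead. The surrounding `steps:` list continues past the hunk.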