
internal/ci: allow steps to influence job permissions

Allow steps declared in a job to set permissions on that job. This is
important when steps are reused between jobs. In particular, the new
registry-login-action step requires a certain permission to be set on
the containing job. We correspondingly update loginCentralRegistry to
use this new capability and remove the manual setting of the permission
within the two jobs that use this reusable step.

We bump the nested CUE module's version in order to use explicit open.

Signed-off-by: Paul Jolly <paul@myitcv.io>
Change-Id: Ifb363e0bffe01e3198b966c7de78e777c604320a
Reviewed-on: https://cue.gerrithub.io/c/cue-lang/cue/+/1230270
TryBot-Result: CUEcueckoo <cueckoo@cuelang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>

+28 -8
+27 -5
internal/ci/base/github.cue
··· 1 + @experiment(explicitopen) 2 + 1 3 package base 2 4 3 5 // This file contains aspects principally related to GitHub workflows ··· 12 14 ) 13 15 14 16 bashWorkflow: githubactions.#Workflow & { 15 - // Use a custom default shell that extends the GitHub default to also fail 16 - // on access to unset variables. 17 - // 18 - // https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell 19 - jobs: [string]: defaults: run: shell: "bash --noprofile --norc -euo pipefail {0}" 17 + 18 + jobs: [string]: { 19 + // Use a custom default shell that extends the GitHub default to also fail 20 + // on access to unset variables. 21 + // 22 + // https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell 23 + defaults: run: shell: "bash --noprofile --norc -euo pipefail {0}" 24 + 25 + // We want to allow steps in a job to define constraints on the job that 26 + // contains them. To allow this for steps that are re-used between jobs, 27 + // we need a means of a step declaring constraints that should be applied 28 + // on the outer structure. And then use a comprehension at the job level 29 + // to "lift" the constraints from the steps it contains. 30 + // 31 + // TODO: for some reason, as a result of either cuelang.org/issue/3594 or 32 + // cuelang.org/issue/4079 we can't constrain this field as follows: 33 + // 34 + // steps: [...{#job: githubactions.#Job}] 35 + steps: [...{#job: _}] 36 + 37 + for _, s in steps { 38 + s.#job... 39 + } 40 + } 20 41 } 21 42 22 43 // These are useful for workflows where we use a matrix over different OS runners ··· 344 365 // TODO: enforce that the job to which this belongs has the relevant 345 366 // permission. 346 367 loginCentralRegistry: githubactions.#Step & { 368 + #job: permissions: "id-token": "write" 347 369 name: "Login to CUE registry" 348 370 uses: "cue-labs/registry-login-action@v1" 349 371 }
+1 -1
internal/ci/cue.mod/module.cue
··· 1 1 module: "github.com/cue-lang/tmp/internal/ci" 2 2 language: { 3 - version: "v0.13.0" 3 + version: "v0.15.0" 4 4 } 5 5 source: { 6 6 kind: "self"
-1
internal/ci/github/release.cue
··· 38 38 branches: list.Concat([[_repo.testDefaultBranch], _repo.protectedBranchPatterns]) 39 39 } 40 40 jobs: goreleaser: { 41 - permissions: "id-token": "write" 42 41 "runs-on": _repo.linuxMachine 43 42 if: "${{github.repository == '\(_repo.githubRepositoryPath)'}}" 44 43
-1
internal/ci/github/trybot.cue
··· 35 35 36 36 jobs: { 37 37 test: { 38 - permissions: "id-token": "write" 39 38 strategy: { 40 39 "fail-fast": false 41 40 matrix: {
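Review bot: in the internal/ci/base/github.cue hunk, the comment kept at lines 365-366 ("// TODO: enforce that the job to which this belongs has the relevant permission.") is now stale, because the new `#job: permissions: "id-token": "write"` on loginCentralRegistry is exactly that enforcement; drop it or reword it to point at the lifting comprehension. The `#job` comment block would also benefit from one sentence saying that a lifted `permissions` constraint widens the token for the whole job, not only the declaring step, since GitHub scopes permissions per job; that is the trade-off anyone adding `#job` to a reusable step should see. Lastly, because `steps: [...{#job: _}]` cannot yet be typed as `githubactions.#Job` (per the TODO citing issues 3594 and 4079), a misspelled field under a step's `#job` is only rejected, if at all, when the job is checked against `githubactions.#Workflow`, with the error reported at the job rather than the step; a short note to that effect would save the next reader a debugging round.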
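Review bot: in the internal/ci/cue.mod/module.cue hunk, the language version jump from v0.13.0 to v0.15.0 is explained only in the commit message ("to use explicit open"); the `@experiment(explicitopen)` attribute added at the top of github.cue is where readers will look first, so a one-line comment there tying the experiment to the required language version would keep the two in sync the next time either is touched.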
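Review bot: in the internal/ci/github/release.cue hunk, deleting `permissions: "id-token": "write"` from goreleaser makes the job's OIDC permission depend entirely on a loginCentralRegistry step being present in its `steps` (not shown in this hunk) so that the comprehension in github.cue lifts it; please confirm that is the case, and consider a comment on the job stating that its permissions are now declared by its steps, so nobody re-adds or removes the line by hand and silently diverges from the step's requirement.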
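Review bot: in the internal/ci/github/trybot.cue hunk, the same dependency applies to `test`: after this deletion it only receives `id-token: write` if one of its steps carries `#job`. Since `test` is a matrix job (`strategy: matrix:` directly below the removed line), it is worth noting in a comment that the lifted permission applies identically to every matrix leg, including any that do not themselves need the registry login, so the widening is accepted deliberately rather than by accident.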