chore: ensure PR workflows can't write to GHCR

.github/workflows/nightly-ghcr.yaml

@@ -0,0 +1,40 @@
+name: Test GHCR Write
+on:
+  schedule:
+    - cron: '0 7 * * *' ## Every day at 0700 UTC
+
+  workflow_dispatch: ## Give us the ability to run this manually
+
+permissions:
+  contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: e2e-ghcr-write-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Build UDS-CLI binary
+        run: make build-cli-linux-amd ARCH=amd64
+
+      - name: Setup K3d
+        uses: ./.github/actions/k3d
+
+      - name: Run e2e tests
+        run: |
+          make test-e2e-ghcr
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs

.github/workflows/test-e2e.yaml → .github/workflows/test-e2e-pr.yaml

@@ -23,8 +23,6 @@ concurrency:
 jobs:
   test:
     runs-on: ubuntu-latest
-    permissions:
-      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -38,18 +36,9 @@ jobs:
       - name: Setup K3d
         uses: ./.github/actions/k3d
 
-      - name: Login to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Run e2e tests
         run: |
-          make test-e2e
-        env:
-          GITHUB_TOKEN: secrets.GITHUB_TOKEN
+          make test-e2e-no-ghcr-write
 
       - name: Save logs
         if: always()

Makefile

@@ -30,10 +30,13 @@ test-unit: ## Run Unit Tests
 test-e2e: ## Run End to End (e2e) tests
 	cd src/test/e2e && go test -failfast -v -timeout 30m
 
-test-e2e-no-ghcr: ## Run End to End (e2e) tests without GHCR
+test-e2e-ghcr: ## Run End to End (e2e) tests with GHCR (contains writes)
+	cd src/test/e2e && go test -failfast -v -timeout 30m -run ".*GHCR.*"
+
+test-e2e-no-ghcr-write: ## Run End to End (e2e) tests without GHCR
 	cd src/test/e2e && go test -failfast -v -timeout 30m -skip ".*GHCR.*"
 
-test-e2e-only-tasks: ## Run End to End (e2e) tests for task runner only
+test-e2e-runner: ## Run End to End (e2e) tests for task runner only
 	cd src/test/e2e && go test -failfast -v -timeout 30m -run TestTaskRunner
 
 schema: ## Update JSON schema for uds-bundle.yaml

src/test/e2e/bundle_test.go

@@ -121,6 +121,10 @@ func TestBundle(t *testing.T) {
 	//Test create using custom tmpDir
 	runCmd(t, "create "+bundleDir+" --tmpdir ./customtmp --confirm --insecure")
 
+	// remove customtmp folder if it exists
+	err := os.RemoveAll("./customtmp")
+	require.NoError(t, err)
+
 }
 
 func TestPackagesFlag(t *testing.T) {

src/test/e2e/ghcr_test.go

@@ -15,8 +15,9 @@ import (
 
 // NOTE: These tests need to have the string "GHCR" in their names
 //       to ensure they are not run by the test-e2e-no-ghcr make target
+//       Also, these tests are run nightly and on releases, not on PRs
 
-func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
+func TestBundleCreateAndPublishGHCR(t *testing.T) {
 	deployZarfInit(t)
 
 	bundleName := "ghcr-test"
@@ -51,7 +52,7 @@ func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
 }
 
 // test the create -o path
-func TestBundleCreateAndDeployGHCR(t *testing.T) {
+func TestBundleCreateRemoteAndDeployGHCR(t *testing.T) {
 	deployZarfInit(t)
 
 	bundleDir := "src/test/bundles/06-ghcr"