Fix GitHub Releases deployment. #2444

Merged
merged 1 commit into from
Jun 26, 2024

Member

@jsirois jsirois commented Jun 26, 2024

The addition of digital attestations in #2442 broke the GitHub Releases
release by moving from default permissions to more restrictive explicit
permission. Those permissions lacked the content write permission needed
to create the release and post its artifacts.

The addition of digital attestations in pex-tool#2442 broke the GitHub Releases
release by moving from default permissions to more restrictive explicit
permission. Those permissions lacked the content write permission needed
to create the release and post its artifacts.
@@ -72,6 +72,7 @@ jobs:
permissions:
id-token: write
attestations: write
contents: write
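Review bot: the added `contents: write` line sits in the same `permissions:` block as `id-token: write` and `attestations: write`, so every step that runs under this block gets a token that can write repository contents as well as request OIDC tokens and write attestations. If release creation can be moved into its own job, grant `contents: write` only there and leave this block with the two attestation scopes; otherwise add a short comment on the line stating that it is required to create the release and post its artifacts.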
Member Author

The failure caused by the lack of content write permission can be seen here: https://github.com/pex-tool/pex/actions/runs/9684301905/job/26722997959

@@ -72,6 +72,7 @@ jobs:
permissions:
id-token: write
attestations: write
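Review bot: the `id-token: write` and `attestations: write` lines carry no comment saying which step needs them, and the commit message shows that once the block is explicit any scope left out is simply missing at run time. Annotate each scope with the step that consumes it, so a later edit to this block does not drop or duplicate one by mistake.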
Member Author

@jsirois jsirois Jun 26, 2024

The attestations did work, however: https://github.com/pex-tool/pex/attestations

@jsirois jsirois merged commit 02a34af into pex-tool:main Jun 26, 2024
26 checks passed
@jsirois jsirois deleted the release/fixGHR branch June 26, 2024 19:54
Member Author

jsirois commented Jun 26, 2024

Ok, @benjyw, that didn't quite do it. The fix in the 2.6.1 release is a nice-to-have and only really useful if you can't use --pip-version 24.1 (you run Python<3.8). I'm away until July 2nd, at which point I'll dig in to righting the release ship. If an emergency release is needed, I think just reverting this PR and the attestation PR makes sense as the stopgap.

Collaborator

benjyw commented Jun 27, 2024

Thanks @jsirois, I'll keep an eye out for any urgent release needs.

Collaborator

benjyw commented Jun 27, 2024

FWIW, looks like this issue was triggered, presumably by the upgrade of softprops/action-gh-release in #2374, and nothing to do with the attestations.

Member Author

jsirois commented Jul 2, 2024

I don't think so. The action log shows it checked out softprops/action-gh-release@4634c16 which is v2 from February. That issue loosely pattern matches, but is from 2021. I'll be spinning up a test repo to see what's going on.
