From e596d93a4eddbda7442858dfbcc5fc8dc3bb8651 Mon Sep 17 00:00:00 2001 From: Kieran Mann Date: Wed, 11 Feb 2026 08:39:00 -0800 Subject: [PATCH 1/2] speculative: add cache variable everywhere to gha --- .github/workflows/README.md | 15 +++++++++++++++ .github/workflows/build-earthly.yml | 1 + .github/workflows/ci-lint-changelog.yml | 1 + .github/workflows/ci-scheduled-podman-mac.yml | 1 + .github/workflows/ci-security.yml | 3 +++ .github/workflows/ci-staging-deploy.yml | 3 +++ .github/workflows/docs-checks-links.yml | 1 + .github/workflows/on-tag-release.yml | 3 +++ .github/workflows/release-merge-docs.yml | 1 + .../workflows/reusable-bootstrap-integrations.yml | 1 + .../reusable-docker-build-integrations.yml | 1 + .../workflows/reusable-earthbuild-image-tests.yml | 1 + .github/workflows/reusable-example.yml | 1 + .github/workflows/reusable-export-test.yml | 1 + .github/workflows/reusable-git-metadata-test.yml | 1 + .github/workflows/reusable-misc-tests-1.yml | 1 + .github/workflows/reusable-misc-tests-2.yml | 1 + .github/workflows/reusable-push-integrations.yml | 1 + .github/workflows/reusable-race-test.yml | 1 + .github/workflows/reusable-repo-auth-tests.yml | 1 + .../workflows/reusable-secrets-integrations.yml | 1 + .github/workflows/reusable-test-local.yml | 1 + .github/workflows/reusable-test.yml | 1 + .github/workflows/reusable-wait-block-main.yml | 1 + .github/workflows/reusable-wait-block-target.yml | 1 + 25 files changed, 45 insertions(+) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 4f6e5556d4..ec52c13d95 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md 
@@ -2,6 +2,21 @@ Documentation for this repo GitHub actions configuration +## Earthly remote cache (GHCR) + +CI workflows that execute `earthly` set `EARTHLY_REMOTE_CACHE` from the repository Actions variable `REMOTE_CACHE_REGISTRY`. + +Set `REMOTE_CACHE_REGISTRY` to a full GHCR image ref used only for cache, for example: + +`ghcr.io/earthly/cache/buildkit/earthly:ci` + +Permissions required for workflows that write cache: + +- `packages: write` to push/update cache layers +- `packages: read` to pull existing cache layers + +For pull requests from forks (where secrets/tokens may be restricted), cache export may fail due to permissions. Cache import from public refs can still work. + ## Skipping PR Workflows (DISABLED! SEE NOTE BELOW) The following is disabled due to issue https://github.com/orgs/community/discussions/13261. diff --git a/.github/workflows/build-earthly.yml b/.github/workflows/build-earthly.yml index 4245e068d0..31bd48d392 100644 --- a/.github/workflows/build-earthly.yml +++ b/.github/workflows/build-earthly.yml @@ -35,6 +35,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Use fixed buildkitd image with Docker 29+ ulimit fix until next release diff --git a/.github/workflows/ci-lint-changelog.yml b/.github/workflows/ci-lint-changelog.yml index 347a09be0b..1bc1129f07 100644 --- a/.github/workflows/ci-lint-changelog.yml +++ b/.github/workflows/ci-lint-changelog.yml 
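Review bot: When `REMOTE_CACHE_REGISTRY` is not defined (a fork, or a repository where the variable has not been created yet), the `EARTHLY_REMOTE_CACHE` line added to build-earthly.yml expands to a string ending in `ref=` with no image. The same line is repeated in every other workflow this patch touches. How earthly treats an empty `ref` is not visible here, so I would set the value only when the variable exists: `EARTHLY_REMOTE_CACHE: ${{ vars.REMOTE_CACHE_REGISTRY && format('earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref={0}', vars.REMOTE_CACHE_REGISTRY) || '' }}`. Defining the literal once (a reusable-workflow input or a composite action) would also stop the two dozen copies from drifting apart. The `env:` block continues outside the hunk.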
@@ -16,6 +16,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/ci-scheduled-podman-mac.yml b/.github/workflows/ci-scheduled-podman-mac.yml index 41c197d4f8..c1bd8dcc01 100644 --- a/.github/workflows/ci-scheduled-podman-mac.yml +++ b/.github/workflows/ci-scheduled-podman-mac.yml @@ -11,6 +11,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" BUILT_EARTHLY_PATH: build/darwin/amd64/earthly # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/ci-security.yml b/.github/workflows/ci-security.yml index 7eaebed1c4..056275b9b0 100644 --- a/.github/workflows/ci-security.yml +++ b/.github/workflows/ci-security.yml @@ -6,6 +6,9 @@ on: - '**/go.mod' - '**/go.sum' +env: + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" + jobs: govulncheck: name: Go Vulnerabilities Report diff --git a/.github/workflows/ci-staging-deploy.yml b/.github/workflows/ci-staging-deploy.yml index cd293d5812..8fc1977867 100644 --- a/.github/workflows/ci-staging-deploy.yml +++ b/.github/workflows/ci-staging-deploy.yml @@ -12,6 +12,9 @@ on: - '.github/CODEOWNERS' - 'LICENSE' +env: + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" + jobs: build-earthly: permissions: write-all 
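Review bot: The workflow-level `env:` added to ci-staging-deploy.yml, and the identical block added to on-tag-release.yml, point the staging and release builds at the same cache ref as the pull-request test workflows. Once test jobs can export to that ref, layers produced while running unreviewed branch code become inputs to release artifacts. I would leave `EARTHLY_REMOTE_CACHE` out of these two workflows, or give them a separate ref that only protected-branch runs can write, with a comment such as `# release builds must not import cache written by PR jobs`. The context line `permissions: write-all` on `build-earthly` is not part of this change, but it means that job is not limited by any narrower scope set elsewhere in the file.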
diff --git a/.github/workflows/docs-checks-links.yml b/.github/workflows/docs-checks-links.yml index 2653c731f0..09c59427de 100644 --- a/.github/workflows/docs-checks-links.yml +++ b/.github/workflows/docs-checks-links.yml @@ -16,6 +16,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/on-tag-release.yml b/.github/workflows/on-tag-release.yml index b3be5811b7..ecfb59b442 100644 --- a/.github/workflows/on-tag-release.yml +++ b/.github/workflows/on-tag-release.yml @@ -4,6 +4,9 @@ on: release: types: [published] +env: + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" + jobs: add-artifacts-to-release: runs-on: ubuntu-24.04-arm diff --git a/.github/workflows/release-merge-docs.yml b/.github/workflows/release-merge-docs.yml index 544e50687d..91c66db0e2 100644 --- a/.github/workflows/release-merge-docs.yml +++ b/.github/workflows/release-merge-docs.yml @@ -16,6 +16,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/reusable-bootstrap-integrations.yml b/.github/workflows/reusable-bootstrap-integrations.yml index e14ff3fc0e..274b6cce77 100644 --- a/.github/workflows/reusable-bootstrap-integrations.yml 
+++ b/.github/workflows/reusable-bootstrap-integrations.yml @@ -25,6 +25,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/reusable-docker-build-integrations.yml b/.github/workflows/reusable-docker-build-integrations.yml index 41e8b3957d..e28f365932 100644 --- a/.github/workflows/reusable-docker-build-integrations.yml +++ b/.github/workflows/reusable-docker-build-integrations.yml @@ -31,6 +31,7 @@ jobs: FORCE_COLOR: 1 EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/reusable-earthbuild-image-tests.yml b/.github/workflows/reusable-earthbuild-image-tests.yml index aa198b19e5..8d49632e55 100644 --- a/.github/workflows/reusable-earthbuild-image-tests.yml +++ b/.github/workflows/reusable-earthbuild-image-tests.yml @@ -35,6 +35,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-example.yml b/.github/workflows/reusable-example.yml index 9c04d3ec3c..24a673350a 100644 
--- a/.github/workflows/reusable-example.yml +++ b/.github/workflows/reusable-example.yml @@ -44,6 +44,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" diff --git a/.github/workflows/reusable-export-test.yml b/.github/workflows/reusable-export-test.yml index 0dc0657ce8..08d2f7b844 100644 --- a/.github/workflows/reusable-export-test.yml +++ b/.github/workflows/reusable-export-test.yml @@ -28,6 +28,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-git-metadata-test.yml b/.github/workflows/reusable-git-metadata-test.yml index 5bc5f93888..45c1ec5333 100644 --- a/.github/workflows/reusable-git-metadata-test.yml +++ b/.github/workflows/reusable-git-metadata-test.yml @@ -32,6 +32,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" diff --git a/.github/workflows/reusable-misc-tests-1.yml b/.github/workflows/reusable-misc-tests-1.yml index 3f23afdfce..1b9c8a982c 100644 --- a/.github/workflows/reusable-misc-tests-1.yml +++ b/.github/workflows/reusable-misc-tests-1.yml 
@@ -35,6 +35,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-misc-tests-2.yml b/.github/workflows/reusable-misc-tests-2.yml index e97ff5a458..252815f15f 100644 --- a/.github/workflows/reusable-misc-tests-2.yml +++ b/.github/workflows/reusable-misc-tests-2.yml @@ -38,6 +38,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-push-integrations.yml b/.github/workflows/reusable-push-integrations.yml index 5735d68400..72368d0075 100644 --- a/.github/workflows/reusable-push-integrations.yml +++ b/.github/workflows/reusable-push-integrations.yml @@ -34,6 +34,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-race-test.yml b/.github/workflows/reusable-race-test.yml index 9ccc3fa395..bf77dcd376 100644 --- a/.github/workflows/reusable-race-test.yml +++ b/.github/workflows/reusable-race-test.yml 
@@ -44,6 +44,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/reusable-repo-auth-tests.yml b/.github/workflows/reusable-repo-auth-tests.yml index f502139fb9..bacd9fc5c5 100644 --- a/.github/workflows/reusable-repo-auth-tests.yml +++ b/.github/workflows/reusable-repo-auth-tests.yml @@ -35,6 +35,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" SSH_PORT: "2222" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/reusable-secrets-integrations.yml b/.github/workflows/reusable-secrets-integrations.yml index b6ff6d721d..440ecb90e0 100644 --- a/.github/workflows/reusable-secrets-integrations.yml +++ b/.github/workflows/reusable-secrets-integrations.yml @@ -35,6 +35,7 @@ jobs: FORCE_COLOR: 1 EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}" EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" # Used in our github action as the token - TODO: look to change it into an input diff --git a/.github/workflows/reusable-test-local.yml b/.github/workflows/reusable-test-local.yml index d4c10993e6..461c4d8c67 100644 --- a/.github/workflows/reusable-test-local.yml +++ b/.github/workflows/reusable-test-local.yml 
@@ -39,6 +39,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" DOCKERHUB_MIRROR_USERNAME: "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" DOCKERHUB_MIRROR_PASSWORD: "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}" diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml index 46aa3007e1..64506430dc 100644 --- a/.github/workflows/reusable-test.yml +++ b/.github/workflows/reusable-test.yml @@ -44,6 +44,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/reusable-wait-block-main.yml b/.github/workflows/reusable-wait-block-main.yml index 7051b8112f..0160b7daa6 100644 --- a/.github/workflows/reusable-wait-block-main.yml +++ b/.github/workflows/reusable-wait-block-main.yml @@ -34,6 +34,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: diff --git a/.github/workflows/reusable-wait-block-target.yml b/.github/workflows/reusable-wait-block-target.yml index 5856d8f82f..ec7a9612f3 100644 --- a/.github/workflows/reusable-wait-block-target.yml +++ b/.github/workflows/reusable-wait-block-target.yml 
@@ -41,6 +41,7 @@ jobs: env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" + EARTHLY_REMOTE_CACHE: "earthly-ghcr-cache,image-manifest=true,oci-mediatypes=true,ref=${{ vars.REMOTE_CACHE_REGISTRY }}" # Used in our github action as the token - TODO: look to change it into an input GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: From d66bcfe2a66cbf154d61bfa9da56a16cac192582 Mon Sep 17 00:00:00 2001 From: Kieran Mann Date: Wed, 11 Feb 2026 09:58:42 -0800 Subject: [PATCH 2/2] attempt fix for permissions --- .github/workflows/ci-docker-ubuntu.yml | 4 ++++ .github/workflows/ci-earthly-next-docker-ubuntu.yml | 4 ++++ .github/workflows/ci-lint-changelog.yml | 3 +++ .github/workflows/ci-podman-ubuntu.yml | 4 ++++ .github/workflows/ci-scheduled-podman-mac.yml | 3 +++ .github/workflows/ci-security.yml | 1 + .github/workflows/ci-staging-deploy.yml | 3 ++- .github/workflows/docs-checks-links.yml | 3 +++ .github/workflows/on-tag-release.yml | 3 ++- .github/workflows/release-merge-docs.yml | 3 +++ .github/workflows/reusable-bootstrap-integrations.yml | 3 +++ .github/workflows/reusable-docker-build-integrations.yml | 3 +++ .github/workflows/reusable-earthbuild-image-tests.yml | 3 +++ .github/workflows/reusable-example.yml | 3 +++ .github/workflows/reusable-export-test.yml | 3 +++ .github/workflows/reusable-git-metadata-test.yml | 3 +++ .github/workflows/reusable-misc-tests-1.yml | 3 +++ .github/workflows/reusable-misc-tests-2.yml | 2 +- .github/workflows/reusable-push-integrations.yml | 3 +++ .github/workflows/reusable-race-test.yml | 3 +++ .github/workflows/reusable-repo-auth-tests.yml | 3 +++ .github/workflows/reusable-secrets-integrations.yml | 3 +++ .github/workflows/reusable-test-local.yml | 3 +++ .github/workflows/reusable-test.yml | 3 +++ .github/workflows/reusable-wait-block-main.yml | 3 +++ .github/workflows/reusable-wait-block-target.yml | 3 +++ 26 files changed, 75 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/ci-docker-ubuntu.yml b/.github/workflows/ci-docker-ubuntu.yml index e5dafddf1b..20f4a9ccf3 100644 --- a/.github/workflows/ci-docker-ubuntu.yml +++ b/.github/workflows/ci-docker-ubuntu.yml @@ -16,6 +16,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + packages: write + jobs: # this job will output a boolean value to check whether files that require these tests to run # since all jobs depend on `build-earthly` job, conditionally running it will either cause all jobs to run or skip, diff --git a/.github/workflows/ci-earthly-next-docker-ubuntu.yml b/.github/workflows/ci-earthly-next-docker-ubuntu.yml index 7848163438..b00af7ad95 100644 --- a/.github/workflows/ci-earthly-next-docker-ubuntu.yml +++ b/.github/workflows/ci-earthly-next-docker-ubuntu.yml @@ -16,6 +16,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + packages: write + jobs: build-earthly-with-next: permissions: write-all diff --git a/.github/workflows/ci-lint-changelog.yml b/.github/workflows/ci-lint-changelog.yml index 1bc1129f07..1f5bfdd313 100644 --- a/.github/workflows/ci-lint-changelog.yml +++ b/.github/workflows/ci-lint-changelog.yml @@ -13,6 +13,9 @@ jobs: test: name: +lint-changelog runs-on: ubuntu-24.04-arm + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/ci-podman-ubuntu.yml b/.github/workflows/ci-podman-ubuntu.yml index dfe32c7b89..d5547f6bd0 100644 --- a/.github/workflows/ci-podman-ubuntu.yml +++ b/.github/workflows/ci-podman-ubuntu.yml 
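Review bot: The top-level `permissions:` block added to ci-docker-ubuntu.yml gives `packages: write` to every job that sets no block of its own. That includes the first job, which the context comment describes as only computing a boolean from changed files. The same block is added to ci-earthly-next-docker-ubuntu.yml and ci-podman-ubuntu.yml. I would keep the workflow default at `packages: read` and put `packages: write` only on the jobs that call a reusable workflow that exports cache, with a comment saying why, e.g. `# needed to push earthly remote cache layers to GHCR`.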
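Review bot: In ci-earthly-next-docker-ubuntu.yml the new top-level `contents: read` / `packages: write` block has no effect on `build-earthly-with-next`, because the context line right after it shows that job declaring `permissions: write-all`, and a job-level block replaces the workflow default. Readers of the file will assume the workflow is scoped down when its first job is not. If the job only needs to check out and push cache, replace `write-all` with the same two explicit scopes. The job body continues outside the hunk, so its other needs cannot be confirmed from here.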
@@ -16,6 +16,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + packages: write + jobs: # this job will output a boolean value to check whether files that require these tests to run # since all jobs depend on `build-earthly` job, conditionally running it will either cause all jobs to run or skip, diff --git a/.github/workflows/ci-scheduled-podman-mac.yml b/.github/workflows/ci-scheduled-podman-mac.yml index c1bd8dcc01..c8879ad019 100644 --- a/.github/workflows/ci-scheduled-podman-mac.yml +++ b/.github/workflows/ci-scheduled-podman-mac.yml @@ -8,6 +8,9 @@ jobs: podman-macos-test: name: +testing-gha-podman runs-on: macos-15 # GitHub Actions the latest tag still uses macos-11, which does not have brew installed by default + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/ci-security.yml b/.github/workflows/ci-security.yml index 056275b9b0..9e4eb8f6fc 100644 --- a/.github/workflows/ci-security.yml +++ b/.github/workflows/ci-security.yml @@ -15,6 +15,7 @@ jobs: runs-on: ubuntu-24.04-arm permissions: contents: read + packages: write env: FORCE_COLOR: 1 steps: diff --git a/.github/workflows/ci-staging-deploy.yml b/.github/workflows/ci-staging-deploy.yml index 8fc1977867..0a09cbf382 100644 --- a/.github/workflows/ci-staging-deploy.yml +++ b/.github/workflows/ci-staging-deploy.yml @@ -202,7 +202,7 @@ jobs: needs: [build-earthly, prepare-release, release-image] runs-on: ubuntu-24.04 permissions: - packages: read + packages: write env: FORCE_COLOR: 1 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -236,6 +236,7 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: write + packages: write env: FORCE_COLOR: 1 GITHUB_USER: "earthbuild" diff --git a/.github/workflows/docs-checks-links.yml b/.github/workflows/docs-checks-links.yml index 09c59427de..9c4b544cbe 100644 
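Review bot: Changing `packages: read` to `packages: write` in the ci-staging-deploy.yml job that needs `[build-earthly, prepare-release, release-image]` widens the token for more than the cache image. The scope covers every GHCR package this repository is allowed to write, presumably including the published images. The same widening is made in on-tag-release.yml and reusable-misc-tests-2.yml, and `packages: write` is added to most test jobs in this patch. I would keep these jobs on `packages: read` so they only import cache, and export from one dedicated job that runs on the default branch. If export must stay, a comment such as `# write is for cache export only; do not push release tags from this job` records the intent.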
--- a/.github/workflows/docs-checks-links.yml +++ b/.github/workflows/docs-checks-links.yml @@ -13,6 +13,9 @@ concurrency: jobs: check-broken-links: runs-on: "ubuntu-latest" + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/on-tag-release.yml b/.github/workflows/on-tag-release.yml index ecfb59b442..c29a0c658c 100644 --- a/.github/workflows/on-tag-release.yml +++ b/.github/workflows/on-tag-release.yml @@ -13,6 +13,7 @@ jobs: permissions: contents: write actions: read + packages: write env: FORCE_COLOR: 1 steps: @@ -33,7 +34,7 @@ jobs: runs-on: ubuntu-24.04-arm permissions: contents: read - packages: read + packages: write env: FORCE_COLOR: 1 steps: diff --git a/.github/workflows/release-merge-docs.yml b/.github/workflows/release-merge-docs.yml index 91c66db0e2..0ad247eeef 100644 --- a/.github/workflows/release-merge-docs.yml +++ b/.github/workflows/release-merge-docs.yml @@ -13,6 +13,9 @@ jobs: main-to-docs: name: merge main to docs-0.8 runs-on: "ubuntu-latest" + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-bootstrap-integrations.yml b/.github/workflows/reusable-bootstrap-integrations.yml index 274b6cce77..326ed98f99 100644 --- a/.github/workflows/reusable-bootstrap-integrations.yml +++ b/.github/workflows/reusable-bootstrap-integrations.yml @@ -32,6 +32,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/reusable-docker-build-integrations.yml b/.github/workflows/reusable-docker-build-integrations.yml index e28f365932..c96710f3f0 100644 
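Review bot: The job-level `packages: write` added to reusable-bootstrap-integrations.yml only works if every caller grants at least that scope, because a called workflow can lower the caller's token permissions but not raise them. A caller left at `packages: read` fails at workflow start. This patch updates ci-docker-ubuntu.yml, ci-earthly-next-docker-ubuntu.yml and ci-podman-ubuntu.yml at workflow level; any other caller of the `reusable-*.yml` files should be checked. The `reusable-*` jobs guarded only by `if: ${{!inputs.SKIP_JOB}}` also run for fork pull requests, where the token is normally read-only, so confirm that a failed cache export does not fail the build; the README added in the first patch already expects export to fail there.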
--- a/.github/workflows/reusable-docker-build-integrations.yml +++ b/.github/workflows/reusable-docker-build-integrations.yml @@ -27,6 +27,9 @@ jobs: docker-build-integration: if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_ORG: "${{inputs.EARTHLY_ORG}}" diff --git a/.github/workflows/reusable-earthbuild-image-tests.yml b/.github/workflows/reusable-earthbuild-image-tests.yml index 8d49632e55..84d6cf4db1 100644 --- a/.github/workflows/reusable-earthbuild-image-tests.yml +++ b/.github/workflows/reusable-earthbuild-image-tests.yml @@ -32,6 +32,9 @@ jobs: earthbuild-image-tests: if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-example.yml b/.github/workflows/reusable-example.yml index 24a673350a..41138443a2 100644 --- a/.github/workflows/reusable-example.yml +++ b/.github/workflows/reusable-example.yml @@ -41,6 +41,9 @@ jobs: name: ${{inputs.EXAMPLE_NAME}}-${{inputs.RUNS_ON}}-${{inputs.BINARY}} if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-export-test.yml b/.github/workflows/reusable-export-test.yml index 08d2f7b844..d43e0e8482 100644 --- a/.github/workflows/reusable-export-test.yml +++ b/.github/workflows/reusable-export-test.yml @@ -25,6 +25,9 @@ jobs: name: Export tests runs-on: ${{inputs.RUNS_ON}} if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" 
diff --git a/.github/workflows/reusable-git-metadata-test.yml b/.github/workflows/reusable-git-metadata-test.yml index 45c1ec5333..4f1e6f1b74 100644 --- a/.github/workflows/reusable-git-metadata-test.yml +++ b/.github/workflows/reusable-git-metadata-test.yml @@ -29,6 +29,9 @@ jobs: name: +testing-gha-${{inputs.RUNS_ON}}-${{inputs.BINARY}} if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-misc-tests-1.yml b/.github/workflows/reusable-misc-tests-1.yml index 1b9c8a982c..5d60350be1 100644 --- a/.github/workflows/reusable-misc-tests-1.yml +++ b/.github/workflows/reusable-misc-tests-1.yml @@ -32,6 +32,9 @@ jobs: misc-tests-1: if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-misc-tests-2.yml b/.github/workflows/reusable-misc-tests-2.yml index 252815f15f..cb2b2b974f 100644 --- a/.github/workflows/reusable-misc-tests-2.yml +++ b/.github/workflows/reusable-misc-tests-2.yml @@ -34,7 +34,7 @@ jobs: runs-on: ${{inputs.RUNS_ON}} permissions: contents: read - packages: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-push-integrations.yml b/.github/workflows/reusable-push-integrations.yml index 72368d0075..60168e946b 100644 --- a/.github/workflows/reusable-push-integrations.yml +++ b/.github/workflows/reusable-push-integrations.yml @@ -31,6 +31,9 @@ jobs: push-integrations: if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" 
diff --git a/.github/workflows/reusable-race-test.yml b/.github/workflows/reusable-race-test.yml index bf77dcd376..5d2ed72d4c 100644 --- a/.github/workflows/reusable-race-test.yml +++ b/.github/workflows/reusable-race-test.yml @@ -41,6 +41,9 @@ jobs: name: ${{inputs.TEST_TARGET}} (-race) if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-repo-auth-tests.yml b/.github/workflows/reusable-repo-auth-tests.yml index bacd9fc5c5..c925eb0390 100644 --- a/.github/workflows/reusable-repo-auth-tests.yml +++ b/.github/workflows/reusable-repo-auth-tests.yml @@ -32,6 +32,9 @@ jobs: name: repo auth tests if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-secrets-integrations.yml b/.github/workflows/reusable-secrets-integrations.yml index 440ecb90e0..7e22dde813 100644 --- a/.github/workflows/reusable-secrets-integrations.yml +++ b/.github/workflows/reusable-secrets-integrations.yml @@ -31,6 +31,9 @@ jobs: secret-integration: if: ${{ !inputs.SKIP_JOB && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}" diff --git a/.github/workflows/reusable-test-local.yml b/.github/workflows/reusable-test-local.yml index 461c4d8c67..e42a667ea5 100644 --- a/.github/workflows/reusable-test-local.yml +++ b/.github/workflows/reusable-test-local.yml 
@@ -36,6 +36,9 @@ jobs: name: test-local ${{inputs.BINARY}} if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml index 64506430dc..c20b71d614 100644 --- a/.github/workflows/reusable-test.yml +++ b/.github/workflows/reusable-test.yml @@ -41,6 +41,9 @@ jobs: name: +testing-gha-${{inputs.RUNS_ON}}-${{inputs.BINARY}} if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-wait-block-main.yml b/.github/workflows/reusable-wait-block-main.yml index 0160b7daa6..a76ee55dc4 100644 --- a/.github/workflows/reusable-wait-block-main.yml +++ b/.github/workflows/reusable-wait-block-main.yml @@ -31,6 +31,9 @@ jobs: wait-block-override: if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions" diff --git a/.github/workflows/reusable-wait-block-target.yml b/.github/workflows/reusable-wait-block-target.yml index ec7a9612f3..f0cc97348d 100644 --- a/.github/workflows/reusable-wait-block-target.yml +++ b/.github/workflows/reusable-wait-block-target.yml @@ -38,6 +38,9 @@ jobs: name: ${{inputs.TARGET_NAME}} (--global-wait-end) if: ${{!inputs.SKIP_JOB}} runs-on: ${{inputs.RUNS_ON}} + permissions: + contents: read + packages: write env: FORCE_COLOR: 1 EARTHLY_INSTALL_ID: "earthly-githubactions"