fix: upgraded build and push yaml (MAPCO-9842)#69
Pull request overview
Updates the tag-triggered GitHub Actions workflow to use MapColonies “shared-workflows” composite actions and to parameterize registry/token values via secrets, supporting a more reusable and centrally maintained release pipeline.
Changes:
- Switch from repo-specific actions to `MapColonies/shared-workflows/actions/*` equivalents for login, build/push, and artifacts update.
- Replace hard-coded ACR registry URL with `${{ secrets.ACR_URL }}` and adjust action inputs (e.g., `context`, `artifact_name`, `artifact_tag`, `type`).
- Configure checkout and artifacts update steps to use `${{ secrets.GH_PAT }}`.
| artifact_tag: ${{ github.ref_name }} | ||
| type: helm | ||
| registry: ${{ secrets.ACR_URL }} | ||
| github_token: ${{ secrets.GH_PAT }} |
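Review bot: `registry: ${{ secrets.ACR_URL }}` stores a registry hostname as a secret, and GitHub masks secret values in job logs, so any build or push output that echoes the registry URL will be redacted and harder to debug. Since the URL itself is not sensitive, consider a repository or organization configuration variable (`${{ vars.ACR_URL }}`) for it and keep secrets for credentials only, such as the `github_token` input below it.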
github_token is set to a PAT (secrets.GH_PAT). If the action only needs repo-scoped access, use GITHUB_TOKEN so access is constrained by the workflow permissions and can’t exceed what the job declares.
| github_token: ${{ secrets.GH_PAT }} | |
| github_token: ${{ github.token }} |
| uses: MapColonies/shared-workflows/actions/artifactory-login@artifactory-login-v1.0.0 | ||
| with: |
This action is referenced by a movable tag. To reduce supply-chain risk, consider pinning to an immutable commit SHA (or another immutability mechanism your org uses) instead of a tag name.
| uses: MapColonies/shared-workflows/actions/build-and-push-helm@build-and-push-helm-v1.0.1 | ||
| with: |
This action is referenced by a movable tag. To reduce supply-chain risk, consider pinning to an immutable commit SHA (or another immutability mechanism your org uses) instead of a tag name.
| uses: MapColonies/shared-workflows/actions/update-artifacts-file@update-artifacts-file-v1.1.1 | ||
| with: |
This action is referenced by a movable tag. To reduce supply-chain risk, consider pinning to an immutable commit SHA (or another immutability mechanism your org uses) instead of a tag name.
| with: | ||
| token: ${{ secrets.GH_PAT }} |
actions/checkout is configured to use a long-lived PAT (secrets.GH_PAT). If a PAT isn’t strictly required here, prefer the built-in GITHUB_TOKEN (or omit with.token) so the workflow token stays least-privileged and scoped by the workflow permissions block. If a PAT is required, consider documenting why and ensuring it’s minimally scoped (e.g., contents only).
| with: | |
| token: ${{ secrets.GH_PAT }} |