From 3410d6fb1823704ef9e42019725ea5ff64b17a7f Mon Sep 17 00:00:00 2001
From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Date: Thu, 28 May 2026 12:15:09 +0200
Subject: [PATCH 1/2] ci: migrate publish_release to use github.token instead of PROMBOT_GITHUB_TOKEN

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f40369c..7144143 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,6 +61,8 @@ jobs:
 publish_release:
 name: Publish release artefacts
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 needs: [test_go, build]
 if: |
 (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
@@ -74,4 +76,4 @@ jobs:
 docker_hub_password: ${{ secrets.docker_hub_password }}
 quay_io_login: ${{ secrets.quay_io_login }}
 quay_io_password: ${{ secrets.quay_io_password }}
- github_token: ${{ secrets.PROMBOT_GITHUB_TOKEN }}
+ github_token: ${{ github.token }}
From fba2b104f90f74f1087dd8e934ba54442904b8f1 Mon Sep 17 00:00:00 2001
From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Date: Fri, 29 May 2026 17:35:56 +0200
Subject: [PATCH 2/2] ci: bump promci to v0.8.2, push to GHCR, drop redundant checkouts

- Bump promci build/publish_main/publish_release to v0.8.2 (SHA-pinned)
- promci v0.8.2 performs its own checkout, so remove the preceding actions/checkout steps from build, publish_main, and publish_release
- Add packages: write permission to publish_main and publish_release
- Add ghcr_io_password: ${{ github.token }} to publish_main and publish_release to enable GHCR image pushes

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 .github/workflows/ci.yml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
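Review bot: The `permissions:` block added to `publish_release` in the first patch's `@@ -61,6 +61,8 @@` hunk has no comment saying which step needs `contents: write`, so a later reader cannot tell whether the scope could be narrowed. A job-level block also sets every scope it does not list to none for this job, which is worth recording because the job's steps continue outside the hunk and may rely on a scope that is now dropped. I would add above it `# contents: write is for the release upload done with github.token; unlisted scopes are none` (the stated purpose is presumed from the job name and should be confirmed against the action).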
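Review bot: Switching the `github_token:` input from `secrets.PROMBOT_GITHUB_TOKEN` to `github.token` in the `@@ -74,4 +76,4 @@` hunk changes which identity creates the release: events produced with the workflow's own token do not start new workflow runs, so any workflow that listens for `release` events on this repository would stop firing. Nothing in the hunk shows whether such a listener exists, so that needs checking before merge. Once no workflow references `PROMBOT_GITHUB_TOKEN`, the secret should be removed from the repository or organisation settings and the underlying token revoked, so the long-lived credential does not stay valid unused. The `with:` block this line belongs to starts above the hunk.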
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7144143..076f37d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,10 +32,7 @@ jobs:
 matrix:
 thread: [ 0, 1, 2, 3 ]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: prometheus/promci/build@769ee18070cd21cfc2a24fa912349fd3e48dee58 # v0.6.0
+ - uses: prometheus/promci/build@d9d4f5688814f0b77bf003d07fb8c00507390634 # v0.8.2
 with:
 parallelism: 4
 thread: ${{ matrix.thread }}
@@ -44,17 +41,17 @@ jobs:
 # https://github.com/prometheus/promci/blob/52c7012f5f0070d7281b8db4a119e21341d43c91/actions/publish_main/action.yml
 name: Publish main branch artifacts
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
 needs: [test_go, build]
 if: |
 (github.event_name == 'push' && github.event.ref == 'refs/heads/main')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: prometheus/promci/publish_main@769ee18070cd21cfc2a24fa912349fd3e48dee58 # v0.6.0
+ - uses: prometheus/promci/publish_main@d9d4f5688814f0b77bf003d07fb8c00507390634 # v0.8.2
 with:
 docker_hub_login: ${{ secrets.docker_hub_login }}
 docker_hub_password: ${{ secrets.docker_hub_password }}
+ ghcr_io_password: ${{ github.token }}
 quay_io_login: ${{ secrets.quay_io_login }}
 quay_io_password: ${{ secrets.quay_io_password }}
 
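Review bot: The removed `actions/checkout` step in the `build` hunk set `persist-credentials: false`, and nothing on the new side shows that the checkout promci v0.8.2 performs internally does the same. If it does not, the job token remains persisted for git operations in every later step of the action, which matters most in `publish_release`, where the token holds `contents: write` and `packages: write`. Confirm this in the action definitions at `d9d4f5688814f0b77bf003d07fb8c00507390634` before relying on them; the same applies to the `publish_main` and `publish_release` hunks. It is also worth checking that this SHA is the commit the `v0.8.2` tag points to, since nothing verifies the trailing version comment.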
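Review bot: The `permissions:` block added to `publish_main` lists only `packages: write`, which sets `contents` to none for this job even though the checkout now happens inside promci. A public repository can usually still be fetched that way, but a private fork or mirror would likely fail at checkout, so I would list the read scope explicitly: `contents: read` next to `packages: write`. The comment link at the top of the hunk points at promci commit `52c7012f5f0070d7281b8db4a119e21341d43c91`, not the SHA pinned by this change, so it does not document the action definition that actually runs.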
@@ -63,17 +60,16 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ packages: write
 needs: [test_go, build]
 if: |
 (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: prometheus/promci/publish_release@769ee18070cd21cfc2a24fa912349fd3e48dee58 # v0.6.0
+ - uses: prometheus/promci/publish_release@d9d4f5688814f0b77bf003d07fb8c00507390634 # v0.8.2
 with:
 docker_hub_login: ${{ secrets.docker_hub_login }}
 docker_hub_password: ${{ secrets.docker_hub_password }}
+ ghcr_io_password: ${{ github.token }}
 quay_io_login: ${{ secrets.quay_io_login }}
 quay_io_password: ${{ secrets.quay_io_password }}
 github_token: ${{ github.token }}
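Review bot: With `packages: write` added beside `contents: write`, the only gate on `publish_release` visible in this hunk is the `if:` on a pushed `refs/tags/v*` ref, so the protection on who may create such tags is what protects both the release assets and the GHCR images. I would pair this change with a tag ruleset restricting `v*` tag creation, or attach the job to a protected environment with required reviewers, and add a one-line comment per scope in the `permissions:` block so the grants stay auditable. `ghcr_io_password` is also passed without an accompanying login input, unlike the Docker Hub and Quay pairs around it; presumably promci derives the GHCR user itself, but that is not visible here and should be confirmed.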