Add workflow file for publishing releases to immutable action package #485
Conversation
This workflow file publishes new action releases to the immutable action package of the same name as this repo. This is part of the Immutable Actions project which is not yet fully released to the public. First party actions like this one are part of our initial testing of this feature.
Jcambass
temporarily deployed
to
debug-integration-test
GitHub Actions
Inactive
|
Hello from actions/github-script! (4c33e81) |
| uses: actions/publish-immutable-action@0.0.1 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
We could update this action to default ot using the GITHUB_TOKEN
Lines 11 to 14 in 35b1cdd
|
|
||
| on: | ||
| release: | ||
| types: [created] |
There was a problem hiding this comment.
Should we use release published instead of created?
https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=published#release
Users may create a draft release and not want others to depend on it yet.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| id-token: write |
There was a problem hiding this comment.
Why is an OIDC token needed?
There was a problem hiding this comment.
It's required for generating the attestation - it uses the id-token to prove the identity and request a Sigstore signing cert. See also: https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage
The id-token permission gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate. The attestations permission is necessary to persist the attestation.
(we don't persist the attestation with GitHub's API so we don't need that second one)
|
Will follow-up on the review comments in a separate PR across multiple repositories. |
This workflow file publishes new action releases to the immutable action package of the same name as this repo.
This is part of the Immutable Actions project which is not yet fully released to the public. First party actions like this one are part of our initial testing of this feature.