Skip to content

fix: permissions to write dependency graph from build #12

fix: permissions to write dependency graph from build

fix: permissions to write dependency graph from build #12

Workflow file for this run

name: Push
on:
push:
branches: [master, main, beta]
paths-ignore:
- README.md
- ./*.md
env:
CI: "true"
GRADLE_OPTS: -Dorg.gradle.jvmargs="-XX:+UseParallelGC -Xmx3g -XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M"
GRADLE_CACHE_LOCAL: true
GRADLE_CACHE_REMOTE: true
GRADLE_CACHE_PUSH: true
GRADLE_CACHE_USERNAME: apikey
GRADLE_CACHE_PASSWORD: ${{ secrets.BUILDLESS_APIKEY }}
CACHE_ENDPOINT: ${{ vars.CACHE_ENDPOINT_GRADLE }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
TEST_EXCEPTIONS: true
jobs:
build:
name: "Build (${{ matrix.label }})"
permissions:
actions: "read"
contents: "write"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
strategy:
fail-fast: false
matrix:
runner: [macOS-latest, windows-latest, ubuntu-latest]
include:
- runner: macOS-latest
flags: "--no-configuration-cache"
os: "macos"
label: "Darwin"
experimental: false
coverage: true
gvm: ${{ vars.GVM_VERSION }}
java: ${{ vars.JVM_VERSION }}
provenance: false
- runner: windows-latest-8-cores
flags: "--no-configuration-cache"
os: "windows"
label: "Windows"
experimental: false
coverage: true
gvm: ${{ vars.GVM_VERSION }}
java: ${{ vars.JVM_VERSION }}
provenance: false
- runner: ubuntu-latest-4-cores
flags: "--no-configuration-cache -PsonarScan=true"
os: "linux"
label: "Linux"
experimental: false
coverage: true
gvm: ${{ vars.GVM_VERSION }}
java: ${{ vars.JVM_VERSION }}
provenance: true
uses: ./.github/workflows/step.build.yml
secrets: inherit
with:
runner: ${{ matrix.runner }}
os: ${{ matrix.os }}
label: ${{ matrix.label }}
flags: ${{ matrix.flags }}
experimental: ${{ matrix.experimental }}
java: ${{ matrix.java }}
coverage: true
provenance: ${{ matrix.provenance }}
codeql:
name: "Analysis: CodeQL"
needs: ["build"]
uses: ./.github/workflows/codeql.ci.yml
secrets: inherit
with: {}
permissions:
actions: read
contents: read
security-events: write
qodana:
name: "Analysis: Qodana"
needs: ["build"]
uses: ./.github/workflows/qodana.ci.yml
with: {}
secrets: inherit
permissions:
actions: read
contents: read
security-events: write
publish-sandbox:
permissions:
actions: "read"
contents: "write"
id-token: "write"
checks: "write"
pull-requests: "write"
packages: "write"
name: "Publish: Sandbox"
needs: ["build", "codeql", "qodana"]
uses: ./.github/workflows/step.publish.yml
secrets:
GOOGLE_CREDENTIALS: ${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
with:
version: "1.0-SNAPSHOT"
repository: "gcs://elide-snapshots/repository/v3"
logLevel: "info"
snapshot: true
release: false
signing: true
gcs: true
environment: sandbox
label: "Elide Sandbox"