search

hyperledger / aries-cloudagent-python

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://wiki.hyperledger.org/display/aries
Apache License 2.0
405 stars 510 forks source link

Update CI with explicit permissions for publishing images #3165

Closed gmulhearn closed 1 month ago

gmulhearn commented 1 month ago

Hi, after encountering a recent issue in VCX's CI with image publishing permissions, i checked acapy as well..

I believe something changed in the hyperledger organisation settings last week where the GITHUB_TOKEN default permissions dropped to read-only. As a result, our image-publishing jobs started getting denied..

e.g. it looks like nightly publishes of acapy have failed or skipped for the past week or so: https://github.com/hyperledger/aries-cloudagent-python/actions/workflows/nigthly.yml

last successful run: https://github.com/hyperledger/aries-cloudagent-python/actions/runs/10275685048 image

runs now: https://github.com/hyperledger/aries-cloudagent-python/actions/runs/10396422027/job/28790543901 image

(compare the github_token permissions)

For VCX, the fix appeared to be adding explicit permissions to the affected jobs:

    permissions:
      contents: read
      packages: write

Related fix in VCX: https://github.com/hyperledger/aries-vcx/pull/1283

swcurran commented 1 month ago

Thanks — this was top of the agenda today. @jamshale could you take a look?

I had a similar (but perhaps unrelated) experience with another repo that required adding this.

jamshale commented 1 month ago

That sounds like the same issue. I had thought the token might have expired, but this would make sense.