From 36003b8318e3736d4e791c4ee6b7f4afebd5905b Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 11:33:09 -0400
Subject: [PATCH 1/9] fix: Build image workflow
---
 .github/workflows/build-image.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index a4fd62b0f..e7a412f82 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -2,6 +2,10 @@ name: Publish container image
 on:
 workflow_dispatch:
+ push:
+ paths:
+ - .github/workflows/build-image.yaml
+ - Dockerfile*
 release:
 types:
 - created
@@ -51,9 +55,9 @@ jobs:
 type=ref,event=branch
 type=ref,event=pr
 type=sha
- type=raw,value=latest,enable={{is_default_branch}}
- type=raw,value={{github.ref_name}},enable={{github.ref_type == 'tag'}}
- type=raw,value=nightly,enable={{github.event_name == 'schedule'}}
+ type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+ type=raw,value=${{ github.ref_name }},enable=${{ github.ref_type == 'tag' }}
+ type=raw,value=nightly,enable=${{ github.event_name == 'schedule' }}
 - name: Build and Push release
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
From c0e85b7186ae190ce3417cd6b4ecc7727674e03c Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:01:49 -0400
Subject: [PATCH 2/9] fix: Relocate permissions block?
---
 .github/workflows/build-image.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index e7a412f82..7169fd792 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
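Review bot: The new `push:` trigger carries a `paths:` filter but no `branches:` filter, so a push to any branch that touches `Dockerfile*` or this workflow runs the publishing job with `packages: write`, and the `type=ref,event=branch` / `type=sha` tags in the second hunk then push a branch-named image to GHCR. If only the default branch is meant to publish, add `branches: [main]` under `push:` (or gate the build-and-push step with an `if:` on `github.ref`). Note also that `paths:` only matches a root-level `Dockerfile*`, so edits to files copied into the build context will not retrigger a build; that may be intended but deserves a one-line comment. The `on:` block continues beyond the hunk.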
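Review bot: `{{is_default_branch}}` is docker/metadata-action's own template syntax and was already valid, so replacing it with `${{ github.ref == 'refs/heads/main' }}` hard-codes the branch name and silently stops tagging `latest` if the default branch is ever renamed. Unless that template was observed failing, keep `type=raw,value=latest,enable={{is_default_branch}}` and change only the two lines that used the unsupported `{{github.*}}` templates. The `tags:` block scalar starts before the hunk.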
@@ -12,17 +12,15 @@ on:
 schedule:
 - cron: 00 00 * * 0
-permissions:
- contents: read
- # for docker/build-push-action to publish docker image
- packages: write
-
 env:
 REGISTRY: ghcr.io
 jobs:
 docker:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
 include:
From a6d1043f0a1130e0433888324eed395117558e96 Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:27:20 -0400
Subject: [PATCH 3/9] chore: Add a test to workflow to check things
---
 .github/workflows/build-image.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 7169fd792..05484dccb 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -16,6 +16,30 @@ env:
 REGISTRY: ghcr.io
 jobs:
+
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Verify GHCR token permissions
+ run: |
+ echo "Checking GHCR permissions for ${{ env.REGISTRY }}/${{ matrix.image_name }}"
+ response=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+ "https://${{ env.REGISTRY }}/v2/${{ matrix.image_name }}/tags/list")
+ if [ "$response" = "200" ]; then
+ echo "Token has access to list tags for ${{ matrix.image_name }}."
+ else
+ echo "Token does NOT have access to list tags for ${{ matrix.image_name }}. HTTP status: $response"
+ exit 1
+ fi
+
+ - name: Echo GITHUB_TOKEN x-oauth-scopes header
+ run: |
+ echo "Checking x-oauth-scopes header for GITHUB_TOKEN..."
+ curl -sS -I -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com | grep -i x-oauth-scopes || echo "No x-oauth-scopes header found."
+
 docker:
 runs-on: ubuntu-latest
 permissions:
From e8dc013c35e16e2f51d57438f7e51c2e8a2b7253 Mon Sep 17 00:00:00 2001
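Review bot: Dropping the workflow-level `permissions:` block means any job added later without its own block falls back to the repository's default `GITHUB_TOKEN` permissions, which on older repositories is read/write across every scope. Keep a minimal workflow-level default alongside the job-level grant, e.g. `permissions: {}` (or `permissions: contents: read` as before) at the top, so the job-level `packages: write` is the only elevation in the file. The `docker` job continues past the hunk.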
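Review bot: The `test` job only issues GET requests yet asks for `packages: write`; a probe should run with `packages: read` so it reflects the minimum the check needs instead of duplicating the publishing job's elevation. Separately, `${{ secrets.GITHUB_TOKEN }}` and `${{ matrix.image_name }}` are interpolated straight into the `run:` script; the idiomatic and safer form is an `env:` block on the step with `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `IMAGE: ${{ matrix.image_name }}`, referenced as `"$GHCR_TOKEN"` and `"$IMAGE"` in the shell, so no expression value is ever spliced into shell source. I am not certain ghcr.io's `/v2/.../tags/list` accepts the raw `GITHUB_TOKEN` as a Bearer credential without the `/token` exchange, so a 401 from this probe should be read as "wrong auth flow" before "wrong permissions". The `matrix` this job references is not defined in this hunk.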
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:29:20 -0400
Subject: [PATCH 4/9] fix: Debugging snippet needed the matrix
---
 .github/workflows/build-image.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 05484dccb..e95a10daa 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -22,6 +22,13 @@ jobs:
 permissions:
 contents: read
 packages: write
+ strategy:
+ matrix:
+ include:
+ - dockerfile: Dockerfile
+ image_name: ${{ github.repository }}
+ - dockerfile: Dockerfile.tools
+ image_name: ${{ github.repository }}-tools
 steps:
 - name: Verify GHCR token permissions
 run: |
@@ -36,6 +43,7 @@ jobs:
 fi
 - name: Echo GITHUB_TOKEN x-oauth-scopes header
+ if: always()
 run: |
 echo "Checking x-oauth-scopes header for GITHUB_TOKEN..."
 curl -sS -I -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com | grep -i x-oauth-scopes || echo "No x-oauth-scopes header found."
From df06249f190a6b6cb3fd8d48cd05af59a4d2a679 Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:41:30 -0400
Subject: [PATCH 5/9] fix: Output entire JSON from REST API
---
 .github/workflows/build-image.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index e95a10daa..ff8c94b99 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -23,6 +23,7 @@ jobs:
 contents: read
 packages: write
 strategy:
+ fail-fast: false
 matrix:
 include:
 - dockerfile: Dockerfile
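Review bot: `image_name: ${{ github.repository }}` keeps the owner's original casing, while GHCR package paths are lowercase, so the hand-built `/v2/${{ matrix.image_name }}/tags/list` URL in this job can be rejected for a repository with an upper-case owner (the author handle here is `ActuarySailor`) even when the token is fine; I believe docker/metadata-action lowercases image names for the `docker` job, so only this probe is affected. Lowercase it in the script before use, e.g. `image=$(printf '%s' "$IMAGE" | tr '[:upper:]' '[:lower:]')` with `IMAGE` supplied via `env:`. The job's `steps:` continue past the hunk.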
@@ -42,11 +43,11 @@ jobs:
 exit 1
 fi
- - name: Echo GITHUB_TOKEN x-oauth-scopes header
+ - name: Output GitHub API JSON with GITHUB_TOKEN
 if: always()
 run: |
- echo "Checking x-oauth-scopes header for GITHUB_TOKEN..."
- curl -sS -I -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com | grep -i x-oauth-scopes || echo "No x-oauth-scopes header found."
+ echo "Full JSON response from GitHub API using GITHUB_TOKEN:"
+ curl -sS -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com | jq . || cat
 docker:
 runs-on: ubuntu-latest
@@ -54,6 +55,7 @@ jobs:
 contents: read
 packages: write
 strategy:
+ fail-fast: false
 matrix:
 include:
 - dockerfile: Dockerfile
From c261711e846875c10ede73676ece4cb2273012c9 Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:46:45 -0400
Subject: [PATCH 6/9] fix: Still trying to debug
---
 .github/workflows/build-image.yaml | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index ff8c94b99..63411faa3 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -34,20 +34,32 @@ jobs:
 - name: Verify GHCR token permissions
 run: |
 echo "Checking GHCR permissions for ${{ env.REGISTRY }}/${{ matrix.image_name }}"
- response=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+ response=$(curl -s -w "\n%{http_code}" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
 "https://${{ env.REGISTRY }}/v2/${{ matrix.image_name }}/tags/list")
- if [ "$response" = "200" ]; then
+ body=$(echo "$response" | sed '$d')
+ status=$(echo "$response" | tail -n1)
+ if [ "$status" = "200" ]; then
 echo "Token has access to list tags for ${{ matrix.image_name }}."
 else
- echo "Token does NOT have access to list tags for ${{ matrix.image_name }}. HTTP status: $response"
+ echo "Token does NOT have access to list tags for ${{ matrix.image_name }}. HTTP status: $status"
+ echo "Response body:"
+ echo "$body" | jq . || echo "$body"
 exit 1
 fi
 - name: Output GitHub API JSON with GITHUB_TOKEN
 if: always()
 run: |
- echo "Full JSON response from GitHub API using GITHUB_TOKEN:"
- curl -sS -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com | jq . || cat
+ echo "Full JSON response from GitHub API /user endpoint using GITHUB_TOKEN:"
+ user_json=$(curl -sS -D headers.txt -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/user)
+ echo "$user_json" | jq . || cat
+ echo
+ echo "Response headers from /user endpoint as JSON:"
+ # Convert headers to JSON (simple key-value, not handling multi-line headers)
+ awk -F': ' 'NF==2{gsub(/\r/,"",$2); printf "\"%s\": \"%s\",\n", $1, $2}' headers.txt | \
+ sed '$ s/,$//' | \
+ awk 'BEGIN{print "{"} {print} END{print "}"}'
+ rm -f headers.txt
 docker:
 runs-on: ubuntu-latest
From 5f0e90fe408597313b136a5d38223cb8b7c02d8d Mon Sep 17 00:00:00 2001
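Review bot: `echo "$user_json" | jq . || cat` does not fall back to printing the raw body: when `jq` fails, `cat` reads the step's own stdin, which is empty on a runner, so the unparsed response is simply lost; use `|| printf '%s\n' "$user_json"`, which is what the GHCR branch of this same hunk already does with `|| echo "$body"`. The header-to-JSON `awk` also silently drops any header whose value contains `: ` (its `NF==2` guard fails) and emits invalid JSON when a value contains `"`; since this is a debugging step, `cat headers.txt` would be both simpler and lossless. The second step's `run:` script ends at `rm -f headers.txt` inside the hunk.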
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:52:26 -0400
Subject: [PATCH 7/9] fix: One last verification of the token
---
 .github/workflows/build-image.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 63411faa3..2b8a1f322 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -50,12 +50,12 @@ jobs:
 - name: Output GitHub API JSON with GITHUB_TOKEN
 if: always()
 run: |
- echo "Full JSON response from GitHub API /user endpoint using GITHUB_TOKEN:"
- user_json=$(curl -sS -D headers.txt -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/user)
- echo "$user_json" | jq . || cat
+ echo "Full JSON response from GitHub API /repos/:owner/:repo endpoint using GITHUB_TOKEN (should always work):"
+ repo_json=$(curl -sS -D headers.txt -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+ "https://api.github.com/repos/${{ github.repository }}")
+ echo "$repo_json" | jq . || cat
 echo
- echo "Response headers from /user endpoint as JSON:"
- # Convert headers to JSON (simple key-value, not handling multi-line headers)
+ echo "Response headers from /repos/:owner/:repo endpoint as JSON:"
 awk -F': ' 'NF==2{gsub(/\r/,"",$2); printf "\"%s\": \"%s\",\n", $1, $2}' headers.txt | \
 sed '$ s/,$//' | \
 awk 'BEGIN{print "{"} {print} END{print "}"}'
From cc7066120675558af9d0fc19767214647b4289a8 Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 12:58:42 -0400
Subject: [PATCH 8/9] fix: Test permissions
---
 .github/workflows/build-image.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 2b8a1f322..9e48d6237 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -22,6 +22,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ attestations: write
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
@@ -66,6 +68,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ attestations: write
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
From 0185e59b64f48a06df73121f2ca3dda02fa85f5e Mon Sep 17 00:00:00 2001
From: ActuarySailor <24359398+actuarysailor@users.noreply.github.com>
Date: Tue, 12 Aug 2025 13:56:44 -0400
Subject: [PATCH 9/9] fix: Restore workflow
---
 .github/workflows/build-image.yaml | 49 +----------------------------
 1 file changed, 1 insertion(+), 48 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 9e48d6237..355f9a07e 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
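Review bot: `attestations: write` and `id-token: write` are granted to both jobs, but no step in either hunk consumes them and no `actions/attest-*` or OIDC-consuming step is visible anywhere in this series; unless a step outside the hunks uses them, they are unused elevations and should be dropped. `id-token: write` is the one to be careful with: it lets every run of the job mint OIDC tokens for the repository, and because the `push:` trigger added in PATCH 1/9 has no `branches:` filter that includes runs from any pushed branch, so a cloud trust policy that checks only `repository` and not `ref` would accept them. If provenance attestation is the goal, add the attest step in the same commit as the permission so the grant is traceable to its consumer. Both `permissions:` blocks are complete within the hunk; the steps they apply to are not.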
@@ -10,59 +10,12 @@ on:
 types:
 - created
 schedule:
- - cron: 00 00 * * 0
+ - cron: 00 00 * * *
 env:
 REGISTRY: ghcr.io
 jobs:
-
- test:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- attestations: write
- id-token: write
- strategy:
- fail-fast: false
- matrix:
- include:
- - dockerfile: Dockerfile
- image_name: ${{ github.repository }}
- - dockerfile: Dockerfile.tools
- image_name: ${{ github.repository }}-tools
- steps:
- - name: Verify GHCR token permissions
- run: |
- echo "Checking GHCR permissions for ${{ env.REGISTRY }}/${{ matrix.image_name }}"
- response=$(curl -s -w "\n%{http_code}" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
- "https://${{ env.REGISTRY }}/v2/${{ matrix.image_name }}/tags/list")
- body=$(echo "$response" | sed '$d')
- status=$(echo "$response" | tail -n1)
- if [ "$status" = "200" ]; then
- echo "Token has access to list tags for ${{ matrix.image_name }}."
- else
- echo "Token does NOT have access to list tags for ${{ matrix.image_name }}. HTTP status: $status"
- echo "Response body:"
- echo "$body" | jq . || echo "$body"
- exit 1
- fi
-
- - name: Output GitHub API JSON with GITHUB_TOKEN
- if: always()
- run: |
- echo "Full JSON response from GitHub API /repos/:owner/:repo endpoint using GITHUB_TOKEN (should always work):"
- repo_json=$(curl -sS -D headers.txt -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- "https://api.github.com/repos/${{ github.repository }}")
- echo "$repo_json" | jq . || cat
- echo
- echo "Response headers from /repos/:owner/:repo endpoint as JSON:"
- awk -F': ' 'NF==2{gsub(/\r/,"",$2); printf "\"%s\": \"%s\",\n", $1, $2}' headers.txt | \
- sed '$ s/,$//' | \
- awk 'BEGIN{print "{"} {print} END{print "}"}'
- rm -f headers.txt
-
 docker:
 runs-on: ubuntu-latest
 permissions:
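Review bot: The subject says "Restore workflow", but `- cron: 00 00 * * *` is a new daily schedule rather than the weekly `00 00 * * 0` it replaces; it fits the `nightly` tag, but the change should be stated in the message or split into its own commit so a schedule change is not hidden inside a cleanup. While touching it, quote the expression as GitHub's own examples do, `- cron: "00 00 * * *"`, so the value no longer depends on how a loader treats a plain scalar full of `*`. Removing the debugging `test` job is right; the `attestations: write` and `id-token: write` grants that PATCH 8/9 added to the `docker` job sit just past the end of this hunk and should be removed in the same spirit unless a step consumes them. The `docker` job's `permissions:` block continues beyond the hunk.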