Skip to content

github-action: use ephemeral tokens with the required permissions (#431) #134

github-action: use ephemeral tokens with the required permissions (#431)

github-action: use ephemeral tokens with the required permissions (#431) #134

Workflow file for this run

name: release-main
on:
push:
branches: [ "main" ]
permissions:
contents: read
env:
DOTNET_VERSION: '6.0.400'
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
packages: write
steps:
- uses: actions/checkout@v4
- name: Bootstrap Action Workspace
uses: ./.github/workflows/bootstrap
- name: Generate local nuget packages
run: ./build.sh generatepackages -s true
- name: Validate *.npkg files that were created
run: ./build.sh validatepackages -s true
- name: Inspect public API change
run: ./build.sh generateapichanges -s true
- name: generate build provenance
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-path: "${{ github.workspace }}/build/output/*.nupkg"
- name: Release to feedz.io
run: dotnet nuget push 'build/output/*.nupkg' -k ${{ secrets.FEEDZ_IO_API_KEY }} -s ${{ secrets.FEEDZ_IO_API_URL }} --skip-duplicate --no-symbols
- name: publish canary packages github package repository
shell: bash
timeout-minutes: 10
continue-on-error: true
run: |
until dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols -s https://nuget.pkg.github.com/elastic/index.json; do echo "Retrying"; sleep 1; done;
- name: Store artifacts
if: success()
uses: actions/upload-artifact@v4
with:
name: nupkg
path: build/output/*.nupkg
- if: ${{ failure() }}
uses: elastic/oblt-actions/slack/send@v1
with:
bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
channel-id: "#apm-agent-dotnet"
message: |
:large_yellow_circle: [${{ github.repository }}] Snapshot could not be published to feedz.io.
Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)