Add workflow file for publishing releases to immutable action package by Jcambass · Pull Request #485 · actions/github-script
Merged
Conversation
This workflow file publishes new action releases to the immutable action package of the same name as this repo.
This is part of the Immutable Actions project which is not yet fully released to the public. First party actions like this one are part of our initial testing of this feature.
This workflow file publishes new action releases to the immutable action package of the same name as this repo. This is part of the Immutable Actions project which is not yet fully released to the public. First party actions like this one are part of our initial testing of this feature.
Hello from actions/github-script! (4c33e81)
Comment on lines +20 to +22
| uses: actions/publish-immutable-action@0.0.1 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could update this action to default ot using the GITHUB_TOKEN
| github-token: | |
| description: The GitHub token used to create an authenticated client | |
| default: ${{ github.token }} | |
| required: false |
|
|
||
| on: | ||
| release: | ||
| types: [created] |
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| id-token: write |
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is an OIDC token needed?
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's required for generating the attestation - it uses the id-token to prove the identity and request a Sigstore signing cert. See also: https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage
The id-token permission gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate. The attestations permission is necessary to persist the attestation.
(we don't persist the attestation with GitHub's API so we don't need that second one)
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments are not blocking
Will follow-up on the review comments in a separate PR across multiple repositories.