Commit 51bae95
committed
Fix publish-docker permissions; harden release-bump no-op detection
The first attempt at v0.1.0 failed at workflow startup because
publish-docker.yml declared `contents: read` and `attestations: write`
at the workflow level — permissions that the calling job
(custom-publish-docker in release.yml, generated by cargo-dist) doesn't
grant. GitHub rejects reusable workflows that try to widen permissions
beyond what the caller grants.
Trim publish-docker.yml's top-level permissions to just `packages: write`
and `id-token: write`, matching what cargo-dist gives the custom job.
We never call actions/attest in this workflow (the SLSA attestations are
already attached upstream by the build-local-artifacts job), so dropping
`attestations: write` doesn't cost us anything. `contents: read` is
inherited from the caller's workflow-level `contents: write`.
Also harden `release-bump`: if Cargo.toml is already at the requested
version (true for the first release where the scaffold lands at the
intended version), exit cleanly with a hint pointing at release-tag-main,
instead of creating an empty branch and a doomed PR. Triggered by the
exact path we hit on the first v0.1.0 attempt.1 parent b54c312 commit 51bae95
2 files changed
Lines changed: 10 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
19 | 24 | | |
20 | | - | |
21 | 25 | | |
22 | 26 | | |
23 | | - | |
24 | 27 | | |
25 | 28 | | |
26 | 29 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
70 | 75 | | |
71 | 76 | | |
72 | 77 | | |
| |||
0 commit comments