From e2fd2ec4cb311c76ef78f2a80e6ed2917df90b13 Mon Sep 17 00:00:00 2001 From: Eugen Halca Date: Thu, 23 Apr 2026 11:10:42 +0300 Subject: [PATCH 1/4] fix: WIF publish --- composite-actions/nodejs-lib/publish/action.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/composite-actions/nodejs-lib/publish/action.yaml b/composite-actions/nodejs-lib/publish/action.yaml index 2de7353d..8cedff3c 100644 --- a/composite-actions/nodejs-lib/publish/action.yaml +++ b/composite-actions/nodejs-lib/publish/action.yaml @@ -11,6 +11,11 @@ inputs: description: 'GitHub Token to create releases' required: true +permissions: + contents: write + id-token: write + pull-requests: write + runs: using: "composite" steps: From 22b0c50a771077f14e58e0099ebbfc13ad25003d Mon Sep 17 00:00:00 2001 From: Eugen Halca Date: Thu, 23 Apr 2026 11:26:37 +0300 Subject: [PATCH 2/4] fix: Job level permision --- .../nodejs-lib/publish/action.yaml | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/composite-actions/nodejs-lib/publish/action.yaml b/composite-actions/nodejs-lib/publish/action.yaml index 8cedff3c..df9c5240 100644 --- a/composite-actions/nodejs-lib/publish/action.yaml +++ b/composite-actions/nodejs-lib/publish/action.yaml @@ -1,20 +1,15 @@ -name: 'Publish Library' -description: 'Publishes library to Artifact Registry' +name: "Publish Library" +description: "Publishes library to Artifact Registry" inputs: - SECRET_AUTH: - description: 'GCP Service Account Key with access to Secret Manager and SonarCloud' - required: true - GCLOUD_AUTH_PROD: - description: 'GCP Service Account Key with access to Artifact Registry' - required: true - GITHUB_TOKEN: - description: 'GitHub Token to create releases' - required: true - -permissions: - contents: write - id-token: write - pull-requests: write + SECRET_AUTH: + description: "GCP Service Account Key with access to Secret Manager and SonarCloud" + required: true + GCLOUD_AUTH_PROD: + description: "GCP Service Account Key with access to Artifact Registry" + required: true + GITHUB_TOKEN: + description: "GitHub Token to create releases" + required: true runs: using: "composite" @@ -50,7 +45,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 with: service-account-key: ${{ inputs.SECRET_AUTH }} - export-default-credentials: 'true' + export-default-credentials: "true" - name: Install dependencies shell: bash @@ -78,7 +73,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 with: service-account-key: ${{ inputs.GCLOUD_AUTH_PROD }} - export-default-credentials: 'true' + export-default-credentials: "true" - name: Write .npmrc shell: bash @@ -88,4 +83,8 @@ runs: env: GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} shell: bash - run: npm run auth --if-present && NPM_TOKEN=$(gcloud auth print-access-token) npx semantic-release \ No newline at end of file + permissions: + contents: write + id-token: write + pull-requests: write + run: npm run auth --if-present && NPM_TOKEN=$(gcloud auth print-access-token) npx semantic-release From 1883ea9f6252d6b87d22b485b926cc5ac3dc9ab5 Mon Sep 17 00:00:00 2001 From: Eugen Halca Date: Thu, 23 Apr 2026 16:34:42 +0300 Subject: [PATCH 3/4] fix: Formatting revert --- .../nodejs-lib/publish/action.yaml | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/composite-actions/nodejs-lib/publish/action.yaml b/composite-actions/nodejs-lib/publish/action.yaml index df9c5240..b4886abe 100644 --- a/composite-actions/nodejs-lib/publish/action.yaml +++ b/composite-actions/nodejs-lib/publish/action.yaml @@ -1,15 +1,16 @@ -name: "Publish Library" -description: "Publishes library to Artifact Registry" +name: 'Publish Library' +description: 'Publishes library to Artifact Registry' inputs: - SECRET_AUTH: - description: "GCP Service Account Key with access to Secret Manager and SonarCloud" - required: true - GCLOUD_AUTH_PROD: - description: "GCP Service Account Key with access to Artifact Registry" - required: true - GITHUB_TOKEN: - description: "GitHub Token to create releases" - required: true + SECRET_AUTH: + description: 'GCP Service Account Key with access to Secret Manager and SonarCloud' + required: true + GCLOUD_AUTH_PROD: + description: 'GCP Service Account Key with access to Artifact Registry' + required: true + GITHUB_TOKEN: + description: 'GitHub Token to create releases' + required: true + runs: using: "composite" @@ -45,7 +46,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 with: service-account-key: ${{ inputs.SECRET_AUTH }} - export-default-credentials: "true" + export-default-credentials: 'true' - name: Install dependencies shell: bash @@ -73,7 +74,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 with: service-account-key: ${{ inputs.GCLOUD_AUTH_PROD }} - export-default-credentials: "true" + export-default-credentials: 'true' - name: Write .npmrc shell: bash @@ -84,7 +85,7 @@ runs: GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} shell: bash permissions: - contents: write + contents: write id-token: write pull-requests: write - run: npm run auth --if-present && NPM_TOKEN=$(gcloud auth print-access-token) npx semantic-release + run: npm run auth --if-present && NPM_TOKEN=$(gcloud auth print-access-token) npx semantic-release \ No newline at end of file From 752784358267d7d8f7ed8d350e50f2ab18b01e73 Mon Sep 17 00:00:00 2001 From: Eugen Halca Date: Thu, 23 Apr 2026 16:46:44 +0300 Subject: [PATCH 4/4] fix: Perm level --- composite-actions/nodejs-lib/publish/action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/composite-actions/nodejs-lib/publish/action.yaml b/composite-actions/nodejs-lib/publish/action.yaml index b4886abe..76f7c7d6 100644 --- a/composite-actions/nodejs-lib/publish/action.yaml +++ b/composite-actions/nodejs-lib/publish/action.yaml @@ -11,6 +11,10 @@ inputs: description: 'GitHub Token to create releases' required: true +permissions: + contents: write + id-token: write + pull-requests: write runs: using: "composite" @@ -84,8 +88,4 @@ runs: env: GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} shell: bash - permissions: - contents: write - id-token: write - pull-requests: write run: npm run auth --if-present && NPM_TOKEN=$(gcloud auth print-access-token) npx semantic-release \ No newline at end of file