ci: refactor Docker setup to use GitHub token instead of CR_PAT

- Removed `CR_PAT` as a required input in Docker setup steps and replaced it with Github token for logging into the GitHub Container Registry. - Added explicit permissions for GitHub token in Docker publish actions specifying 'read' for 'contents' and 'write' for 'packages'. - Removed `CR_PAT` from the secrets list in Docker publish actions. - Updated comment about managing Github Actions access in the container settings for GitHub Container Registry login step. Signed-off-by: 陳鈞 <[email protected]>
jim60105 · May 4, 2024 · 0277c27 · 0277c27
1 parent 8df0d59
commit 0277c27
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/.github/workflows/docker-reused-setup-steps/action.yml b/.github/workflows/docker-reused-setup-steps/action.yml
@@ -11,8 +11,6 @@ inputs:
     required: true
   QUAY_TOKEN:
     required: true
-  CR_PAT:
-    required: true
   tag:
     required: true
 
@@ -55,14 +53,13 @@ runs:
         username: ${{ inputs.DOCKERHUB_USERNAME }}
         password: ${{ inputs.DOCKERHUB_TOKEN }}
 
-    # Create a Access Token with `read:packages` and `write:packages` scopes
-    # CR_PAT
+    # You may need to manage write and read access of GitHub Actions for repositories in the container settings.
     - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
-        password: ${{ inputs.CR_PAT }}
+        password: ${{ github.token }}
 
     - name: Login to Quay Container Registry
       uses: docker/login-action@v3

diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -7,6 +7,11 @@ on:
 
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   docker-alpine:
     runs-on: ubuntu-latest
@@ -23,7 +28,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: alpine
 
       - name: Build and push
@@ -53,7 +57,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: ubi
 
       - name: Build and push
@@ -83,7 +86,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: distroless
 
       - name: Build and push

diff --git a/.github/workflows/docker_publish_latest.yml b/.github/workflows/docker_publish_latest.yml
@@ -9,6 +9,11 @@ on:
 
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   docker-latest:
     runs-on: ubuntu-latest
@@ -25,7 +30,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: latest
 
       - name: Build and push