[release-v2.10] Permission fix for forks (#5041)

.github/workflows/build.yaml

@@ -13,17 +13,16 @@ jobs:
     container: registry.suse.com/bci/bci-base:latest
     permissions:
       contents: read
-      id-token: write    
+      id-token: write
     steps:
       - name: Install Dependencies
         continue-on-error: false
         env:
           GH_VERSION: 2.63.2
           YQ_VERSION: "v4.44.2"
         run: |
-          echo "installing docker jq git make go awk through zypper"
-          zypper --non-interactive install docker jq git make go awk
-
+          echo "installing docker, jq, git, make, go, awk and patch through zypper"
+          zypper --non-interactive install docker jq git make go awk patch
           echo "installing gh"
           mkdir -p /tmp/gh
           curl -fsL https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz | tar xvzf - --strip-components=1 -C /tmp/gh
@@ -41,23 +40,32 @@ jobs:
         uses: rancher-eio/read-vault-secrets@main
         with:
           secrets: |
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME;
-            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
+            secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
+            secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY ;
 
-      - name: actions/checkout@v4
-        continue-on-error: false
+      - name: Create App Token
+        continue-on-error: true
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ env.APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+
+      - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Git Checkout PR and into new branch
         continue-on-error: false
-        env:
-            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo  "git global configuration"
+          echo "git global configuration"
           git config --global --add safe.directory "$PWD"
           echo $PATH >> $GITHUB_PATH
+          echo "fetch the pull request"
+          git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }}
           echo "checkout the PR"
-          gh pr checkout ${{ github.event.pull_request.number }}
+          git checkout pr-${{ github.event.pull_request.number }}
           echo "checkout into a new branch for safety"
           git checkout -b staging-pr-workflow
 
@@ -72,7 +80,9 @@ jobs:
       - name: Release PR Validation Chekpoints
         continue-on-error: false
         if: contains(github.base_ref, 'release-v')
-        run: make validate-release-charts BRANCH=${{ github.event.pull_request.base.ref }} GH_TOKEN=${{ secrets.GITHUB_TOKEN }} PR_NUMBER=${{ github.event.pull_request.number }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: make validate-release-charts BRANCH=${{ github.event.pull_request.base.ref }} GH_TOKEN=${{ env.GH_TOKEN }} PR_NUMBER=${{ github.event.pull_request.number }}
 
       - name: Validate index.yaml Vs assets/ dir
         continue-on-error: false
@@ -97,3 +107,7 @@ jobs:
         continue-on-error: false
         if: contains(github.base_ref, 'release-v')
         run: make check-rc
+
+      - name: Run Hull tests
+        if: contains(github.base_ref, 'dev-v')
+        run: cd tests && go test -v ./...

release.yaml

@@ -1,10 +1 @@
-neuvector:
-  - 105.0.1+up2.8.4
-neuvector-crd:
-  - 105.0.1+up2.8.4
-neuvector-monitor:
-  - 105.0.1+up2.8.4
-rancher-logging:
-  - 105.2.0+up4.10.0
-rancher-logging-crd:
-  - 105.2.0+up4.10.0
+