fix: permissions on steps is not a thing (#4134)

* fix: permissions on steps is not a thing Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> * add comment in the values about the conversion Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --------- Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-12-14 11:57:59 +00:00 · 2024-11-20 20:58:44 +01:00 · 2024-11-20 20:58:44 +01:00 · 1ae44e4167
commit 1ae44e4167
parent f68c0a96ad
3 changed files with 6 additions and 11 deletions
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@ -69,7 +69,10 @@ jobs:

  release:
    permissions:
-      contents: read
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      packages: write  # to push OCI chart package to GitHub Registry
+      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
+      attestations: write # this permission is necessary to persist the attestation
    runs-on: ubuntu-latest
    if: |
      github.ref == 'refs/heads/main' ||
@ -96,9 +99,6 @@ jobs:
          echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
          echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
      - name: Run chart-releaser
-        permissions:
-          contents: write  # for helm/chart-releaser-action to push chart release and create a release
-          packages: write  # to push OCI chart package to GitHub Registry
        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
        env:
          CR_KEY: external-secrets <external-secrets@external-secrets.io>
@ -130,9 +130,6 @@ jobs:
          cosign-release: 'v2.4.1'

      - name: Push chart to GHCR
-        permissions:
-          id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
-          attestations: write # this permission is necessary to persist the attestation
        id: push_chart
        run: |
          shopt -s nullglob
@ -160,9 +157,6 @@ jobs:
          done

      - name: Generate provenance attestation and push to OCI registry
-        permissions:
-          attestation: write
-          packages: write
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          push-to-registry: true
--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@ -87,7 +87,7 @@ The command removes all the Kubernetes components associated with the chart and
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
 | crds.annotations | object | `{}` |  |
-| crds.conversion.enabled | bool | `true` |  |
+| crds.conversion.enabled | bool | `true` | If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
 | crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
 | crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
 | crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
--- a/deploy/charts/external-secrets/values.yaml
+++ b/deploy/charts/external-secrets/values.yaml
@ -43,6 +43,7 @@ crds:
  createPushSecret: true
  annotations: {}
  conversion:
+    # -- If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
    enabled: true

 imagePullSecrets: []