
feat: Add GitHub Actions workflow for publishing to Puppet Forge #774

Merged
maksimu merged 2 commits into release/integration/puppet/v1.0.0 from release/integration/puppet/v1.0.0-fixed
Jul 26, 2025

Conversation

Collaborator

@maksimu maksimu commented Jul 26, 2025

No description provided.

Comment on lines +79 to +141
    needs: generate-sbom
    environment: prod
    runs-on: ubuntu-latest
    timeout-minutes: 10

    defaults:
      run:
        working-directory: ./integration/keeper_secrets_manager_puppet

    steps:
      - name: Get the source code
        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2'
          bundler-cache: true
          working-directory: ./integration/keeper_secrets_manager_puppet

      - name: Install dependencies
        run: |
          bundle install

      - name: Retrieve secrets from KSM
        id: ksmsecrets
        # @master is an unpinned ref: the step runs whatever that branch currently holds
        uses: Keeper-Security/ksm-action@master
        with:
          keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }}
          # With no explicit destination, ksm-action exports the value as an environment variable
          secrets: |
            _gC1qMMHRcD6Fztyd692kw/field/password > PUPPET_FORGE_API_KEY

      - name: Run Puppet Lint
        run: |
          bundle exec puppet-lint \
            --no-140chars-check \
            --no-autoloader_layout-check \
            --no-documentation-check \
            --no-class_inherits_from_params_class-check \
            manifests/

      - name: Validate Puppet manifests
        run: |
          bundle exec puppet parser validate manifests/*.pp

      - name: Run metadata lint
        run: |
          bundle exec metadata-json-lint metadata.json

      - name: Run RSpec tests
        run: |
          bundle exec rake spec

      - name: Build module
        run: |
          bundle exec pdk build

      - name: Publish to Puppet Forge
        env:
          PDK_DISABLE_ANALYTICS: true
        run: |
          # Use PDK to publish with the API key fetched by the KSM step above.
          # The key lands in env.PUPPET_FORGE_API_KEY; secrets.PUPPET_FORGE_API_KEY would
          # read a repository secret of that name, which the KSM step does not create.
          bundle exec pdk release publish --forge-token=${{ env.PUPPET_FORGE_API_KEY }} --force

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 8 months ago)

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the provided workflow, it appears that the contents: read permission is sufficient for the GITHUB_TOKEN since the workflow primarily interacts with external tools and does not perform any write operations on the repository.

The permissions block can be added at the root level of the workflow to apply to all jobs or at the job level for more granular control. In this case, adding it at the root level is appropriate to ensure consistency across all jobs.


Suggested changeset 1
.github/workflows/publish.puppetforge.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish.puppetforge.yml b/.github/workflows/publish.puppetforge.yml
--- a/.github/workflows/publish.puppetforge.yml
+++ b/.github/workflows/publish.puppetforge.yml
@@ -4,2 +4,5 @@
 
+permissions:
+  contents: read
+
 jobs:
EOF
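Review bot: the root-level `permissions: contents: read` in this hunk is the right baseline for the publish job, which only checks out the repository and pushes to the Forge with a token fetched from KSM, but because it is placed at the root it also governs the `generate-sbom` job the publish job waits on (`needs: generate-sbom`). If that job writes anything through the GITHUB_TOKEN (for example submitting the SBOM to the dependency graph or attaching it to a release), it needs a job-level `permissions:` override, otherwise it starts failing as soon as this lands. Since the suggestion was not committed, the merged workflow should still be checked for a permissions block.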
Unable to commit as this autofix suggestion is now outdated
@maksimu maksimu merged commit 3454600 into release/integration/puppet/v1.0.0 Jul 26, 2025
10 checks passed
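A small checker for the two weaknesses visible in this PR, the missing `permissions` block that CodeQL flagged and the unpinned action refs (`@v3`, `@master`) in the workflow snippet, added here as an example; it is not part of the PR, the repository or CodeQL. It scans the workflow text by indentation rather than through a YAML library so it runs offline with the standard library only. The sample workflows are constructed, modelled on the snippet above; `publish-forge` is an assumed job name.

```python
import re

# A mapping key at the start of a stripped line, e.g. "permissions:" or "jobs:"
KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):(\s|$)")
# "uses: owner/repo@ref", with or without a leading list dash
USES_RE = re.compile(r"^(?:-\s*)?uses:\s*(\S+)")
# A fully pinned action ref is a 40-hex commit SHA
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Report GITHUB_TOKEN permission coverage and action pinning for one workflow.

    Indentation-based scan: keys at column 0 are root keys, the first indent
    level under `jobs:` holds job names, and the first indent level under a
    job name holds that job's own keys (where a job-level `permissions:` lives).
    """
    root_permissions = False
    in_jobs = False
    job_indent = None      # indent of job names under `jobs:`
    child_indent = None    # indent of keys inside the current job
    current_job = None
    job_has_perms = {}     # job name -> True if it declares its own permissions
    unpinned = []          # action refs not pinned to a commit SHA, in order seen

    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key_match = KEY_RE.match(stripped)
        key = key_match.group(1) if key_match else None

        uses = USES_RE.match(stripped)
        if uses and "@" in uses.group(1):
            ref = uses.group(1)
            if not SHA_RE.match(ref.rsplit("@", 1)[1]) and ref not in unpinned:
                unpinned.append(ref)

        if indent == 0:
            in_jobs = key == "jobs"
            root_permissions = root_permissions or key == "permissions"
            current_job = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent and key:
            current_job = key
            job_has_perms[current_job] = False
            child_indent = None
            continue
        if current_job is None:
            continue
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and key == "permissions":
            job_has_perms[current_job] = True

    # A root-level block covers every job; otherwise each job needs its own.
    jobs_without = [] if root_permissions else [j for j, ok in job_has_perms.items() if not ok]
    return {
        "root_permissions": root_permissions,
        "jobs_without_permissions": jobs_without,
        "unpinned_actions": unpinned,
    }


# Constructed sample modelled on the PR snippet; `publish-forge` is an assumed job name.
WEAK_WORKFLOW = """\
name: Publish to Puppet Forge
on:
  workflow_dispatch:

jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

  publish-forge:
    needs: generate-sbom
    environment: prod
    runs-on: ubuntu-latest
    steps:
      - name: Get the source code
        uses: actions/checkout@v3
      - name: Retrieve secrets from KSM
        uses: Keeper-Security/ksm-action@master
"""

# Same change as the CodeQL autofix: a root-level read-only block that applies to every job.
FIXED_WORKFLOW = WEAK_WORKFLOW.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)

# Per-job override instead: only generate-sbom declares permissions, so publish-forge is still flagged.
JOB_OVERRIDE_WORKFLOW = WEAK_WORKFLOW.replace(
    "  generate-sbom:\n", "  generate-sbom:\n    permissions:\n      contents: write\n", 1
)

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW), ("override", JOB_OVERRIDE_WORKFLOW)):
        print(label, audit_workflow(wf))
```

The checker deliberately treats a root-level block as covering all jobs, which is what the autofix relies on, and only falls back to per-job checks when there is none; pinning is judged by whether the part after `@` is a full commit SHA, so both `@v3` and `@master` are reported.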