From ebc046bc8797874a043952ab4e8f573f14e4ac41 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 2 Jul 2024 12:39:26 +0530 Subject: [PATCH 1/5] fix: support-token-user/pass Signed-off-by: abhash abhashsolanki18@gmail.com Signed-off-by: root --- roles/bmc_fw_update/tasks/main.yml | 174 +++++++++++++++++++---------- 1 file changed, 114 insertions(+), 60 deletions(-) diff --git a/roles/bmc_fw_update/tasks/main.yml b/roles/bmc_fw_update/tasks/main.yml index f5c133a..efc029b 100644 --- a/roles/bmc_fw_update/tasks/main.yml +++ b/roles/bmc_fw_update/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.fail: msg: "{{ bmc_fw_update_mutual_exclusive_msg }}" when: - - ((dpu_bmc_username is defined or dpu_bmc_password is defined) and dpu_bmc_token is defined) + - (dpu_bmc_username is defined or dpu_bmc_password is defined) and (dpu_bmc_token is defined) - name: Get Firmware Inventory ansible.builtin.include_role: 
@@ -43,61 +43,119 @@ delegate_to: "{{ bmc_fw_update_delegate }}" when: not bmc_fw_update_local_file_check.stat.exists -# Consider replace with 'GetFirmwareUpdateCapabilities' when available -- name: Check multipart support - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" - method: GET - return_content: true - status_code: 200 - body_format: json - url_username: "{{ dpu_bmc_username }}" - url_password: "{{ dpu_bmc_password }}" - force_basic_auth: true - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_multipart_check - -# Deprecated method -- name: Update BMC firmware of DPU using deprecated HttpPushUri - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" - method: POST - status_code: [200, 202] - src: "{{ bmc_fw_update_image_file }}" - headers: - Content-Type: application/octet-stream - url_username: "{{ dpu_bmc_username }}" - url_password: "{{ dpu_bmc_password }}" - force_basic_auth: true - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_depecated_http_push - -- name: Extract task id from update task - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: '{{ bmc_fw_update_depecated_http_push.location | urlsplit("path") }}' - -- name: Update BMC firmware of DPU - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - community.general.redfish_command: - category: Update - command: MultipartHTTPPushUpdate - baseuri: "{{ inventory_hostname }}" - username: "{{ dpu_bmc_username }}" - password: "{{ dpu_bmc_password }}" - # auth_token: "{{ dpu_bmc_token }}" - timeout: 600 - update_image_file: "{{ bmc_fw_update_image_file }}" - register: result_update_task - delegate_to: "{{ bmc_fw_update_delegate }}" 
- -- name: Extract task id from update task - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" +# Check multipart support with user/pass authentication +- block: + - name: Check multipart support using user/pass + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" + method: GET + return_content: true + status_code: 200 + body_format: json + url_username: "{{ dpu_bmc_username }}" + url_password: "{{ dpu_bmc_password }}" + force_basic_auth: true + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_multipart_check + + # Deprecated method with user/pass + - name: Update BMC firmware of DPU using deprecated HttpPushUri with user/pass + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" + method: POST + status_code: [200, 202] + src: "{{ bmc_fw_update_image_file }}" + headers: + Content-Type: application/octet-stream + url_username: "{{ dpu_bmc_username }}" + url_password: "{{ dpu_bmc_password }}" + force_basic_auth: true + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_depecated_http_push + + - name: Extract task id from update task with user/pass + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + ansible.builtin.set_fact: + bmc_firmware_update_taskid: '{{ bmc_fw_update_depecated_http_push.location | urlsplit("path") }}' + + # Update BMC firmware with user/pass + - name: Update BMC firmware of DPU with user/pass + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined + community.general.redfish_command: + category: Update + command: MultipartHTTPPushUpdate + baseuri: "{{ inventory_hostname }}" + username: "{{ 
dpu_bmc_username }}" + password: "{{ dpu_bmc_password }}" + timeout: 600 + update_image_file: "{{ bmc_fw_update_image_file }}" + register: result_update_task + delegate_to: "{{ bmc_fw_update_delegate }}" + + - name: Extract task id from update task with user/pass + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined + ansible.builtin.set_fact: + bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" + + when: dpu_bmc_username is defined and dpu_bmc_password is defined + +# Check multipart support with token authentication +- block: + - name: Check multipart support using token + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" + method: GET + return_content: true + status_code: 200 + body_format: json + headers: + X-Auth-Token: "{{ dpu_bmc_token }}" + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_multipart_check + + # Deprecated method with token + - name: Update BMC firmware of DPU using deprecated HttpPushUri with token + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" + method: POST + status_code: [200, 202] + src: "{{ bmc_fw_update_image_file }}" + headers: + Content-Type: application/octet-stream + X-Auth-Token: "{{ dpu_bmc_token }}" + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_depecated_http_push + + - name: Extract task id from update task with token + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + ansible.builtin.set_fact: + bmc_firmware_update_taskid: '{{ bmc_fw_update_depecated_http_push.location | urlsplit("path") }}' + + # Update BMC firmware with token + - name: Update BMC firmware of DPU with token + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined + 
community.general.redfish_command: + category: Update + command: MultipartHTTPPushUpdate + baseuri: "{{ inventory_hostname }}" + auth_token: "{{ dpu_bmc_token }}" + timeout: 600 + update_image_file: "{{ bmc_fw_update_image_file }}" + register: result_update_task + delegate_to: "{{ bmc_fw_update_delegate }}" + + - name: Extract task id from update task with token + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined + ansible.builtin.set_fact: + bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" + + when: dpu_bmc_token is defined - name: Print TASK id for tracking ansible.builtin.debug: @@ -113,10 +171,6 @@ category: Update command: GetUpdateStatus baseuri: "{{ inventory_hostname }}" - username: "{{ dpu_bmc_username }}" - password: "{{ dpu_bmc_password }}" - # auth_token: "{{ dpu_bmc_token }}" - update_handle: "{{ bmc_firmware_update_taskid }}" register: update_progress until: update_progress.redfish_facts.update_status.status != 'Running' retries: 60 From 61dbf13b3631ce8df753a164a887e54020969baf Mon Sep 17 00:00:00 2001 From: Abhash Solanki Date: Thu, 11 Jul 2024 16:18:03 +0530 Subject: [PATCH 2/5] linters fix Signed-off-by: Abhash Solanki --- .github/workflows/ansible.yml | 15 ++++++++------- roles/bmc_fw_update/tasks/main.yml | 7 ++++++- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 673be37..8b55b17 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml 
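Review bot: Both `ansible.builtin.uri` tasks in the new token block send `X-Auth-Token: "{{ dpu_bmc_token }}"` with `validate_certs: false`, so the session token goes to whatever endpoint answers on that address without the BMC certificate being checked. The same holds for the basic-auth credentials and the firmware image in the user/pass block. The setting was already on the old tasks, but this hunk copies it onto the new token requests; I would make it a role variable that defaults to `true`, so setups with self-signed BMC certificates opt out explicitly. The unified tasks in the `@@ -43,119 +43,62 @@` hunk of patch 3/5 carry the same setting. As far as I can tell `headers` is not a masked parameter of the uri module, so `no_log: true` on the token-bearing tasks would keep the token out of verbose output.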
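Review bot: The `GetUpdateStatus` task in the `@@ -113,10 +171,6 @@` hunk is left with no `username`, `password` or `auth_token` and no `update_handle`, because the hunk deletes those lines without adding token-aware replacements. As written, the status poll has nothing to authenticate with and no task handle to look up, so the wait loop cannot report on the update that was just pushed. Keep `update_handle: "{{ bmc_firmware_update_taskid }}"` and pass each credential with `| default(omit)` in this same patch, so the commit works on its own. The task starts and ends outside the hunk.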
@@ -104,13 +104,14 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.9", "3.10", "3.11"] - ansible-version: [stable-2.17, stable-2.15, stable-2.16] - exclude: - # Ansible-core 2.16 is supported only from Python 3.10 onwards - - python-version: "3.9" - ansible-version: stable-2.16 - + python-version: ["3.9", "3.10", "3.11"] + ansible-version: [stable-2.15, stable-2.16, stable-2.17] + exclude: + # Ansible-core 2.16 and 2.17 are supported only from Python 3.10 onwards + - python-version: "3.9" + ansible-version: stable-2.16 + - python-version: "3.9" + ansible-version: stable-2.17 steps: # Important: This sets up your GITHUB_WORKSPACE environment variable - name: Checkout the source code diff --git a/roles/bmc_fw_update/tasks/main.yml b/roles/bmc_fw_update/tasks/main.yml index efc029b..e590ba2 100644 --- a/roles/bmc_fw_update/tasks/main.yml +++ b/roles/bmc_fw_update/tasks/main.yml @@ -171,6 +171,10 @@ category: Update command: GetUpdateStatus baseuri: "{{ inventory_hostname }}" + username: "{{ dpu_bmc_username | default(omit) }}" + password: "{{ dpu_bmc_password | default(omit) }}" + auth_token: "{{ dpu_bmc_token | default(omit) }}" + update_handle: "{{ bmc_firmware_update_taskid }}" register: update_progress until: update_progress.redfish_facts.update_status.status != 'Running' retries: 60 @@ -208,4 +212,5 @@ msg: "{{ bmc_fw_update_version_failure }}" when: - bmc_fw_update_reboot is true - - not bmc_fw_update_image_file is search(bmc_fw_update_got_fw_version | regex_search('[0-9-.]+')) + - not bmc_fw_update_image_file is search(bmc_fw_update_got_fw_version | regex_search('[0-9-.]+'))" + From e5fb95128f966ad86dea0ed0caece621ecc14e97 Mon Sep 17 00:00:00 2001 
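Review bot: The rewritten last condition in the `@@ -208,4 +212,5 @@` hunk ends in a stray double quote, `regex_search('[0-9-.]+'))"`, which leaves the expression unbalanced and should make it fail to template. This task is the check that the BMC reports the firmware version that was pushed, so an error here means the role cannot confirm the update. Drop the trailing `"` and the blank line added after it.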
From: Abhash Solanki Date: Fri, 12 Jul 2024 10:34:48 +0530 Subject: [PATCH 3/5] fix(bmc_fw_update): resolve YAML linting issues This commit resolves multiple YAML linting issues in the `bmc_fw_update` task file. - Removed extra blank lines - Ensured all tasks are named - Improved task key order - Prefixed variable names appropriately These changes should ensure the playbook passes `yamllint` and `ansible-lint` checks. Signed-off-by: Abhash Solanki --- .github/workflows/ansible.yml | 7 +- roles/bmc_fw_update/tasks/main.yml | 186 ++++++++++------------------- 2 files changed, 65 insertions(+), 128 deletions(-) diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 8b55b17..84c1d54 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml @@ -80,13 +80,8 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.9", "3.10", "3.11"] + python-version: ["3.10", "3.11", "3.12"] ansible-version: [stable-2.17, stable-2.15, stable-2.16] - exclude: - # Ansible-core 2.16 is supported only from Python 3.10 onwards - - python-version: "3.9" - ansible-version: stable-2.16 - steps: - name: Perform sanity testing uses: ansible-community/ansible-test-gh-action@release/v1 diff --git a/roles/bmc_fw_update/tasks/main.yml b/roles/bmc_fw_update/tasks/main.yml index e590ba2..e37647c 100644 --- a/roles/bmc_fw_update/tasks/main.yml +++ b/roles/bmc_fw_update/tasks/main.yml @@ -23,11 +23,11 @@ - name: Store current fw version ansible.builtin.set_fact: - bmc_fw_update_cur_fw_version: "{{ vars.get_bmc_facts_all_fw_versions[bmc_fw_update_inventory_name] }}" + bmc_fw_update_cur_fw_version: "{{ get_bmc_facts_before.get_bmc_facts_all_fw_versions[bmc_fw_update_inventory_name] }}" - name: Print BMC Version ansible.builtin.debug: - msg: "{{ get_bmc_facts_all_fw_versions }}" + msg: "{{ get_bmc_facts_before.get_bmc_facts_all_fw_versions }}" - name: Check if firmware image exists locally {{ bmc_fw_update_image_file }} ansible.builtin.stat: 
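Review bot: `get_bmc_facts_before` is read in both changed lines of the `@@ -23,11 +23,11 @@` hunk, but nothing visible in this patch sets it. The preceding `Get Firmware Inventory` task is an `include_role` whose arguments lie outside the hunk. If the included role does not publish its result under that name, `bmc_fw_update_cur_fw_version` turns into an undefined-variable error. The same question applies to `get_bmc_facts_after` in the `@@ -201,16 +143,16 @@` hunk, which feeds the post-update version check. Once the source is confirmed, a one-line comment above each `set_fact`, such as `# get_bmc_facts_before is populated by the include_role above`, would document it.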
@@ -43,119 +43,62 @@ delegate_to: "{{ bmc_fw_update_delegate }}" when: not bmc_fw_update_local_file_check.stat.exists -# Check multipart support with user/pass authentication -- block: - - name: Check multipart support using user/pass - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" - method: GET - return_content: true - status_code: 200 - body_format: json - url_username: "{{ dpu_bmc_username }}" - url_password: "{{ dpu_bmc_password }}" - force_basic_auth: true - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_multipart_check - - # Deprecated method with user/pass - - name: Update BMC firmware of DPU using deprecated HttpPushUri with user/pass - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" - method: POST - status_code: [200, 202] - src: "{{ bmc_fw_update_image_file }}" - headers: - Content-Type: application/octet-stream - url_username: "{{ dpu_bmc_username }}" - url_password: "{{ dpu_bmc_password }}" - force_basic_auth: true - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_depecated_http_push - - - name: Extract task id from update task with user/pass - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: '{{ bmc_fw_update_depecated_http_push.location | urlsplit("path") }}' - - # Update BMC firmware with user/pass - - name: Update BMC firmware of DPU with user/pass - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - community.general.redfish_command: - category: Update - command: MultipartHTTPPushUpdate - baseuri: "{{ inventory_hostname }}" - username: "{{ dpu_bmc_username }}" - password: "{{ dpu_bmc_password }}" - timeout: 600 - update_image_file: "{{ bmc_fw_update_image_file }}" 
- register: result_update_task - delegate_to: "{{ bmc_fw_update_delegate }}" - - - name: Extract task id from update task with user/pass - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" - - when: dpu_bmc_username is defined and dpu_bmc_password is defined - -# Check multipart support with token authentication -- block: - - name: Check multipart support using token - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" - method: GET - return_content: true - status_code: 200 - body_format: json - headers: - X-Auth-Token: "{{ dpu_bmc_token }}" - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_multipart_check - - # Deprecated method with token - - name: Update BMC firmware of DPU using deprecated HttpPushUri with token - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.uri: - url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" - method: POST - status_code: [200, 202] - src: "{{ bmc_fw_update_image_file }}" - headers: - Content-Type: application/octet-stream - X-Auth-Token: "{{ dpu_bmc_token }}" - validate_certs: false - delegate_to: "{{ bmc_fw_update_delegate }}" - register: bmc_fw_update_depecated_http_push - - - name: Extract task id from update task with token - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: '{{ bmc_fw_update_depecated_http_push.location | urlsplit("path") }}' - - # Update BMC firmware with token - - name: Update BMC firmware of DPU with token - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - community.general.redfish_command: - category: Update - command: MultipartHTTPPushUpdate - baseuri: "{{ inventory_hostname }}" - 
auth_token: "{{ dpu_bmc_token }}" - timeout: 600 - update_image_file: "{{ bmc_fw_update_image_file }}" - register: result_update_task - delegate_to: "{{ bmc_fw_update_delegate }}" - - - name: Extract task id from update task with token - when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - ansible.builtin.set_fact: - bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" - - when: dpu_bmc_token is defined +- name: Check multipart support + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}/redfish/v1/UpdateService" + method: GET + return_content: true + status_code: 200 + body_format: json + url_username: "{{ dpu_bmc_username | default(omit) }}" + url_password: "{{ dpu_bmc_password | default(omit) }}" + headers: + X-Auth-Token: "{{ dpu_bmc_token | default(omit) }}" + force_basic_auth: true + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_multipart_check + +- name: Update BMC firmware of DPU using deprecated HttpPushUri + ansible.builtin.uri: + url: "https://{{ inventory_hostname }}{{ bmc_fw_update_multipart_check.json.HttpPushUri }}" + method: POST + status_code: [200, 202] + src: "{{ bmc_fw_update_image_file }}" + headers: + Content-Type: application/octet-stream + X-Auth-Token: "{{ dpu_bmc_token | default(omit) }}" + url_username: "{{ dpu_bmc_username | default(omit) }}" + url_password: "{{ dpu_bmc_password | default(omit) }}" + force_basic_auth: true + validate_certs: false + delegate_to: "{{ bmc_fw_update_delegate }}" + register: bmc_fw_update_deprecated_http_push + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + +- name: Extract task id from update task + ansible.builtin.set_fact: + bmc_firmware_update_taskid: '{{ bmc_fw_update_deprecated_http_push.location | urlsplit("path") }}' + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is not defined + +- name: Update BMC firmware of DPU + 
community.general.redfish_command: + category: Update + command: MultipartHTTPPushUpdate + baseuri: "{{ inventory_hostname }}" + auth_token: "{{ dpu_bmc_token | default(omit) }}" + username: "{{ dpu_bmc_username | default(omit) }}" + password: "{{ dpu_bmc_password | default(omit) }}" + timeout: 600 + update_image_file: "{{ bmc_fw_update_image_file }}" + register: result_update_task + delegate_to: "{{ bmc_fw_update_delegate }}" + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined + +- name: Extract task id from update task + ansible.builtin.set_fact: + bmc_firmware_update_taskid: "{{ result_update_task.return_values.update_status.handle }}" + when: bmc_fw_update_multipart_check.json.MultipartHttpPushUri is defined - name: Print TASK id for tracking ansible.builtin.debug: @@ -166,20 +109,20 @@ seconds: 10 - name: Get the status of an update operation in a loop - when: bmc_fw_update_job_wait is true community.general.redfish_info: category: Update command: GetUpdateStatus baseuri: "{{ inventory_hostname }}" + auth_token: "{{ dpu_bmc_token | default(omit) }}" username: "{{ dpu_bmc_username | default(omit) }}" password: "{{ dpu_bmc_password | default(omit) }}" - auth_token: "{{ dpu_bmc_token | default(omit) }}" update_handle: "{{ bmc_firmware_update_taskid }}" register: update_progress until: update_progress.redfish_facts.update_status.status != 'Running' retries: 60 delay: 30 delegate_to: "{{ bmc_fw_update_delegate }}" + when: bmc_fw_update_job_wait is true - name: Validate task was completed ansible.builtin.fail: @@ -191,8 +134,7 @@ - name: Reboot BMC to apply new firmware of DPU ansible.builtin.include_role: name: bmc_reboot - when: - - bmc_fw_update_reboot is true + when: bmc_fw_update_reboot is true - name: Get Firmware Inventory ansible.builtin.include_role: 
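Review bot: With the two `block`s gone, nothing in the merged tasks of the `@@ -43,119 +43,62 @@` hunk requires that any credential is present. Every auth field is `| default(omit)`, so a host with neither `dpu_bmc_token` nor `dpu_bmc_username`/`dpu_bmc_password` now sends the UpdateService GET and the firmware POST unauthenticated, where the old block-level `when:` guards skipped them. The only guard visible in this series is the mutual-exclusion `fail` at the top of the file, which fires when both methods are set, not when none is. I would add a second `fail` before `Check multipart support` with `when: dpu_bmc_token is not defined and (dpu_bmc_username is not defined or dpu_bmc_password is not defined)`. `force_basic_auth: true` also stays on for the token path, which deserves a comment since no username is sent there.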
@@ -201,16 +143,16 @@ - name: Print BMC Version ansible.builtin.debug: - msg: "{{ get_bmc_facts_all_fw_versions }}" + msg: "{{ get_bmc_facts_after.get_bmc_facts_all_fw_versions }}" - name: Store fw version we installed ansible.builtin.set_fact: - bmc_fw_update_got_fw_version: "{{ vars.get_bmc_facts_all_fw_versions[bmc_fw_update_inventory_name] }}" + bmc_fw_update_got_fw_version: "{{ get_bmc_facts_after.get_bmc_facts_all_fw_versions[bmc_fw_update_inventory_name] }}" - name: Validate fw image matches given filename ansible.builtin.fail: msg: "{{ bmc_fw_update_version_failure }}" when: - bmc_fw_update_reboot is true - - not bmc_fw_update_image_file is search(bmc_fw_update_got_fw_version | regex_search('[0-9-.]+'))" + - not (bmc_fw_update_image_file is search(bmc_fw_update_got_fw_version | regex_search('[0-9-.]+'))) From caf19dda8371916351b2880b3d8b9da787a39b5c Mon Sep 17 00:00:00 2001 From: Abhash Solanki Date: Mon, 15 Jul 2024 22:15:48 +0530 Subject: [PATCH 4/5] fix(bmc_fw_update): resolve workflow permission errors Signed-off-by: Abhash Solanki --- .github/workflows/ansible.yml | 15 ++------------- .github/workflows/docker-publish.yml | 4 ++++ .github/workflows/scorecard.yml | 4 ++++ 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 84c1d54..5d61909 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml @@ -52,13 +52,8 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.9", "3.10", "3.11"] + python-version: ["3.10", "3.11", "3.12"] ansible-version: [stable-2.17, stable-2.15, stable-2.16] - exclude: - # Ansible-core 2.16 is supported only from Python 3.10 onwards - - python-version: "3.9" - ansible-version: stable-2.16 - steps: - name: Perform unit testing with ansible-test uses: ansible-community/ansible-test-gh-action@release/v1 
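Review bot: The version gate in the last task of the `@@ -201,16 +143,16 @@` hunk still feeds the output of `regex_search('[0-9-.]+')` straight into `search`, so the reported version is used as a regular expression and matched anywhere in the image file name; the hunk only adds parentheses around it. An unescaped `.` matches any character and a short version string can match unrelated digits in the path, so the check can pass for an image other than the one the BMC is running. Escaping the value, `... | regex_search('[0-9-.]+') | regex_escape`, tightens it. A stronger check would compare against an expected version supplied by the caller rather than one inferred from the file name. The gate also runs only when `bmc_fw_update_reboot is true`.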
@@ -99,14 +94,8 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.9", "3.10", "3.11"] + python-version: ["3.10", "3.11", "3.12"] ansible-version: [stable-2.15, stable-2.16, stable-2.17] - exclude: - # Ansible-core 2.16 and 2.17 are supported only from Python 3.10 onwards - - python-version: "3.9" - ansible-version: stable-2.16 - - python-version: "3.9" - ansible-version: stable-2.17 steps: # Important: This sets up your GITHUB_WORKSPACE environment variable - name: Checkout the source code diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 86f853b..8345f01 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -9,6 +9,10 @@ on: pull_request: branches: [ main ] +permissions: + id-token: write + contents: read + jobs: call: uses: opiproject/actions/.github/workflows/docker-publish.yml@main diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 518564e..b1271e1 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,6 +7,10 @@ on: pull_request: branches: [ main ] +permissions: + id-token: write + contents: read + jobs: call: uses: opiproject/actions/.github/workflows/scorecard.yml@main From 91dee4583817d36ed21bfe8aabae524a3b410c67 Mon Sep 17 00:00:00 2001 From: Abhash Solanki Date: Mon, 15 Jul 2024 22:31:02 +0530 Subject: [PATCH 5/5] fix(bmc_fw_update): resolve workflow permission errors Signed-off-by: Abhash Solanki --- .github/workflows/ansible.yml | 7 ++++++- .github/workflows/docker-publish.yml | 1 + .github/workflows/scorecard.yml | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 5d61909..ce4bd01 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml 
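Review bot: `id-token: write` is granted at workflow level in the `docker-publish.yml` hunk, on a workflow that the context lines show running on `pull_request` and delegating to `opiproject/actions/.github/workflows/docker-publish.yml@main`. That hands OIDC token minting to whatever the `main` branch of the called repository contains at run time. Pinning the `uses:` reference to a full commit SHA (`@<commit-sha>`) and moving the `permissions:` block under `jobs.call` would scope the grant to the one job that needs it. The `scorecard.yml` hunk in this patch has the same shape, and patch 5/5 widens both with `packages: write` and `security-events: write`. A short comment next to each scope naming the step that consumes it would help later reviewers trim the list.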
@@ -52,8 +52,13 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3.10", "3.11", "3.12"] + python-version: ["3.9", "3.10", "3.11"] ansible-version: [stable-2.17, stable-2.15, stable-2.16] + exclude: + # Ansible-core 2.16 is supported only from Python 3.10 onwards + - python-version: "3.9" + ansible-version: stable-2.16 + steps: - name: Perform unit testing with ansible-test uses: ansible-community/ansible-test-gh-action@release/v1 diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 8345f01..b5d7ff6 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -12,6 +12,7 @@ on: permissions: id-token: write contents: read + packages: write jobs: call: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b1271e1..d2d33be 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -10,6 +10,8 @@ on: permissions: id-token: write contents: read + actions: read + security-events: write jobs: call:
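Review bot: The restored `exclude` in the `@@ -52,8 +52,13 @@` hunk drops only the `3.9` and `stable-2.16` pair, but the matrix also lists `stable-2.17`. The comment added in patch 2/5 of this series says 2.16 and 2.17 both need Python 3.10 or later, so the unit-test job would still schedule `3.9` with `stable-2.17`. Add a second entry, `- python-version: "3.9"` with `ansible-version: stable-2.17`, and update the comment to mention 2.17.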