actions: set permissions for build and ci and trigger on pipeline only changes (#30108)

* actions: set permissions for build and ci * changed-file: always build and test-go on pipeline changes Signed-off-by: Ryan Cragun <me@ryan.ec>
2026-06-03 22:02:19 -04:00 · 2025-03-28 17:10:46 -06:00 · 2025-03-28 17:10:46 -06:00 · 4941aa84f8
commit 4941aa84f8
parent 5f99abe101
2 changed files with 7 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -83,9 +83,7 @@ jobs:
      github.event_name == 'schedule' ||
      (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","linux","small"]') }}
-    permissions:
-      id-token: write # vault-auth
-      contents: read
+    permissions: write-all # vault-auth
    outputs:
      build-date: ${{ steps.metadata.outputs.vault-build-date }}
      changed-files: ${{ steps.changed-files.outputs.changed-files }}
@ -170,6 +168,7 @@ jobs:
        needs.setup.outputs.is-draft == 'false' &&
        (
          contains(fromJSON(needs.setup.outputs.changed-files).groups, 'ui') ||
+          contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline') ||
          contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app')
        )
      )
@ -220,6 +219,7 @@ jobs:
    if: |
      needs.setup.outputs.workflow-trigger == 'schedule' ||
      contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
+      contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline') ||
      contains(fromJSON(needs.setup.outputs.labels), 'build/all')
    needs:
      - setup
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -19,6 +19,7 @@ concurrency:
 jobs:
  setup:
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","linux","small"]') }}
+    permissions: write-all # vault-auth
    outputs:
      changed-files: ${{ steps.changed-files.outputs.changed-files }}
      checkout-ref: ${{ steps.checkout.outputs.ref }}
@ -139,7 +140,9 @@ jobs:

  test-go:
    # Run Go tests if the vault app changed
-    if: contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app')
+    if: |
+      contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
+      contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline')
    name: Run Go tests
    needs: setup
    uses: ./.github/workflows/test-go.yml