From 4941aa84f8986c0aec907234aefcc6fd0fd5d24f Mon Sep 17 00:00:00 2001
From: Ryan Cragun
Date: Fri, 28 Mar 2025 17:10:46 -0600
Subject: [PATCH] actions: set permissions for build and ci and trigger on pipeline only changes (#30108)

* actions: set permissions for build and ci

* changed-file: always build and test-go on pipeline changes

Signed-off-by: Ryan Cragun
---
 .github/workflows/build.yml | 6 +++---
 .github/workflows/ci.yml | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d7ad6c3a81..2edd0aa479 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -83,9 +83,7 @@ jobs:
 github.event_name == 'schedule' ||
 (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
 runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","linux","small"]') }}
- permissions:
- id-token: write # vault-auth
- contents: read
+ permissions: write-all # vault-auth
 outputs:
 build-date: ${{ steps.metadata.outputs.vault-build-date }}
 changed-files: ${{ steps.changed-files.outputs.changed-files }}
@@ -170,6 +168,7 @@ jobs:
 needs.setup.outputs.is-draft == 'false' &&
 (
 contains(fromJSON(needs.setup.outputs.changed-files).groups, 'ui') ||
+ contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline') ||
 contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app')
 )
 )
@@ -220,6 +219,7 @@ jobs:
 if: |
 needs.setup.outputs.workflow-trigger == 'schedule' ||
 contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
+ contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline') ||
 contains(fromJSON(needs.setup.outputs.labels), 'build/all')
 needs:
 - setup
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6cf301eccf..5274893983 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
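Review bot: `permissions: write-all` in the first hunk of build.yml (`@@ -83,9 +83,7 @@`) replaces a two-scope grant with every scope the GITHUB_TOKEN can hold, while the `# vault-auth` comment only accounts for `id-token: write`. When `permissions` is set at job level every scope not listed defaults to none, so presumably the setup job needed one scope the old block lacked (the changed-files step is a likely candidate, but it is outside this hunk); naming that scope explicitly keeps the job on least privilege: `permissions:` / `  id-token: write # vault-auth` / `  contents: read` plus the single extra scope. On push and schedule runs this token is not downgraded to read-only the way it is for fork pull requests, so `write-all` there hands contents, packages and pull-requests write access to every step and action in the job. The same `write-all` line is added in the first hunk of ci.yml (`@@ -19,6 +19,7 @@`).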
@@ -19,6 +19,7 @@ concurrency:
 jobs:
 setup:
 runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","linux","small"]') }}
+ permissions: write-all # vault-auth
 outputs:
 changed-files: ${{ steps.changed-files.outputs.changed-files }}
 checkout-ref: ${{ steps.checkout.outputs.ref }}
@@ -139,7 +140,9 @@ jobs:
 test-go:
 # Run Go tests if the vault app changed
- if: contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app')
+ if: |
+ contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
+ contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline')
 name: Run Go tests
 needs: setup
 uses: ./.github/workflows/test-go.yml
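Review bot: The comment `# Run Go tests if the vault app changed` in the `test-go` hunk (`@@ -139,7 +140,9 @@`) is now stale, because the new `if:` block also fires on the `pipeline` group. Change it to `# Run Go tests if the vault app or the CI pipeline changed` so the comment matches the condition beneath it. Which paths make up the `pipeline` group is presumably decided in the setup job's changed-files step, outside this hunk, so a short pointer to that step in the same comment would save the next reader a search.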