From b561a370cdf1be923e09e06af2ee2932d07dc322 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Thu, 22 Dec 2022 10:09:18 +0100
Subject: [PATCH] ci: authenticate when looking up release information (#1936)
 (#1939)

---
 .github/workflows/ci-windows-build-msi.yml    | 19 ++++--
 .../workflows/dispatch_create_branch_hub.yaml | 26 ++++---
 .../workflows/dispatch_delete_branch_hub.yaml | 26 ++++---
 .github/workflows/release_publish-package.yml | 67 ++++++++++---------
 4 files changed, 83 insertions(+), 55 deletions(-)

diff --git a/.github/workflows/ci-windows-build-msi.yml b/.github/workflows/ci-windows-build-msi.yml
index 8a2cd7024..e4bc36c55 100644
--- a/.github/workflows/ci-windows-build-msi.yml
+++ b/.github/workflows/ci-windows-build-msi.yml
@@ -11,6 +11,18 @@ on:
       - 'README.md'
 
 jobs:
+  get_latest_release:
+    name: get_latest_release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - id: get_latest_release
+      uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      with:
+        latest: true
 
   build:
     name: Build
@@ -23,13 +35,8 @@ jobs:
       id: go
     - name: Check out code into the Go module directory
       uses: actions/checkout@v2
-    - id: get_latest_release
-      uses: pozetroninc/github-action-get-latest-release@master
-      with:
-        repository: crowdsecurity/crowdsec
-        excludes: draft
     - id: set_release_in_env
-      run: echo "BUILD_VERSION=${{ steps.get_latest_release.outputs.release }}" >> $env:GITHUB_ENV
+      run: echo "BUILD_VERSION=${{ jobs.get_latest_release.outputs.tag_name }}" >> $env:GITHUB_ENV
     - name: Build
       run: make windows_installer
     - name: Upload MSI
diff --git a/.github/workflows/dispatch_create_branch_hub.yaml b/.github/workflows/dispatch_create_branch_hub.yaml
index 38d6f11bd..5a5209b64 100644
--- a/.github/workflows/dispatch_create_branch_hub.yaml
+++ b/.github/workflows/dispatch_create_branch_hub.yaml
@@ -2,23 +2,33 @@ name: Dispatch to hub when creating pre-release
 
 on:
   release:
-    types: prereleased
+    types:
+      - prereleased
 
 jobs:
+  get_latest_release:
+    name: get_latest_release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - id: get_latest_release
+      uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      with:
+        latest: true
+        draft: false
+        prerelease: false
+
   dispatch:
     name: dispatch to hub-tests
     runs-on: ubuntu-latest
     steps:
-      - id: keydb
-        uses: pozetroninc/github-action-get-latest-release@master
-        with:
-          owner: crowdsecurity
-          repo: crowdsec
-          excludes: prerelease, draft
       - name: Repository Dispatch
         uses: peter-evans/repository-dispatch@v1
         with:
           token: ${{ secrets.DISPATCH_TOKEN }}
           event-type: create_branch
           repository: crowdsecurity/hub
-          client-payload: '{"version": "${{ steps.keydb.outputs.release }}"}'
+          client-payload: '{"version": "${{ jobs.get_latest_release.outputs.tag_name }}"}'
diff --git a/.github/workflows/dispatch_delete_branch_hub.yaml b/.github/workflows/dispatch_delete_branch_hub.yaml
index 6a298691d..9582457a6 100644
--- a/.github/workflows/dispatch_delete_branch_hub.yaml
+++ b/.github/workflows/dispatch_delete_branch_hub.yaml
@@ -2,23 +2,33 @@ name: Dispatch to hub when deleting pre-release
 
 on:
   release:
-    types: deleted
+    types:
+      - deleted
 
 jobs:
+  get_latest_release:
+    name: get_latest_release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - id: get_latest_release
+        uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          latest: true
+          draft: false
+          prerelease: false
+
   dispatch:
     name: dispatch to hub-tests
     runs-on: ubuntu-latest
     steps:
-      - id: keydb
-        uses: pozetroninc/github-action-get-latest-release@master
-        with:
-          owner: crowdsecurity
-          repo: crowdsec
-          excludes: prerelease, draft
       - name: Repository Dispatch
         uses: peter-evans/repository-dispatch@v1
         with:
           token: ${{ secrets.DISPATCH_TOKEN }}
           event-type: delete_branch
           repository: crowdsecurity/hub
-          client-payload: '{"version": "${{ steps.keydb.outputs.release }}"}'
+          client-payload: '{"version": "${{ jobs.get_latest_release.outputs.tag_name }}"}'
diff --git a/.github/workflows/release_publish-package.yml b/.github/workflows/release_publish-package.yml
index 8a30ae09c..0293343d4 100644
--- a/.github/workflows/release_publish-package.yml
+++ b/.github/workflows/release_publish-package.yml
@@ -3,46 +3,47 @@ name: build
 
 on:
   release:
-    types: prereleased
+    types:
+      - prereleased
 
 jobs:
   build:
     name: Build and upload binary package
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-      id: go
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-    - name: Build the binaries
-      run: make release
-    - name: Upload to release
-      uses: JasonEtco/upload-to-release@master
-      with:
-        args: crowdsec-release.tgz application/x-gzip
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+      - name: Build the binaries
+        run: make release
+      - name: Upload to release
+        uses: JasonEtco/upload-to-release@master
+        with:
+          args: crowdsec-release.tgz application/x-gzip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build_static:
     name: Build and upload binary package
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-      id: go
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-    - name: Build the binaries
-      run: |
-        make release BUILD_STATIC=yes
-        mv crowdsec-release.tgz crowdsec-release-static.tgz
-    - name: Upload to release
-      uses: JasonEtco/upload-to-release@master
-      with:
-        args: crowdsec-release-static.tgz application/x-gzip
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+      - name: Build the binaries
+        run: |
+          make release BUILD_STATIC=yes
+          mv crowdsec-release.tgz crowdsec-release-static.tgz
+      - name: Upload to release
+        uses: JasonEtco/upload-to-release@master
+        with:
+          args: crowdsec-release-static.tgz application/x-gzip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}