workflows: Add id-token permission to call-publish-helm job #43717

Merged: aanm merged 1 commit into main from pr/fix-helm-permisisons, Jan 13, 2026

aanm commented Jan 13, 2026

The call-publish-helm job calls a reusable workflow (release.yaml) which
needs to sign Helm charts using cosign with GitHub Actions OIDC tokens.

According to GitHub Actions documentation[1]:

> If jobs.<job_id>.permissions is not specified in the calling job, the
  called workflow will have the default permissions for the GITHUB_TOKEN.

Since the default permissions don't include 'id-token: write', cosign
was unable to obtain OIDC tokens and fell back to device flow, which
then failed with expired_token errors.

[1]: https://docs.github.com/en/actions/using-workflows/reusing-workflows

Fixes: 32d801791fdd ("workflows: Add id-token permission to call-publish-helm job")
Signed-off-by: André Martins <andre@cilium.io>
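
The caller/callee permission relationship described in the PR description above, as an added example that is not taken from the Cilium repository. `OWNER/REPO`, `REF`, the trigger, the `call-publish-helm-unfixed` job id, the `sign` job and the guard step are placeholders or assumptions.

```yaml
# --- calling workflow (added illustration, not the project's file) ---
name: release-caller            # hypothetical name
on:
  workflow_dispatch:            # hypothetical trigger

jobs:
  # Before: no job-level permissions key, so release.yaml runs with the
  # default GITHUB_TOKEN permissions, which never include id-token: write.
  call-publish-helm-unfixed:    # hypothetical job id for the "before" case
    uses: OWNER/REPO/.github/workflows/release.yaml@REF

  # After: the calling job grants the scope explicitly.
  call-publish-helm:
    permissions:
      # Naming any scope sets every unlisted scope to none, so list
      # everything the called workflow needs (contents: read is assumed).
      contents: read
      id-token: write           # lets the called workflow request an OIDC token
    uses: OWNER/REPO/.github/workflows/release.yaml@REF
---
# --- release.yaml, the called workflow (sketch, assumed layout) ---
# A called workflow can keep or lower the permissions passed by the
# caller, never raise them.
on:
  workflow_call:

jobs:
  sign:                         # hypothetical job id
    runs-on: ubuntu-latest
    steps:
      # Assumed guard: the runner only exposes these two variables when
      # id-token: write is in effect. Failing here gives a clear error
      # instead of cosign falling back to the interactive device flow.
      - name: Require GitHub Actions OIDC before signing
        run: |
          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || \
             [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
            echo "::error::id-token: write was not granted by the calling job"
            exit 1
          fi
```
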
aanm requested review from a team as code owners January 13, 2026 12:24
aanm requested a review from viktor-kurchenko January 13, 2026 12:24
aanm added labels needs-backport/1.17 (This PR / issue needs backporting to the v1.17 branch), needs-backport/1.18 (This PR / issue needs backporting to the v1.18 branch), needs-backport/1.19 (This PR / issue needs backporting to the v1.19 branch) Jan 13, 2026
maintainer-s-little-helper bot added the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label Jan 13, 2026
aanm added release-note/misc (This PR makes changes that have no direct user impact.) and removed dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) labels Jan 13, 2026

aanm commented Jan 13, 2026

/test

aanm enabled auto-merge January 13, 2026 12:25
aanm added this pull request to the merge queue Jan 13, 2026
maintainer-s-little-helper bot added the ready-to-merge (This PR has passed all tests and received consensus from code owners to merge.) label Jan 13, 2026
Merged via the queue into main with commit 8a2c681 Jan 13, 2026
83 of 84 checks passed
aanm deleted the pr/fix-helm-permisisons branch January 13, 2026 16:34
joestringer removed the needs-backport/1.19 (This PR / issue needs backporting to the v1.19 branch) label Jan 13, 2026
gandro mentioned this pull request Jan 15, 2026 (4 tasks)
gandro added backport-pending/1.18 (The backport for Cilium 1.18.x for this PR is in progress.) and removed needs-backport/1.18 (This PR / issue needs backporting to the v1.18 branch) labels Jan 15, 2026
gandro mentioned this pull request Jan 15, 2026 (2 tasks)
gandro added backport-pending/1.17 (The backport for Cilium 1.17.x for this PR is in progress.) and removed needs-backport/1.17 (This PR / issue needs backporting to the v1.17 branch) labels Jan 15, 2026
gandro mentioned this pull request Jan 15, 2026 (2 tasks)
github-actions bot added backport-done/1.16 (The backport for Cilium 1.16.x for this PR is done.), backport-done/1.17 (The backport for Cilium 1.17.x for this PR is done.), backport-done/1.18 (The backport for Cilium 1.18.x for this PR is done.) and removed backport-pending/1.17 (The backport for Cilium 1.17.x for this PR is in progress.), backport-pending/1.18 (The backport for Cilium 1.18.x for this PR is in progress.) labels Jan 15, 2026
cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026