From b89c534f9b9dac118ed5cb257aa1cfc3106b870c Mon Sep 17 00:00:00 2001 From: "JM (Jason Meridth)" Date: Sat, 25 Jan 2025 03:10:51 -0600 Subject: [PATCH] ci: reduce permissions on auto-labeler and set to not release (#38) We were seeing random draft releases after a release occurred. I realized the auto-labeler workflow (also using draft-release action) was still doing a draft release. This was the culprit. By adding `disable-releaser: true`, we prevent this. Since this workflow no longer needs to create a release we can remove the `contents: write` permissions also. - [x] change image-name from hard-coded to github.repository in test-release Signed-off-by: jmeridth
---
 .github/workflows/auto-labeler.yaml | 2 +-
 .github/workflows/test-auto-labeler.yaml | 1 -
 .github/workflows/test-release.yaml | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/auto-labeler.yaml b/.github/workflows/auto-labeler.yaml
index f77ee1f..dd32570 100644
--- a/.github/workflows/auto-labeler.yaml
+++ b/.github/workflows/auto-labeler.yaml
@@ -14,7 +14,6 @@ permissions:
 jobs:
 main:
 permissions:
- contents: write
 pull-requests: write
 name: Auto label pull requests
 runs-on: ubuntu-latest
@@ -24,3 +23,4 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.github-token }}
 with:
 config-name: ${{ inputs.config-name }}
+ disable-releaser: true
diff --git a/.github/workflows/test-auto-labeler.yaml b/.github/workflows/test-auto-labeler.yaml
index df54ba3..e22eb6e 100644
--- a/.github/workflows/test-auto-labeler.yaml
+++ b/.github/workflows/test-auto-labeler.yaml
@@ -9,7 +9,6 @@ permissions:
 jobs:
 auto_labeler:
 permissions:
- contents: write
 pull-requests: write
 uses: ./.github/workflows/auto-labeler.yaml
 with:
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index efaf690..31587e1 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
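Review bot: With `contents: write` removed from the `main` job's `permissions` block in auto-labeler.yaml, the job token has no `contents` access at all, because a job-level `permissions` block sets every unlisted scope to `none` instead of inheriting the workflow-level value. The step is given a `config-name`, and if the action reads that config file from the repository through the token (the `uses:` line is outside the hunk, so this is an assumption), callers in private repositories would fail to load it. Adding `contents: read` next to `pull-requests: write` keeps the job read-only on repository contents while covering that case. The same applies to the `auto_labeler` caller job in test-auto-labeler.yaml, since the caller's permissions cap what the reusable workflow receives. The `main` job continues outside the hunk.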
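Review bot: The added `disable-releaser: true` and the removed `contents: write` in auto-labeler.yaml depend on each other, but nothing in the file records that. A short comment above the flag, such as `# labeling only; releaser disabled so this job needs no contents: write`, would stop a later edit from dropping the flag or re-adding the permission without noticing the link. The step this `with:` block belongs to starts outside the hunk.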
@@ -26,7 +26,7 @@ jobs:
 attestations: write
 uses: ./.github/workflows/release-image.yaml
 with:
- image-name: github/ospo-reusable-workflows
+ image-name: ${{ github.repository }}
 full-tag: ${{ needs.release.outputs.full-tag }}
 short-tag: ${{ needs.release.outputs.short-tag }}
 create-attestation: true
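Review bot: `image-name: ${{ github.repository }}` passes the repository name with its original letter case, and container image references must be lowercase, so a fork or rename under an owner or repository name with uppercase letters would fail when the image is tagged or pushed. The previous hard-coded value was all lowercase, so this would only show up outside the upstream repository. Whether release-image.yaml normalizes `image-name` is not visible here; if it does not, lowercase the value there before it is used as a tag, and since `create-attestation: true` is set, use the same normalized name for the attestation subject. The job this `with:` block belongs to starts outside the hunk.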