
fix: permissions on steps is not a thing (#4134)

* fix: permissions on steps is not a thing

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add comment in the values about the conversion

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam hai 1 ano
pai
achega
1ae44e4167

+ 4 - 10
.github/workflows/helm.yml

@@ -69,7 +69,10 @@ jobs:
 
   release:
     permissions:
-      contents: read
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      packages: write  # to push OCI chart package to GitHub Registry
+      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
+      attestations: write # this permission is necessary to persist the attestation
     runs-on: ubuntu-latest
     if: |
       github.ref == 'refs/heads/main' ||
@@ -96,9 +99,6 @@ jobs:
           echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
           echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
       - name: Run chart-releaser
-        permissions:
-          contents: write  # for helm/chart-releaser-action to push chart release and create a release
-          packages: write  # to push OCI chart package to GitHub Registry
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         env:
           CR_KEY: external-secrets <external-secrets@external-secrets.io>
@@ -130,9 +130,6 @@ jobs:
           cosign-release: 'v2.4.1'
 
       - name: Push chart to GHCR
-        permissions:
-          id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
-          attestations: write # this permission is necessary to persist the attestation
         id: push_chart
         run: |
           shopt -s nullglob
@@ -160,9 +157,6 @@ jobs:
           done
 
       - name: Generate provenance attestation and push to OCI registry
-        permissions:
-          attestation: write
-          packages: write
         uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
         with:
           push-to-registry: true
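Review bot: Hoisting `contents: write`, `packages: write` and `id-token: write` to the job level in the first hunk means the GITHUB_TOKEN carries those scopes for every step of `release`, including the GPG key import and each third-party action, because GitHub Actions has no step-level scoping; that is the right fix, but the widened scope deserves a line next to the block, e.g. `# step-level permissions are not supported: these scopes apply to every step in this job`. Two style points on the same lines: the inline comment on `attestations: write` has only one space before `#` (the lines above use two, as yamllint's `comments` rule expects), and the `id-token` comment pushes that line well past 120 columns, so both comments are better placed on their own line above the key. The removed step block in the last hunk used the key `attestation` (singular), which is not a recognised permission, so consolidating on `attestations` at the job level also corrects that; a sentence in the commit message would make the fix visible. The `release` job's `if:` expression starts at the end of the first hunk and continues outside it.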

+ 1 - 1
deploy/charts/external-secrets/README.md

@@ -87,7 +87,7 @@ The command removes all the Kubernetes components associated with the chart and
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
 | crds.annotations | object | `{}` |  |
-| crds.conversion.enabled | bool | `true` |  |
+| crds.conversion.enabled | bool | `true` | If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
 | crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
 | crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
 | crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |

+ 1 - 0
deploy/charts/external-secrets/values.yaml

@@ -43,6 +43,7 @@ crds:
   createPushSecret: true
   annotations: {}
   conversion:
+    # -- If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
     enabled: true
 
 imagePullSecrets: []
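Review bot: The new `# --` comment on `crds.conversion.enabled` is a single line of roughly 150 characters; helm-docs should pick up continuation lines that begin with `#`, so it can be wrapped as `# -- If the webhook is disabled this must also be false, otherwise the` / `# apiserver is hammered because conversion keeps looking for a webhook endpoint.` It would also help to name the exact `webhook` value the sentence depends on, since "webhook is set to false" does not identify a key in this file.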