chore: release-please uses gh app to authenticate#1164
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
Disabled knowledge base sources:
📝 WalkthroughWalkthroughThe release workflow now generates a GitHub App installation token and uses it (via the step output) for release-please and image tagging, and the job exposes ChangesRelease Workflow Authentication
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the GitHub Actions release workflow to authenticate release-please (and subsequent tagging steps) using a GitHub App installation token instead of a static personal/access token secret.
Changes:
- Add a step to generate a GitHub App token via
actions/create-github-app-token@v2. - Switch
googleapis/release-please-action@v4to use the generated App token. - Switch the
Tag Imagesstep to use the generated App token viaGITHUB_TOKEN.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| build-app: |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yaml (1)
8-10:⚠️ Potential issue | 🟠 MajorRestrict both GITHUB_TOKEN and GitHub App token scopes in release.yaml
- The workflow-level
permissionsgrantcontents: writeandpull-requests: write, and thereleasejob doesn’t override them—so the defaultGITHUB_TOKENfor this job is still writable.actions/create-github-app-token@v2is created without anypermission-*inputs, so the GitHub App token inherits the App installation’s full granted permissions.actions/checkout@v4uses defaultpersist-credentials: true, which can leave the writableGITHUB_TOKENconfigured in git.Harden by setting the
releasejob’spermissionsto the minimum needed for the default token (often read-only), setpersist-credentials: falseon checkout, and add explicitpermission-*inputs tocreate-github-app-token@v2for only the scopes required byrelease-please-action/tagging.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yaml around lines 8 - 10, The workflow grants broad repo token scopes at workflow level; update the release job to restrict the default GITHUB_TOKEN to the minimum needed (e.g., set job-level permissions to read-only like contents: read and only add write where strictly required), set actions/checkout@v4 step to persist-credentials: false, and add explicit permission-* inputs to actions/create-github-app-token@v2 to only request the exact scopes used by release-please/tagging (reference the release job name, the actions/checkout@v4 step, and actions/create-github-app-token@v2 to locate where to apply these changes).Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yaml:
- Line 29: The workflow currently references third-party actions by floating
tags; update both actions (`actions/create-github-app-token@v2` and
`googleapis/release-please-action@v4`) to pin them to the exact commit SHAs you
trust by replacing the tag references with their corresponding commit SHA refs
(e.g., `actions/create-github-app-token@<commit-sha>` and
`googleapis/release-please-action@<commit-sha>`), ensuring you fetch the
upstream commit SHAs from the official repos and use those SHAs in the workflow.
---
Outside diff comments:
In @.github/workflows/release.yaml:
- Around line 8-10: The workflow grants broad repo token scopes at workflow
level; update the release job to restrict the default GITHUB_TOKEN to the
minimum needed (e.g., set job-level permissions to read-only like contents: read
and only add write where strictly required), set actions/checkout@v4 step to
persist-credentials: false, and add explicit permission-* inputs to
actions/create-github-app-token@v2 to only request the exact scopes used by
release-please/tagging (reference the release job name, the actions/checkout@v4
step, and actions/create-github-app-token@v2 to locate where to apply these
changes).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 876b8399-52ba-4135-b7a4-fe76da60c3f1
📒 Files selected for processing (1)
.github/workflows/release.yaml
|
|
||
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v2 |
There was a problem hiding this comment.
SHA-pin privileged actions in release workflow
.github/workflows/release.yaml mints a GitHub App token and uses it in the same job; the third-party actions are currently referenced by floating tags (not commit SHAs):
actions/create-github-app-token@v2googleapis/release-please-action@v4
Pin both to the exact upstream commit SHAs you intend to trust.
🔒 Suggested fix
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@<full-commit-sha>
...
- uses: googleapis/release-please-action@v4
+ uses: googleapis/release-please-action@<full-commit-sha>🧰 Tools
🪛 zizmor (1.25.2)
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yaml at line 29, The workflow currently references
third-party actions by floating tags; update both actions
(`actions/create-github-app-token@v2` and `googleapis/release-please-action@v4`)
to pin them to the exact commit SHAs you trust by replacing the tag references
with their corresponding commit SHA refs (e.g.,
`actions/create-github-app-token@<commit-sha>` and
`googleapis/release-please-action@<commit-sha>`), ensuring you fetch the
upstream commit SHAs from the official repos and use those SHAs in the workflow.
Summary by CodeRabbit