ci(release): authenticate semantic-release via Flanksource GitHub App#323
moshloop wants to merge 1 commit into
Conversation
The Create Release workflow failed at job setup with "Repository access blocked" and the default GITHUB_TOKEN cannot push release tags / create releases under current org policy, so no semver tag was being cut on push to master. Mint a GitHub App installation token (actions/create-github-app-token) from the Flanksource App credentials (FLANKSOURCE_APP_ID / FLANKSOURCE_APP_SECRET) and use it for both the checkout and the semantic-release step.
Gavel summary
Totals: 412 passed · 4 failed · 4 skipped · 16.5s
Failing tests:
github.com/flanksource/commons/http — TestHTTP/Host_Header
github.com/flanksource/commons/http — TestHTTP/No_Auth
github.com/flanksource/commons/http — TestHTTP
Failing linters:
golangci-lint — error
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 22-35: Add an explicit permissions block for the release
job/workflow so the default repository-scoped GITHUB_TOKEN is disabled now that
the release steps use the GitHub App token. Update the workflow around the
actions/create-github-app-token, actions/checkout, and
codfish/semantic-release-action steps to grant only the minimum permissions
needed for release, ensuring no implicit extra permissions remain available.
- Around line 22-27: The GitHub App token created in the release workflow is too
broadly scoped for this job. Update the Generate GitHub App token step to
request only repository contents access by adding the appropriate contents write
permission on the actions/create-github-app-token use, so the token is limited
to the release path. Refer to the app-token step in the release workflow and
keep the rest of the release job unchanged.
- Around line 29-31: Set actions/checkout in the release workflow to avoid
persisting the App token in the local git config. Update the checkout step in
the release job to include persist-credentials: false alongside the existing
token input, since semantic-release already uses GITHUB_TOKEN and should not
rely on credentials written by checkout. Use the actions/checkout step in
release.yml as the place to make this change.
📒 Files selected for processing (1)
.github/workflows/release.yml
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | ||
| with: | ||
| app-id: ${{ secrets.FLANKSOURCE_APP_ID }} | ||
| private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} |
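Review bot: with no `permission-*` input beside `app-id`/`private-key`, the token this step emits carries every permission the Flanksource App installation holds, not only what cutting a tag and a release needs; add `permission-contents: write` (the pinned v3.2.0 exposes that input). Two points for whoever maintains the secrets: `FLANKSOURCE_APP_SECRET` must contain the App's PEM private key, not a client secret, and the installation token the step returns is short-lived and revoked by the action's post step unless `skip-token-revoke` is set, so the private key is the only long-lived credential this job handles.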
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the pinned action supports permission-scoped inputs.
curl -fsSL https://raw.githubusercontent.com/actions/create-github-app-token/v3.2.0/action.yml \
  | grep -A3 -n 'permission-contents'
Repository: flanksource/commons
Length of output: 609
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '1,220p' .github/workflows/release.yml
Repository: flanksource/commons
Length of output: 6318
Narrow the GitHub App token to contents: write. This release job only needs repository contents access for tag and release writes, but the App token currently inherits every permission on the installation. Pass permission-contents: write here to keep the token scoped to the release path.
Proposed change
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
+ permission-contents: write
🧰 Tools
🪛 zizmor (1.26.1)
[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
Source: Linters/SAST tools
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | ||
| with: | ||
| app-id: ${{ secrets.FLANKSOURCE_APP_ID }} | ||
| private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} | ||
|
|
||
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
| with: | ||
| token: ${{ steps.app-token.outputs.token }} | ||
| - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0 | ||
| id: semantic | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} |
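Review bot: replacing `secrets.GITHUB_TOKEN` with the App token in `env.GITHUB_TOKEN` changes event behaviour as well as authorization: tags and releases created with the default GITHUB_TOKEN do not trigger other workflows, while ones created with an App installation token do, so check that nothing else in this repository runs on tag pushes or `release` events in a way that re-enters this workflow. And with the job still on default permissions, the implicit GITHUB_TOKEN stays available to every step even though no step should need it now; `permissions: {}` on the job closes that.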
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable the unused default GITHUB_TOKEN permissions.
Now that release writes use the App token, add an explicit job/workflow permissions block so the implicit token is not available with repository defaults.
Proposed change
semantic-release:
runs-on: ubuntu-latest
+ permissions: {}
outputs:
release-version: ${{ steps.semantic.outputs.release-version }}
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 8-35: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block
(excessive-permissions)
[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
Source: Linters/SAST tools
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
| with: | ||
| token: ${{ steps.app-token.outputs.token }} |
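Review bot: `token:` is only needed for the clone, but left at the default `persist-credentials: true` actions/checkout also writes the App token into `.git/config` as an `http.extraheader`, where any later step or uploaded workspace artifact can read it; add `persist-credentials: false`, since semantic-release receives the same token through `GITHUB_TOKEN`. Separately, no `fetch-depth` is set, so this is a depth-1 clone; semantic-release computes the next version from existing tags and its GitHub Actions recipe uses `fetch-depth: 0`, so either confirm the action fetches tags itself or add that input.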
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the pinned checkout action's persist-credentials default.
curl -fsSL https://raw.githubusercontent.com/actions/checkout/v4.1.6/action.yml \
  | grep -A6 -n 'persist-credentials'
Repository: flanksource/commons
Length of output: 508
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant workflow section with line numbers.
sed -n '1,120p' .github/workflows/release.yml | cat -n
# Look for how the semantic-release action is configured.
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.yml
Repository: flanksource/commons
Length of output: 6133
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the checkout action's documented behavior and the release workflow's surrounding steps.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/release.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
if 1 <= i <= 120:
print(f"{i:4d}: {line}")
PY
Repository: flanksource/commons
Length of output: 5284
🌐 Web query:
codfish/semantic-release-action GITHUB_TOKEN checkout persist-credentials false git push authentication
💡 Result:
When using plugins like @semantic-release/git in GitHub Actions, setting persist-credentials: false in the actions/checkout step is a necessary configuration to allow semantic-release to use a custom authentication token [1][2][3]. By default, actions/checkout automatically populates the local git configuration with the repository's default GITHUB_TOKEN [4][1]. If you need to perform git operations that the default token cannot handle—such as pushing to a protected branch—you must provide a custom token (e.g., a Personal Access Token or a GitHub App token) [5][6][7]. If persist-credentials is left at its default value (true), the actions/checkout step will persist the default GITHUB_TOKEN in the local git config, which takes precedence and causes your custom authentication to be ignored [4][2][7]. Setting it to false prevents this, ensuring that git uses the credentials you explicitly provide in your environment variables or configuration for semantic-release [6][7]. For secure implementations on protected branches, official documentation and community best practices recommend using a GitHub App token rather than a Personal Access Token (PAT) [8][7]. GitHub App tokens provide fine-grained permissions and short-lived credentials, which are more secure than long-lived PATs [7]. Summary of the required configuration: - In your GitHub Actions workflow, set persist-credentials: false in the actions/checkout step [1][2]. - Use a custom token (via GitHub App or PAT) with appropriate permissions for pushing [6][7]. - Pass this token to semantic-release via the GITHUB_TOKEN environment variable [4][6].
Citations:
- 1: https://github.com/semantic-release/semantic-release/blob/master/docs/recipes/ci-configurations/github-actions.md
- 2: https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions
- 3: Docs on GitHub Actions recipe can be improved on @semantic-release/git plugin semantic-release/semantic-release#1625
- 4: semantic-release(/git) not using GH_TOKEN semantic-release/git#196
- 5: https://github.com/cycjimmy/semantic-release-action
- 6: unable to push git tag on protected branch with required status checks semantic-release/semantic-release#2557
- 7: https://zenn.dev/wakamsha/articles/semantic-release-and-protected-branches?locale=en
- 8: https://semantic-release.org/recipes/ci-configurations/github-actions/
Set persist-credentials: false on checkout. actions/checkout writes the App token into .git/config by default; semantic-release already gets the same token via GITHUB_TOKEN, so there’s no need to persist it here. .github/workflows/release.yml:29-35
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
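Pulling the three findings above together, this is the shape of the release job with all of them applied. It is an added example written for this review, not a committed version of flanksource/commons' release.yml: the job name, outputs and pinned action SHAs are copied from the hunks on this page, `permissions: {}`, `permission-contents: write` and `persist-credentials: false` are the three review suggestions, `fetch-depth: 0` is an extra assumption taken from the semantic-release GitHub Actions recipe, and the whole thing assumes the Flanksource App is installed on the repository with contents: write, as the PR description states.

```yaml
jobs:
  semantic-release:
    runs-on: ubuntu-latest
    # Drop the implicit GITHUB_TOKEN entirely; every write goes through the App token.
    permissions: {}
    outputs:
      release-version: ${{ steps.semantic.outputs.release-version }}
    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
          private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
          # Request only what tag and release creation needs, not the whole installation.
          permission-contents: write
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          token: ${{ steps.app-token.outputs.token }}
          # Do not leave the App token in .git/config for later steps or uploaded artifacts.
          persist-credentials: false
          # Assumption: semantic-release needs the tag history to compute the next version.
          fetch-depth: 0
      - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
        id: semantic
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```

The token minted by the first step is revoked in that action's post step by default, so nothing long-lived leaves the job; the private key in `FLANKSOURCE_APP_SECRET` remains the credential to protect.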
Problem

The Create Release workflow has been failing on push to master — the semantic-release job dies at job setup with Repository access blocked, and the default GITHUB_TOKEN cannot push release tags / create releases under current org policy. As a result no semver tag is cut (latest release is still v1.53.1, even though master carries newer commits such as the HAR body-key redaction feature). This blocks downstream consumers that need a tagged release of those commits (e.g. har.HARConfig.RedactedBodyKeys).

Change

Mint a GitHub App installation token via actions/create-github-app-token@v3.2.0 from the Flanksource App credentials (FLANKSOURCE_APP_ID / FLANKSOURCE_APP_SECRET) and use it for both the checkout and the semantic-release step, replacing secrets.GITHUB_TOKEN.

Notes / follow-ups

FLANKSOURCE_APP_ID and FLANKSOURCE_APP_SECRET are available as repo/org secrets and the App is installed on flanksource/commons with contents: write. If APP_ID is stored as a variable instead, change secrets.FLANKSOURCE_APP_ID → vars.FLANKSOURCE_APP_ID.

bump-clients and hx-upload-release jobs still use secrets.FLANKBOT / secrets.GITHUB_TOKEN; left unchanged since they only run after a release is published. Can be migrated to the App token in a follow-up if FLANKBOT is also being retired.
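What "mint a GitHub App installation token" in the description actually involves, as an added example in Go (the project's language) and not code from flanksource/commons or from actions/create-github-app-token: the App ID and private key sign a short-lived RS256 JWT, and that JWT is presented to `POST /app/installations/{installation_id}/access_tokens`, whose optional body is where the `permission-contents: write` narrowing discussed above is applied. The key and the App ID `12345` are generated and made up here so the block runs offline; the HTTP call itself is shown only as the request body it would send.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// appJWTClaims is the payload GitHub expects in an App JWT: issued-at, expiry
// (at most 10 minutes ahead) and the App ID or client ID as issuer.
type appJWTClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAppJWT signs the RS256 JWT that authenticates as the App itself; this is
// what actions/create-github-app-token does with app-id and private-key.
func NewAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(appJWTClaims{
		Iat: now.Add(-60 * time.Second).Unix(), // backdated to tolerate clock skew
		Exp: now.Add(9 * time.Minute).Unix(),   // GitHub rejects exp more than 10 min out
		Iss: appID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT checks signature, expiry and the 10-minute lifetime cap the way
// the API does before it will exchange the JWT for an installation token.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (*appJWTClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c appJWTClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp <= now.Unix() {
		return nil, errors.New("JWT expired")
	}
	if c.Exp-c.Iat > 600 {
		return nil, errors.New("JWT lifetime exceeds 10 minutes")
	}
	return &c, nil
}

// InstallationTokenRequest is the body of the access_tokens call (sent with the
// JWT as a Bearer token). Listing repositories and permissions narrows the
// one-hour token it returns; an empty body yields a token with every permission
// the installation has, which is what zizmor's github-app finding warns about.
type InstallationTokenRequest struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// ScopedTokenRequestBody builds the narrowing body; permission-contents: write
// in the workflow corresponds to {"permissions":{"contents":"write"}} here.
func ScopedTokenRequestBody(repo string, perms map[string]string) ([]byte, error) {
	return json.Marshal(InstallationTokenRequest{Repositories: []string{repo}, Permissions: perms})
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for FLANKSOURCE_APP_SECRET
	if err != nil {
		panic(err)
	}
	now := time.Now()
	jwt, err := NewAppJWT("12345", key, now) // 12345 is a made-up App ID
	if err != nil {
		panic(err)
	}
	claims, err := VerifyAppJWT(jwt, &key.PublicKey, now)
	if err != nil {
		panic(err)
	}
	body, _ := ScopedTokenRequestBody("commons", map[string]string{"contents": "write"})
	fmt.Printf("iss=%s lifetime=%ds\nrequest body: %s\n", claims.Iss, claims.Exp-claims.Iat, body)
}
```

The verifier side is included so the lifetime and signature rules are checkable locally; against the real API, the JWT goes in the `Authorization: Bearer` header of the access_tokens call and the `ghs_` token in the response is what the workflow step exposes as `steps.app-token.outputs.token`.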