
ci(release): authenticate semantic-release via Flanksource GitHub App #323

Open

moshloop wants to merge 1 commit into master from fix/release-github-app-auth

Conversation

@moshloop (Member) commented Jun 29, 2026
Problem

The Create Release workflow has been failing on push to master — the semantic-release job dies at job setup with Repository access blocked, and the default GITHUB_TOKEN cannot push release tags / create releases under current org policy. As a result no semver tag is cut (latest release is still v1.53.1, even though master carries newer commits such as the HAR body-key redaction feature).

This blocks downstream consumers that need a tagged release of those commits (e.g. har.HARConfig.RedactedBodyKeys).

Change

Mint a GitHub App installation token via actions/create-github-app-token@v3.2.0 from the Flanksource App credentials (FLANKSOURCE_APP_ID / FLANKSOURCE_APP_SECRET) and use it for both the checkout and the semantic-release step, replacing secrets.GITHUB_TOKEN.

Notes / follow-ups

  • Assumes FLANKSOURCE_APP_ID and FLANKSOURCE_APP_SECRET are available as repo/org secrets and the App is installed on flanksource/commons with contents: write. If APP_ID is stored as a variable instead, change secrets.FLANKSOURCE_APP_ID to vars.FLANKSOURCE_APP_ID.
  • The bump-clients and hx-upload-release jobs still use secrets.FLANKBOT / secrets.GITHUB_TOKEN; left unchanged since they only run after a release is published. Can be migrated to the App token in a follow-up if FLANKBOT is also being retired.

Summary by CodeRabbit

  • Chores
    • Improved the release process to use a GitHub App token for publishing, helping releases and tags complete more reliably under organization policies.

The Create Release workflow failed at job setup with "Repository access
blocked" and the default GITHUB_TOKEN cannot push release tags / create
releases under current org policy, so no semver tag was being cut on push
to master.

Mint a GitHub App installation token (actions/create-github-app-token) from
the Flanksource App credentials (FLANKSOURCE_APP_ID / FLANKSOURCE_APP_SECRET)
and use it for both the checkout and the semantic-release step.
@coderabbitai (Bot) commented Jun 29, 2026

Walkthrough

The release.yml workflow adds a step to mint a GitHub App installation token using FLANKSOURCE_APP_ID and FLANKSOURCE_APP_SECRET secrets, then updates both actions/checkout and codfish/semantic-release-action to use that token instead of the default GITHUB_TOKEN.

Changes

Release Workflow Token Update

Layer / File(s): GitHub App token minting and wiring (.github/workflows/release.yml)
Summary: Adds a tibdex/github-app-token step to generate an installation token, then passes it to actions/checkout and sets it as GITHUB_TOKEN for the semantic-release action.
Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main change: switching semantic-release authentication to a Flanksource GitHub App token.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@github-actions (Bot)

Gavel summary

| Source | Pass | Fail | Skip | Duration |
|---|---|---|---|---|
| github.com/flanksource/commons/http | 92 | 3 | 2 | 13.0s |
| lint: golangci-lint | 0 | 1 | 0 | 604.137µs |
| collections | 49 | 0 | 0 | 3.0s |
| files | 41 | 0 | 0 | 99ms |
| github.com/flanksource/commons/certs | 4 | 0 | 0 | 360ms |
| github.com/flanksource/commons/cmd/hx | 8 | 0 | 0 | - |
| github.com/flanksource/commons/cmd/hx/parse | 26 | 0 | 0 | - |
| github.com/flanksource/commons/collections/syncmap | 10 | 0 | 0 | - |
| github.com/flanksource/commons/context | 1 | 0 | 0 | - |
| github.com/flanksource/commons/duration | 2 | 0 | 0 | - |
| github.com/flanksource/commons/files | 16 | 0 | 0 | - |
| github.com/flanksource/commons/har | 30 | 0 | 0 | 20ms |
| github.com/flanksource/commons/hash | 13 | 0 | 0 | - |
| github.com/flanksource/commons/logger | 40 | 0 | 0 | 10ms |
| github.com/flanksource/commons/logger/httpretty/internal/color | 15 | 0 | 0 | - |
| github.com/flanksource/commons/logger/httpretty/internal/header | 1 | 0 | 0 | - |
| github.com/flanksource/commons/lookup | 7 | 0 | 0 | - |
| github.com/flanksource/commons/test | 5 | 0 | 1 | 10ms |
| github.com/flanksource/commons/text | 1 | 0 | 0 | - |
| github.com/flanksource/commons/tokenizer | 3 | 0 | 0 | - |
| lint: betterleaks | 0 | 0 | 1 | - |
| logger | 41 | 0 | 0 | 1ms |
| set | 7 | 0 | 0 | 552.288µs |

Totals: 412 passed · 4 failed · 4 skipped · 16.5s

Failing tests

github.com/flanksource/commons/http — TestHTTP/Host_Header

06:42:42.382 INF GET https://54.173.41.1/headers
> Host: httpbin.org
> Accept: */*
> User-Agent: flanksource-commons/0
... (16 more lines truncated)

github.com/flanksource/commons/http — TestHTTP/No_Auth

http_test.go:187: invalid character '<' looking for beginning of value
    http_test.go:192: Expected response headers map[]

github.com/flanksource/commons/http — TestHTTP

Failing linters

golangci-lint — error

golangci-lint execution failed: fork/exec /home/runner/work/commons/commons/.gavel/golangci-lint: exec format error
Output:


@coderabbitai (Bot) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 22-35: Add an explicit permissions block for the release
job/workflow so the default repository-scoped GITHUB_TOKEN is disabled now that
the release steps use the GitHub App token. Update the workflow around the
actions/create-github-app-token, actions/checkout, and
codfish/semantic-release-action steps to grant only the minimum permissions
needed for release, ensuring no implicit extra permissions remain available.
- Around line 22-27: The GitHub App token created in the release workflow is too
broadly scoped for this job. Update the Generate GitHub App token step to
request only repository contents access by adding the appropriate contents write
permission on the actions/create-github-app-token use, so the token is limited
to the release path. Refer to the app-token step in the release workflow and
keep the rest of the release job unchanged.
- Around line 29-31: Set actions/checkout in the release workflow to avoid
persisting the App token in the local git config. Update the checkout step in
the release job to include persist-credentials: false alongside the existing
token input, since semantic-release already uses GITHUB_TOKEN and should not
rely on credentials written by checkout. Use the actions/checkout step in
release.yml as the place to make this change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e4d9a897-d210-42fa-9256-17fd558c34aa

📥 Commits

Reviewing files that changed from the base of the PR and between 516bc6d and 33419da.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Comment on lines +22 to +27
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
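Review bot: the private-key input on this step expects the App's PEM-encoded private key, yet the secret is named FLANKSOURCE_APP_SECRET, which reads like an OAuth client secret; confirm the secret actually holds the PEM and consider naming it FLANKSOURCE_APP_PRIVATE_KEY so the two are not confused during rotation. Since no owner or repositories inputs are given, the minted token is scoped to this repository only, which is all the release job needs.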


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the pinned action supports permission-scoped inputs.
curl -fsSL https://raw.githubusercontent.com/actions/create-github-app-token/v3.2.0/action.yml \
  | grep -A3 -n 'permission-contents'

Repository: flanksource/commons

Length of output: 609


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6318


Narrow the GitHub App token to contents: write. This release job only needs repository contents access for tag and release writes, but the App token currently inherits every permission on the installation. Pass permission-contents: write here to keep the token scoped to the release path.

Proposed change
       - name: Generate GitHub App token
         id: app-token
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
           private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
+          permission-contents: write
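Review bot: contents: write covers the tag and the release itself, but @semantic-release/github by default also posts success and failure comments on the issues and pull requests included in a release, which needs issues: write and pull-requests: write. With only permission-contents: write those calls are rejected and the plugin's success step reports errors after the release has already been published; either add permission-issues: write and permission-pull-requests: write here, or set successComment and failComment to false in the semantic-release configuration so the narrower token is sufficient.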
🧰 Tools
🪛 zizmor (1.26.1)

[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 22 - 27, The GitHub App token
created in the release workflow is too broadly scoped for this job. Update the
Generate GitHub App token step to request only repository contents access by
adding the appropriate contents write permission on the
actions/create-github-app-token use, so the token is limited to the release
path. Refer to the app-token step in the release workflow and keep the rest of
the release job unchanged.

Source: Linters/SAST tools

Comment on lines +22 to +35
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
token: ${{ steps.app-token.outputs.token }}
- uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
id: semantic
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable the unused default GITHUB_TOKEN permissions.

Now that release writes use the App token, add an explicit job/workflow permissions block so the implicit token is not available with repository defaults.

Proposed change
   semantic-release:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       release-version: ${{ steps.semantic.outputs.release-version }}
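Review bot: permissions: {} also removes contents: read from secrets.GITHUB_TOKEN, which is fine only because checkout now receives the App token explicitly; any other step in this job that still falls back to the default token will fail with a 403 from now on rather than silently running with repository-default scopes. The downstream jobs that consume release-version (bump-clients and hx-upload-release per the description) keep their own permissions, so this job-level block does not affect them.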
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 8-35: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 22 - 35, Add an explicit
permissions block for the release job/workflow so the default repository-scoped
GITHUB_TOKEN is disabled now that the release steps use the GitHub App token.
Update the workflow around the actions/create-github-app-token,
actions/checkout, and codfish/semantic-release-action steps to grant only the
minimum permissions needed for release, ensuring no implicit extra permissions
remain available.

Source: Linters/SAST tools

Comment on lines 29 to +31
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
token: ${{ steps.app-token.outputs.token }}
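Review bot: persist-credentials: false is safe to add here because semantic-release never uses the credential that checkout writes into .git/config; it builds its own authenticated push URL from the GITHUB_TOKEN env var on the following step. Leaving the default means the App token sits in .git/config for every later step in the job and in anything that archives the workspace.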


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the pinned checkout action's persist-credentials default.
curl -fsSL https://raw.githubusercontent.com/actions/checkout/v4.1.6/action.yml \
  | grep -A6 -n 'persist-credentials'

Repository: flanksource/commons

Length of output: 508


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant workflow section with line numbers.
sed -n '1,120p' .github/workflows/release.yml | cat -n

# Look for how the semantic-release action is configured.
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6133


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the checkout action's documented behavior and the release workflow's surrounding steps.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/release.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if 1 <= i <= 120:
        print(f"{i:4d}: {line}")
PY

Repository: flanksource/commons

Length of output: 5284


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,120p' .github/workflows/release.yml | cat -n
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6133


🌐 Web query:

codfish/semantic-release-action GITHUB_TOKEN checkout persist-credentials false git push authentication

💡 Result:

When using plugins like @semantic-release/git in GitHub Actions, setting persist-credentials: false in the actions/checkout step is a necessary configuration to allow semantic-release to use a custom authentication token [1][2][3]. By default, actions/checkout automatically populates the local git configuration with the repository's default GITHUB_TOKEN [4][1]. If you need to perform git operations that the default token cannot handle—such as pushing to a protected branch—you must provide a custom token (e.g., a Personal Access Token or a GitHub App token) [5][6][7]. If persist-credentials is left at its default value (true), the actions/checkout step will persist the default GITHUB_TOKEN in the local git config, which takes precedence and causes your custom authentication to be ignored [4][2][7]. Setting it to false prevents this, ensuring that git uses the credentials you explicitly provide in your environment variables or configuration for semantic-release [6][7]. For secure implementations on protected branches, official documentation and community best practices recommend using a GitHub App token rather than a Personal Access Token (PAT) [8][7]. GitHub App tokens provide fine-grained permissions and short-lived credentials, which are more secure than long-lived PATs [7]. Summary of the required configuration: - In your GitHub Actions workflow, set persist-credentials: false in the actions/checkout step [1][2]. - Use a custom token (via GitHub App or PAT) with appropriate permissions for pushing [6][7]. - Pass this token to semantic-release via the GITHUB_TOKEN environment variable [4][6].


Set persist-credentials: false on checkout. actions/checkout writes the App token into .git/config by default; semantic-release already gets the same token via GITHUB_TOKEN, so there’s no need to persist it here. .github/workflows/release.yml:29-35

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 29 - 31, Set actions/checkout in
the release workflow to avoid persisting the App token in the local git config.
Update the checkout step in the release job to include persist-credentials:
false alongside the existing token input, since semantic-release already uses
GITHUB_TOKEN and should not rely on credentials written by checkout. Use the
actions/checkout step in release.yml as the place to make this change.

Source: Linters/SAST tools
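The release job with all three review findings applied, written here as an added example rather than the project's own release.yml: the job name, secret names and pinned action versions are taken from the discussion above, while the extra issues and pull-requests scopes are an assumption that only holds if the @semantic-release/github success and failure comments stay enabled and the App installation grants them.

```yaml
# Added example, not the project's release.yml. Job name, secrets and pinned
# actions come from the PR discussion; everything else is assumed.
jobs:
  semantic-release:
    runs-on: ubuntu-latest
    # Review finding: strip every scope from the implicit GITHUB_TOKEN. Any
    # step that still relied on it now fails with 403 instead of silently
    # running with repository-default permissions.
    permissions: {}
    outputs:
      release-version: ${{ steps.semantic.outputs.release-version }}
    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
          private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} # the App's PEM private key
          # Review finding: request only the scopes tag and release creation
          # need instead of inheriting everything granted to the installation.
          # No owner/repositories inputs, so the token covers this repo only.
          permission-contents: write
          # Assumed: only required while @semantic-release/github still posts
          # success/failure comments on issues and PRs. Minting fails if the
          # installation was not granted these scopes, so drop them otherwise.
          permission-issues: write
          permission-pull-requests: write

      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          token: ${{ steps.app-token.outputs.token }}
          # Review finding: do not write the App token into .git/config.
          # semantic-release builds its own authenticated push URL from the
          # GITHUB_TOKEN env var below, so a persisted credential would only
          # widen exposure to later steps and to archived workspaces.
          persist-credentials: false

      - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
        id: semantic
        env:
          # The App installation token replaces secrets.GITHUB_TOKEN here.
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```

The action revokes the installation token in a post step when the job ends (unless skip-token-revoke is set), so the credential's lifetime is bounded to this job even before its one-hour expiry.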
