ci: use GitHub App token to trigger CI on version PR #476
Replace GITHUB_TOKEN with a GitHub App token so that the version PR can trigger CI workflows. GITHUB_TOKEN cannot trigger workflows by design (to prevent infinite loops). Requires APP_ID variable and APP_PRIVATE_KEY secret to be configured.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Runner as Actions Runner
    participant CreateToken as create-github-app-token@v2
    participant GitHub as GitHub API
    participant Steps as Publish / Auto-merge Steps
    Runner ->> CreateToken: invoke action (app id, private key)
    CreateToken ->> GitHub: request app installation token
    GitHub -->> CreateToken: return token
    CreateToken -->> Runner: output token (GITHUB_TOKEN, GH_TOKEN)
    Runner ->> Steps: run publish/auto-merge with generated tokens
    Steps ->> GitHub: perform publish / create PR / merge using app token
```
Actionable comments posted: 1

Prompt for AI agents (fix all issues):
In @.github/workflows/release-prepare.yml, around lines 37-44: the workflow step with id "app-token" currently uses actions/create-github-app-token@v1; update it to the v2 release pinned to a full commit SHA instead of a floating tag to follow security hardening. Replace the "uses: actions/create-github-app-token@v1" line in the "Generate GitHub App Token" step with the v2 equivalent pinned to the specific commit SHA (e.g., actions/create-github-app-token@<full-commit-sha>) so the action is on the v2 code but immutable.
Files selected for processing (1): .github/workflows/release-prepare.yml

Additional comments (2) on .github/workflows/release-prepare.yml:
Line 57: LGTM! Correct token replacement for triggering CI. The App token will allow the version PR to trigger CI workflows, which is the intended behavior and resolves the limitation of GITHUB_TOKEN.

Line 65: LGTM! Consistent token usage for auto-merge. The App token is correctly used for the gh CLI command. Ensure the GitHub App has the pull_requests: write permission configured (mentioned as already set up in the prerequisites).
| # Generate GitHub App token to allow version PR to trigger CI workflows | ||
| # (GITHUB_TOKEN cannot trigger workflows by design) | ||
| - name: Generate GitHub App Token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v1 | ||
| with: | ||
| app-id: ${{ vars.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} |
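Review bot: the token minted in this step carries every permission the App installation holds, because the `with:` block passes only `app-id` and `private-key` and nothing narrows the scope; since the step comment says the loop guard on `GITHUB_TOKEN` is being bypassed on purpose, scope the token to what the publish and auto-merge steps actually need (recent releases of the action accept `repositories` and `permission-*` inputs, e.g. `permission-contents: write` and `permission-pull-requests: write`) and confirm that release-prepare's own triggers cannot fire on the version PR or branch this token creates, so the infinite loop the comment mentions is not reintroduced.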
Analysis chain

Web query: actions/create-github-app-token latest version releases GitHub Actions
Result: The current released major version is v2 — use actions/create-github-app-token@v2. [1][2]
Sources:
[1] actions/create-github-app-token (GitHub repo).
[2] Create GitHub App Token (GitHub Marketplace).
Web query: GitHub Actions version pinning best practices floating tags security
Result: Concise best practices for pinning GitHub Actions and avoiding floating-tag risks:
- Pin to a full commit SHA (immutable) whenever possible — SHA pinning is the strongest protection against tag moves/compromise. (docs.github.com)
- Avoid floating refs like @main, @master, @latest or loose major tags (e.g., @V3) for third‑party actions; they can change unexpectedly. (docs.github.com)
- If you must use tags for convenience, prefer immutable/release tags from trusted/verified creators and record the corresponding SHA in a comment. (docs.github.com)
- Enforce org/repo policies that require SHA pinning or block unpinned/floating actions (use Allowed Actions / reusable-workflows policy). (docs.github.com)
- Automate safe updates: use Dependabot / Renovate or pinning tools to raise PRs that update SHAs so changes are reviewed before merging. (github.com)
- Restrict runtime blast radius: least‑privilege GITHUB_TOKEN permissions, avoid passing secrets to untrusted actions, and require approvals for sensitive workflows/environments. (docs.github.com)
- Audit action code (or favor official/verified authors) and monitor for security advisories or compromises. (docs.github.com)
Example (recommended):
- uses: actions/checkout@ # vX.Y.Z
If you want, I can: scan a repo/workflows for floating tags and produce a PR-ready list of replacements (SHAs + comments).
Citations:
- 1: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 2: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 3: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 4: https://docs.github.com/enterprise-cloud%40latest/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 5: For actions that are pinned-by-hash, bump the human readable version number in the code comment dependabot/dependabot-core#4691
- 6: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 7: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?utm_source=openai
Upgrade to actions/create-github-app-token@v2 and pin to a specific commit SHA.
The action is using @v1, which is outdated; the current released version is @v2. More importantly, using floating major version tags (whether @v1 or @v2) carries security risks. Per GitHub's security hardening guidelines, pin to a full commit SHA for immutability and to prevent unexpected behavior from tag updates. Example:
uses: actions/create-github-app-token@<full-commit-sha> # v2.Y.Z
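The check the review comment above is asking for, and the one the best-practice list offers to automate, as an added example (not part of this PR or the CodeRabbit review): it walks every `uses:` reference in a workflow, classifies each as a 40-hex commit SHA, a floating tag or branch, or a local/docker action with nothing to pin, and flags SHA pins that lack the `# vX.Y.Z` comment. The workflow excerpt is constructed to mirror this PR's step; the `example-org` action names and the SHAs are made up.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the step added in this PR; the example-org
# action names and the commit SHAs are made up for this example.
SAMPLE_WORKFLOW = """\
steps:
  - name: Generate GitHub App Token
    uses: actions/create-github-app-token@v1
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
  - name: Pinned and documented
    uses: example-org/pinned-action@abcdefabcdefabcdefabcdefabcdefabcdefabcd  # v2.3.4
  - name: Pinned but no version comment
    uses: example-org/undocumented-pin@0123456789abcdef0123456789abcdef01234567
  - name: Local composite action (nothing to pin)
    uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA: immutable pin
VERSION_COMMENT_RE = re.compile(r"#\s*v\d+(\.\d+)*")  # the human-readable "# vX.Y.Z"

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str  # "sha", "sha-no-version-comment", "floating" or "local"

def audit_uses(workflow_text):
    # Classify every `uses:` reference by how it is pinned.
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2) or ""
        if target.startswith("./") or target.startswith("docker://"):
            findings.append(Finding(lineno, target, "", "local"))  # nothing to pin
            continue
        action, _, ref = target.partition("@")
        if SHA_RE.fullmatch(ref):
            status = "sha" if VERSION_COMMENT_RE.search(comment) else "sha-no-version-comment"
        else:
            status = "floating"  # tag or branch: can be moved or re-pointed later
        findings.append(Finding(lineno, action, ref, status))
    return findings

def floating_actions(workflow_text):
    # The `owner/repo@ref` strings that still need a commit-SHA pin.
    return [f"{f.action}@{f.ref}" for f in audit_uses(workflow_text) if f.status == "floating"]
```

Run against the constructed excerpt, `floating_actions` reports exactly the `actions/create-github-app-token@v1` line this review flags, while the undocumented SHA pin is reported separately so the missing version comment can be added.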
Summary
- … GITHUB_TOKEN for the changesets action
- GITHUB_TOKEN cannot trigger workflows by design (prevents infinite loops)

Changes
- … actions/create-github-app-token@v1 step to generate token
- … changesets/action to use the app token

Prerequisites
Already configured:
- … openspec-release-bot)
- APP_ID variable added
- APP_PRIVATE_KEY secret added

Expected Flow After Merge

Test plan

Generated with Claude Code