Skip to content

ci(cli): dispatch Homebrew tap via primitive-ci GitHub App, not PAT #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
prim-8 merged 2 commits into from
Jun 10, 2026
+38 −6
Merged

ci(cli): dispatch Homebrew tap via primitive-ci GitHub App, not PAT #214

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
219333d
ci(cli): dispatch Homebrew tap via primitive-ci GitHub App, not PAT
prim-8 Jun 10, 2026
ac9d768
ci(cli): source role ARN from a non-secret Actions variable
prim-8 Jun 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 38 additions & 6 deletions .github/workflows/cli-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,19 +152,51 @@ jobs:
--title "CLI v$VERSION" \
--generate-notes

- name: Configure AWS credentials
if: ${{ steps.version.outputs.changed == 'true' }}
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
with:
role-to-assume: ${{ vars.AWS_HOMEBREW_TAP_ROLE_ARN }}
Comment thread
greptile-apps[bot] marked this conversation as resolved.
aws-region: us-west-2

- name: Fetch CI App credential from Secrets Manager
id: app-creds
if: ${{ steps.version.outputs.changed == 'true' }}
run: |
set -euo pipefail
JSON=$(aws secretsmanager get-secret-value \
--secret-id staging/github-ci-app \
--query SecretString --output text)
Comment on lines +167 to +169

@greptile-apps greptile-apps Bot Jun 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Staging secret in production release workflow

The secret path staging/github-ci-app is used to mint the GitHub App token for a production CLI release. If this is intentional (i.e., staging/ is just an AWS Secrets Manager namespace convention shared with the tap workflow), it's fine — but if there's a separate production/github-ci-app secret with different credentials or a scoped installation, this step would silently authenticate with the wrong App and could produce a token that lacks contents:write on homebrew-tap. Is staging/github-ci-app the correct Secrets Manager path for a production release, or does this workflow need a production-scoped credential (e.g., production/github-ci-app)?

Fix in Claude Code Fix in Codex

APP_ID=$(printf '%s' "$JSON" | jq -r '.app_id')
PRIVATE_KEY=$(printf '%s' "$JSON" | jq -r '.private_key')
while IFS= read -r line; do
[ -n "$line" ] && echo "::add-mask::$line"
done <<< "$PRIVATE_KEY"
echo "app-id=$APP_ID" >> "$GITHUB_OUTPUT"
{
echo "private-key<<PEMEOF"
printf '%s\n' "$PRIVATE_KEY"
echo "PEMEOF"
} >> "$GITHUB_OUTPUT"

- name: Mint Homebrew tap app token
id: app-token
if: ${{ steps.version.outputs.changed == 'true' }}
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
with:
app-id: ${{ steps.app-creds.outputs.app-id }}
private-key: ${{ steps.app-creds.outputs.private-key }}
owner: primitivedotdev
repositories: homebrew-tap

- name: Trigger Homebrew tap update
if: ${{ steps.version.outputs.changed == 'true' }}
env:
GH_TOKEN: ${{ secrets.HOMEBREW_TAP_BOT_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
VERSION: ${{ steps.version.outputs.current }}
run: |
set -euo pipefail

if [ -z "${GH_TOKEN:-}" ]; then
echo "::notice::HOMEBREW_TAP_BOT_TOKEN is not configured; skipping Homebrew tap dispatch."
exit 0
fi

node <<'NODE' > dispatch.json
const payload = {
event_type: 'cli-release',
Expand Down