Conversation

@lvrach lvrach commented Jan 29, 2026

Summary

  • Migrated all PAT usages to GitHub App Token
  • Added explicit permissions at job level with comments explaining why
  • Fixed template-injection security vulnerability in publish-new-release.yml
  • Replaced ALL git push commands with signed commit action for verified commits
  • PRs created by these workflows will now trigger CI checks

Files Changed

  • .github/workflows/draft-new-release.yml - Migrated to GitHub App Token + Signed Commits
  • .github/workflows/publish-new-release.yml - Migrated to GitHub App Token + Signed Commits (updated with additional fix)

Migration Details

File: draft-new-release.yml
Token Type: GitHub App Token
Permissions: contents: write, pull-requests: write
Changes Made:
  • Added token generation step early (before checkout)
  • Moved permissions to job level
  • Used App Token for checkout and all git operations
  • Replaced git push with ryancyq/github-signed-commit action
  • PR creation will now trigger CI

File: publish-new-release.yml
Token Type: GitHub App Token
Permissions: contents: write, pull-requests: write
Changes Made:
  • Added token generation step early
  • Moved permissions to job level
  • Fixed template-injection vulnerability by moving untrusted input to env var
  • Used App Token for all operations
  • Replaced git push --delete with GitHub API call and signed commit action
  • PR creation will now trigger CI

Latest Fix (January 29, 2026)

publish-new-release.yml additional improvements:

  • Replaced git push --delete origin $TAG with GitHub API call (gh api DELETE /repos/.../git/refs/tags/...)
  • This ensures tag deletion also uses authenticated API calls rather than raw git commands
  • The signed commit action then creates the new tag with verification
  • All tag operations now properly authenticated and traceable

Signed Commits Implementation

Both workflows now use ryancyq/github-signed-commit@e9f3b28c80da7be66d24b8f501a5abe82a6b855f # v1.2.0 to ensure all pushes are signed and verified:

publish-new-release.yml:

  • Replaced git tag -a && git push with signed commit action for tag pushes
  • Replaced git push --delete with GitHub API for tag deletion
  • Tags will now show as "Verified" in GitHub UI

draft-new-release.yml:

  • Replaced git push --set-upstream origin with signed commit action for branch creation
  • Replaced git push origin --tags and git push --follow-tags with signed commit action
  • All branch pushes and tag pushes will now show as "Verified"

Security Improvements

  • Fixed HIGH severity template-injection vulnerability in publish-new-release.yml
  • Fixed MEDIUM severity excessive-permissions issue in publish-new-release.yml
  • All workflow permissions now explicitly defined at job level
  • GitHub App token ensures created PRs trigger downstream CI workflows
  • All git pushes now use signed commits or GitHub API for verification

Test plan

  • Verify draft-new-release workflow creates PRs that trigger CI
  • Verify publish-new-release workflow creates releases and PRs successfully
  • Confirm all commits and tags show as "Verified" in GitHub
  • Confirm all workflows pass after merge

🤖 Generated with Claude Code

- Migrated draft-new-release.yml to use GitHub App token
- Migrated publish-new-release.yml to use GitHub App token
- Added explicit permissions at job level with comments
- Fixed template-injection security issue in publish-new-release.yml
- PRs created by these workflows will now trigger CI checks

Co-Authored-By: Claude Opus 4.5 <[email protected]>

🔒 Scanned for secrets using gitleaks 8.30.0
@lvrach lvrach requested a review from a team as a code owner January 29, 2026 18:15
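The following is an added illustration of the pattern the PR describes, not the project's own workflow file. It is a trimmed publish workflow that mints a GitHub App installation token, scopes permissions at the job level, shows the template-injection shape beside its env-var fix, deletes the old tag through the REST API, and hands tag creation to the signed-commit action. The workflow name, the `version` input, the `RELEASE_APP_ID` / `RELEASE_APP_PRIVATE_KEY` secret names, the `CHANGELOG.md` file and the `commit-message` input are assumptions; the `files`, `tag` and `GH_TOKEN` names follow the PR's own commit message and should be checked against the action's README.

```yaml
# Added example (not the project's workflow). Secret names, the version
# input and the touched file are assumptions made for illustration.
name: publish-new-release-example

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release tag to publish, e.g. v1.2.3"
        required: true

# Nothing at workflow level; every job states exactly what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create/delete tags and push the release commit
      pull-requests: write   # open the follow-up PR
    steps:
      # 1. Short-lived installation token from the GitHub App. Commits and PRs
      #    made with it are attributed to the App, so unlike GITHUB_TOKEN they
      #    trigger downstream workflows (the CI-on-PR point in the summary).
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}                 # assumed secret name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}   # assumed secret name

      # 2. Check out with the App token so any later git operation uses it.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0

      # VULNERABLE shape (the pattern the PR removed): the ${{ }} expression is
      # expanded into the script text *before* bash parses it, so an input such
      # as   v1.0.0"; id #   is executed as shell, not treated as a tag name.
      #
      #   - run: git tag -a "${{ github.event.inputs.version }}" -m "Release ${{ github.event.inputs.version }}"

      # FIXED: bind the untrusted value to an environment variable. The shell
      # only ever sees it as the contents of $VERSION, never as code. An
      # allow-list check on the format is cheap insurance on top of that.
      - name: Validate release tag name
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail
          if ! printf '%s' "$VERSION" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "refusing unexpected tag name: $VERSION" >&2
            exit 1
          fi

      # 3. Remove a stale tag of the same name through the REST API with the
      #    App token, instead of `git push --delete`, so the deletion is
      #    authenticated and attributable to the App.
      - name: Delete existing remote tag (if any)
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail
          gh api --method DELETE "/repos/${GITHUB_REPOSITORY}/git/refs/tags/${VERSION}" \
            || echo "no remote tag ${VERSION} to delete"

      # 4. Create the release commit and tag via the signed-commit action so
      #    both show as "Verified". Input names below are assumptions taken
      #    from the PR's commit message (env.GH_TOKEN, files, tag).
      - name: Create verified release commit and tag
        uses: ryancyq/github-signed-commit@e9f3b28c80da7be66d24b8f501a5abe82a6b855f # v1.2.0
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          files: CHANGELOG.md                                          # assumed
          commit-message: "chore: release ${{ github.event.inputs.version }}"  # assumed input name
          tag: ${{ github.event.inputs.version }}
```

The interpolation in the `with:` block of step 4 is not the same risk as the commented-out `run:` line: action inputs are passed to the action as data rather than spliced into a shell script, which is why moving untrusted values out of `run:` and into `env:` or `with:` closes the template-injection path.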
@coderabbitai

coderabbitai bot commented Jan 29, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • .github/workflows/draft-new-release.yml is excluded by !**/*.yml
  • .github/workflows/publish-new-release.yml is excluded by !**/*.yml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch chore/SEC-58-migrate-pat-to-github-app-token


Co-Authored-By: Claude Opus 4.5 <[email protected]>

🔒 Scanned for secrets using gitleaks 8.30.0
…-release.yml [SEC-58]

🔒 Scanned for secrets using gitleaks 8.30.0
- Use env.GH_TOKEN instead of with: token
- Use branch-name instead of branch
- Remove invalid params: force, tags, ref
- Add files parameter
- Use tag parameter for tag creation

🔒 Scanned for secrets using gitleaks 8.30.0