@picatz
Contributor

@picatz picatz commented Nov 4, 2025

Summary

  • .github/workflows/trigger-publish.yml: Set the GitHub App token step to include owner temporalio and added repositories list for cli and docker-builds so the generated token retains access to both repos.
  • .github/workflows/trigger-docs.yml: Upgraded the GitHub App token step to actions/create-github-app-token@v2 and switched repositories input to a multiline list (documentation) with an explanatory comment while keeping the owner scoped to the repository owner.

Previous summary:

Summary

  • .github/workflows/trigger-publish.yml: Replaced tibdex/github-app-token with actions/create-github-app-token@v2 and converted inputs to the new action’s kebab-case names so the workflow continues generating the app token securely.

This change was made by an automated process to ensure all GitHub Actions workflows use the official GitHub application token action.

Assisted-by: GPT-5 Codex via Camper
@picatz picatz requested review from a team as code owners November 4, 2025 16:47
@semgrep-managed-scans

Semgrep found 1 missing-explicit-permissions finding:

No explicit GITHUB_TOKEN permissions found at the workflow or job level. Add a permissions: block at the workflow root (applies to all jobs) or per job with least privilege (e.g., contents: read and only specific writes like pull-requests: write if needed).
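
As an added illustration (not the PR's diff and not the project's workflow file), the action migration summarized in this thread and the Semgrep finding above together describe a workflow shaped like the following. The workflow, job, step and secret names, the trigger, and the `contents: read` scope are assumptions; the owner and repository names are the ones given in the PR summary.

```yaml
# Added example; names marked "hypothetical" are not from the repository.
name: trigger-publish-example          # hypothetical workflow name
on:
  workflow_dispatch:                   # assumed trigger

# Explicit least-privilege scope for the built-in GITHUB_TOKEN,
# declared at the workflow root so it applies to every job.
permissions:
  contents: read                       # assumed minimum; widen only per job if needed

jobs:
  trigger:                             # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      # Before: third-party action with snake_case inputs.
      # - uses: tibdex/github-app-token@<version>
      #   with:
      #     app_id: ${{ secrets.EXAMPLE_APP_ID }}
      #     private_key: ${{ secrets.EXAMPLE_APP_PRIVATE_KEY }}

      # After: official action with kebab-case inputs.
      - name: Generate app token
        id: generate_token             # hypothetical step id
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.EXAMPLE_APP_ID }}                # hypothetical secret name
          private-key: ${{ secrets.EXAMPLE_APP_PRIVATE_KEY }}  # hypothetical secret name
          owner: temporalio
          # List only the repositories the token must reach,
          # one per line.
          repositories: |
            cli
            docker-builds

      # Later steps read the token from the step output:
      #   ${{ steps.generate_token.outputs.token }}
```

The `permissions:` block limits only the built-in `GITHUB_TOKEN`; what the generated app token can reach is determined by the GitHub App installation and the `owner`/`repositories` inputs.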

@picatz
Contributor Author

picatz commented Nov 4, 2025

☝️ Should be resolved with #869 (comment)

This refresh aligns owner/repositories inputs with actions/create-github-app-token@v2 defaults while preserving necessary repository access.

Assisted-by: GPT-5 Codex via Camper
@semgrep-managed-scans

This comment was marked as duplicate.

Contributor

@spkane31 spkane31 left a comment

LGTM 🚢

@picatz
Contributor Author

picatz commented Nov 12, 2025

Thank you, @spkane31 and @chris-olszewski! Looks like I don't have the ability to merge this PR, can one of you?

@chris-olszewski chris-olszewski merged commit d1bdd23 into main Nov 12, 2025
8 checks passed
@chris-olszewski chris-olszewski deleted the security-campaign/gha-deprecated-app-token-action branch November 12, 2025 15:51
4 participants