Skip to content

Mcp oauth config changes (AST-160267)#1520

Open
cx-aniket-shinde wants to merge 10 commits into
mainfrom
feature/AST-160267-mcp-oauth-config
Open

Mcp oauth config changes (AST-160267)#1520
cx-aniket-shinde wants to merge 10 commits into
mainfrom
feature/AST-160267-mcp-oauth-config

Conversation

@cx-aniket-shinde

Copy link
Copy Markdown
Contributor

No description provided.

@cx-kedar-bhujade cx-kedar-bhujade left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Update .npmrc to use ECHO_LIBRARIES_ACCESS_KEY environment variable for authenticating with Echo registry (npm.echohq.com and packages.echohq.com). Add ECHO_LIBRARIES_ACCESS_KEY to CI workflows for install steps. Update dependencies: js-yaml to 4.3.0, brace-expansion to latest. Bump checkmarx extension to v2.69.0.
@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.GH_TOKEN at line 30
  • secrets.ECHO_LIBRARIES_ACCESS_KEY at line 33
  • secrets.CX_APIKEY_E2E_DEU at line 84
  • secrets.API_KEY at line 138
  • secrets.TEST_SCAN_ID at line 139

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@cx-anurag-dalke cx-anurag-dalke left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

Add a new GitHub Actions job to run Zizmor scans on PRs and centralize npm authentication for the Echo registries. Update ci-linux, release and update-cli-version workflows to authenticate against npm.echohq.com / packages.echohq.com in addition to the GitHub registry. Remove deprecated workflows: auto-merge, issue_automation and pr-label. These changes integrate the internal Echo npm registry and add repository action scanning while removing outdated automation.
secrets.GH_TOKEN doesn't exist in this repo, causing empty auth tokens
and 401s when fetching @checkmarx-scoped packages from npm.pkg.github.com.
Switch to the built-in github.token (already used successfully in
release.yml) and add packages: read permission where missing.
The lockfile's resolved/integrity hash for @checkmarx/ast-cli-javascript-wrapper@0.0.159
was stale relative to the currently published content on npm.pkg.github.com,
causing npm ci to fail with a 409 checksum mismatch in CI.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants