
ci(release): use short-lived GitHub App token instead of long-lived PAT#13604

Merged
ilhan007 merged 4 commits into
mainfrom
ci/release-app-token
Jun 3, 2026

Conversation

ilhan007 (Collaborator) commented May 28, 2026

Background

Aligns release.yaml with OSPO Guideline #4 ("Replace long-lived secrets with OIDC").

Change

Replace every secrets.UI5_WEBCOMP_BOT_GH_TOKEN usage in the release workflow with a per-run installation token generated by actions/create-github-app-token@v3. App tokens are valid for ~1 hour and disappear when the run ends, drastically reducing the blast radius compared to a long-lived PAT.

Prerequisites (one-time, before merge):

by OSPO team

  • Register a GitHub App with Contents/Issues/Pull-requests: write
  • Install it on UI5/webcomponents
  • Add it to the branch-protection bypass list for release branches

by us

  • Add repo secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY

@ilhan007 ilhan007 requested a review from ajinkyapatil8190 May 29, 2026 13:26
ilhan007 added a commit that referenced this pull request Jun 1, 2026
The experimental flow only publishes to npm — it does not push commits,
tags, or anything else back to GitHub. The long-lived PAT was therefore
unnecessary in this job; the auto-issued GITHUB_TOKEN suffices.

Also downgrades 'contents' permission from 'write' to 'read' to match
what the job actually needs (checkout only).

Other release jobs (stable, rc, hotfix, v1) still push to protected
branches and continue to use UI5_WEBCOMP_BOT_GH_TOKEN; they will be
migrated separately (see #13604).
ilhan007 added a commit that referenced this pull request Jun 2, 2026
…ix from secret names

Addresses review feedback on #13604:
- pin actions/create-github-app-token to v3.2.0 commit SHA per GitHub
  third-party action security guidance (tags can be moved, SHAs cannot)
- v3 is safe for us: breaking changes are Node 24 (we use ubuntu-latest
  hosted runners which support it) and removed custom proxy handling
  (we do not use proxies)
- rename RELEASE_BOT_APP_ID / RELEASE_BOT_APP_PRIVATE_KEY to
  RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY to match repo secret names
@ilhan007 ilhan007 had a problem deploying to npmjs:@ui5/webcomponents June 2, 2026 14:59 — with GitHub Actions Failure
@ilhan007 ilhan007 had a problem deploying to npmjs:@ui5/webcomponents June 2, 2026 15:01 — with GitHub Actions Failure
@ilhan007 ilhan007 requested a review from dellagustin-sap June 2, 2026 15:21
(Review comment thread on .github/workflows/release.yaml, marked outdated)
@ilhan007 ilhan007 requested a review from dellagustin-sap June 3, 2026 05:29
ilhan007 added 4 commits June 3, 2026 08:30
Replace every `secrets.UI5_WEBCOMP_BOT_GH_TOKEN` usage in the release
workflow with a per-run installation token generated by
`actions/create-github-app-token@v2`. App tokens are valid for ~1 hour
and disappear when the run ends, drastically reducing the blast radius
compared to a long-lived PAT.

Aligns release.yaml with OSPO Guideline #4 ("Replace long-lived secrets
with OIDC"). The same PAT is still consumed by deploy-preview.yaml,
reset-preview-deploy.yaml, reset-gh-pages.yaml and
issue-monthly-report.yaml; those workflows are intentionally out of
scope and will be migrated in follow-up PRs.

Requires (one-time, before merge):
- Register a GitHub App with Contents/Issues/Pull-requests: write
- Install it on SAP/ui5-webcomponents
- Add it to the branch-protection bypass list for release branches
- Add repo secrets RELEASE_BOT_APP_ID and RELEASE_BOT_APP_PRIVATE_KEY

The npm publish flow already uses OIDC (id-token: write, no NPM_TOKEN);
no changes there. UI5_WEBCOMP_BOT_NAME / _EMAIL are kept as-is — they
are git identity strings, not credentials.
…ix from secret names

Addresses review feedback on #13604:
- pin actions/create-github-app-token to v3.2.0 commit SHA per GitHub
  third-party action security guidance (tags can be moved, SHAs cannot)
- v3 is safe for us: breaking changes are Node 24 (we use ubuntu-latest
  hosted runners which support it) and removed custom proxy handling
  (we do not use proxies)
- rename RELEASE_BOT_APP_ID / RELEASE_BOT_APP_PRIVATE_KEY to
  RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY to match repo secret names
Resolves the merge conflict between this PR and main introduced by
49bade4 ("swap PAT for GITHUB_TOKEN in experimental-release job").

experimental-release does not push tags or branches, does not create a
GitHub release, and does not need elevated privileges — GITHUB_TOKEN is
sufficient. Removes the now-unused 'Generate App Token' step from this
job and reverts contents permission from write back to read.

App tokens remain in stable/rc/hotfix/v1 jobs where they're needed for
tag pushes against branch-protected refs.
actions/checkout@v4 already defaults to github.token, and lerna version
--no-push + lerna publish in this job do not need GH_TOKEN in env.

Addresses review feedback on #13571.
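The shape of the change described in the PR description above and in the commit messages for the stable and experimental-release jobs, as an added illustration that is not the project's release.yaml and not code from this PR. Secret names (RELEASE_APP_ID, RELEASE_APP_PRIVATE_KEY, UI5_WEBCOMP_BOT_NAME, UI5_WEBCOMP_BOT_EMAIL), the action versions and the lerna invocations are taken from the page; the job names, the `permission-*` narrowing inputs of actions/create-github-app-token, the `fetch-depth` setting and the "before" job shown for contrast are assumptions. The commit SHA the PR pins to is not on the page, so it appears as a labelled placeholder that must be replaced before the workflow is valid.

```yaml
# Illustrative excerpt only; not the project's .github/workflows/release.yaml.
name: release
on:
  workflow_dispatch:

jobs:
  # BEFORE (shown for contrast, do not keep): a long-lived PAT with
  # admin-level reach is exported to every step that asks for it.
  release-stable-before:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }}   # long-lived PAT
      - run: npx lerna version --yes                       # pushes commit + tags
        env:
          GH_TOKEN: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }}

  # AFTER: a per-run installation token, scoped to this repository and to the
  # permissions the job exercises. The action's post step revokes the token
  # when the job ends (unless skip-token-revoke is set), so nothing outlives the run.
  release-stable:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # GITHUB_TOKEN only needs checkout; pushes use the app token
    steps:
      - name: Generate App Token
        id: app-token
        # Pin to the full 40-character commit SHA of the v3.2.0 tag (resolve it
        # with `git ls-remote --tags <repo-url> refs/tags/v3.2.0^{}`); tags can
        # be moved, commit SHAs cannot. The value below is a PLACEHOLDER.
        uses: actions/create-github-app-token@<full-commit-sha-of-v3.2.0> # v3.2.0
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          # Assumed narrowing: request only the subset of the App's registered
          # permissions this job needs; a leaked token then cannot do more.
          permission-contents: write
          permission-pull-requests: write
          permission-issues: write

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}   # stored for the push below
          fetch-depth: 0                                # assumed: lerna needs history/tags

      - name: Configure git identity (identity strings, not credentials)
        run: |
          git config user.name  "${{ secrets.UI5_WEBCOMP_BOT_NAME }}"
          git config user.email "${{ secrets.UI5_WEBCOMP_BOT_EMAIL }}"

      - name: Version, tag and push to the protected release branch
        # Works only because the App is on the branch-protection bypass list.
        run: npx lerna version --yes
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}

  # Publish-only job: no pushes to GitHub, so no app token and no elevated
  # permissions. actions/checkout falls back to github.token by default.
  experimental-release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # npm OIDC (trusted publishing); no NPM_TOKEN secret
    steps:
      - uses: actions/checkout@v4
      - run: npx lerna version --no-push --yes
      - run: npx lerna publish from-package --yes
```

Two checks worth running once this is in place: confirm that `secrets.UI5_WEBCOMP_BOT_GH_TOKEN` no longer appears anywhere under `.github/workflows/` before revoking the PAT, and confirm the generated token really is narrowed by calling the GitHub API with it against an endpoint the job should not be able to reach (it should fail with 403).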
@ilhan007 ilhan007 force-pushed the ci/release-app-token branch from 0bd5242 to 8773e48 June 3, 2026 05:30
@ilhan007 ilhan007 requested a review from nnaydenow June 3, 2026 07:29
@ilhan007 ilhan007 merged commit 10f3c0d into main Jun 3, 2026
24 of 27 checks passed
@ilhan007 ilhan007 deleted the ci/release-app-token branch June 3, 2026 07:50
ilhan007 added a commit that referenced this pull request Jun 3, 2026
Replace secrets.UI5_WEBCOMP_BOT_GH_TOKEN with a per-run installation
token from actions/create-github-app-token@v3.2.0 (pinned by SHA) in:

- deploy-preview.yaml
- reset-preview-deploy.yaml
- reset-gh-pages.yaml
- issue-monthly-report.yaml

Completes the OSPO Hardening Control #4 ("Replace long-lived secrets
with OIDC") migration started in #13604. release.yaml was migrated
there; this PR covers the four remaining workflows that were called
out as out-of-scope at the time.

Once merged and one run of each workflow is verified green, the
UI5_WEBCOMP_BOT_GH_TOKEN secret can be deleted and the underlying PAT
revoked. The UI5_WEBCOMP_BOT_NAME and UI5_WEBCOMP_BOT_EMAIL secrets
are kept — they are git identity strings, not credentials.
ilhan007 (Collaborator, Author) commented Jun 3, 2026

@dellagustin-sap after the token generation had been tested and worked, I replaced all the usages of the classic long-lived token with PR #13629, which is also merged.

The ui5-webcomponents-bot is no longer an admin.
The UI5_WEBCOMP_BOT_GH_TOKEN secret is not used anywhere and will be removed.
