From 43a0395e8a94abd8c0787c1b5502792aea752684 Mon Sep 17 00:00:00 2001
From: Andy Kenward <4893048+andykenward@users.noreply.github.com>
Date: Sun, 31 May 2026 18:13:25 +0000
Subject: [PATCH 1/2] ci: pr automation use github app token
---
 .github/workflows/sync-readme-versions.yml | 7 ++++++-
 .github/workflows/update.yml | 21 ++++++++++++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sync-readme-versions.yml b/.github/workflows/sync-readme-versions.yml
index 0cd917a5..76d5351e 100644
--- a/.github/workflows/sync-readme-versions.yml
+++ b/.github/workflows/sync-readme-versions.yml
@@ -38,10 +38,15 @@ jobs:
 run: pnpm run sync:readme
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+ id: app-token
+ with:
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Commit and push version reference updates
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 commit-message: 'docs: update action version references [skip ci]'
 sign-commits: true
 title: 'docs: update action version references'
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index fdb49340..956b8ce0 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
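Review bot: The `commit-message` context line in this hunk keeps `[skip ci]`, and GitHub honours that marker for pull_request as well as push events, so the PR now opened with the App token still gets no CI run even though App-token PRs (unlike GITHUB_TOKEN-created ones) are able to trigger workflows. If letting this bot PR run CI was a motivation for the switch, the marker needs to go; if the docs-only PR is meant to stay unverified, a comment on the step would save the next reader the puzzle, e.g. `# [skip ci] is deliberate: version-reference docs only, no CI run on this PR`. The earlier `sync:readme` step still runs with GITHUB_TOKEN and the App token is only minted afterwards, which is the right order; per the action's documented default the token is revoked by its post step at job end, so no extra cleanup is needed.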
@@ -32,11 +32,16 @@ jobs:
 run: pnpm run download
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+ id: app-token
+ with:
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 commit-message: 'chore: update payloads'
 sign-commits: true
 branch: 'chore/update-payloads'
@@ -58,11 +63,16 @@ jobs:
 - uses: ./.github/actions/setup-pnpm
 - name: cli all
 run: pnpm run tsc:types
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+ id: app-token
+ with:
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 commit-message: 'chore: update types'
 sign-commits: true
 branch: 'chore/types'
@@ -92,11 +102,16 @@ jobs:
 | jq -r '.data' \
 > schema/github/schema.graphql
 echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0
+ id: app-token
+ with:
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 commit-message: 'chore: update GitHub GraphQL schema'
 sign-commits: true
 branch: 'chore/update-graphql-schema'
From c7602e430724f703c30bc16e1a86b42c8c6bfc87 Mon Sep 17 00:00:00 2001
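Review bot: The App token in this hunk is minted immediately after `pnpm run download`, which is the safe order (whatever that step fetches never has the token in its environment), but nothing records that the order is intentional, so a later tidy-up could hoist the mint step to the top of the job. A comment on the new step would pin it: `# Mint the App token only after the download step so fetched content never runs with it; the action's post step revokes it at job end`. Note also that a PR opened with an App token, unlike one opened with GITHUB_TOKEN, does trigger pull_request workflows, so the refreshed payload content now flows into CI; worth confirming those workflows run with read-only permissions, which I cannot see from this diff.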
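Review bot: This hunk adds the third verbatim copy of the create-github-app-token step in the same file (the same five lines appear at the -32 and -92 hunks and again in sync-readme-versions.yml), so the pinned SHA, the `#v3.2.0` pin comment and the inputs have to be kept in sync in four places; the permission inputs added in the follow-up commit already show that cost. The file already consumes a local composite action (`./.github/actions/setup-pnpm` on the context line above), so moving the mint into a similar `./.github/actions/app-token` composite that exposes the token as an output would leave one place to bump the pin and the permission set. If the steps are kept inline, a one-line comment on each noting that the copies must be updated together is the minimum.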
From: Andy Kenward <4893048+andykenward@users.noreply.github.com>
Date: Sun, 31 May 2026 18:16:51 +0000
Subject: [PATCH 2/2] ci: scope app token to contents and pull-requests
Limit the minted GitHub App token to the permissions each automation job actually needs (contents:write to push the branch, pull-requests:write to open the PR) instead of inheriting the App's blanket installation permissions, per zizmor.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/sync-readme-versions.yml | 2 ++
 .github/workflows/update.yml | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/sync-readme-versions.yml b/.github/workflows/sync-readme-versions.yml
index 76d5351e..faf2e677 100644
--- a/.github/workflows/sync-readme-versions.yml
+++ b/.github/workflows/sync-readme-versions.yml
@@ -43,6 +43,8 @@ jobs:
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Commit and push version reference updates
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
 with:
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 956b8ce0..a7e93218 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -37,6 +37,8 @@ jobs:
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
@@ -68,6 +70,8 @@ jobs:
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1
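Review bot: The two permission lines in this hunk narrow what the token may do but say nothing about which repositories it may do it to; with neither `owner` nor `repositories` set, create-github-app-token's documented default scopes the token to the current repository only, which is the right choice but is silently undone if someone later adds `owner:` without `repositories:` (that widens the grant to every repository in the App's installation). A comment beside the new lines would record both decisions: `# Least privilege: repo-scoped by default (no owner/repositories), contents + pull-requests only`. Anything create-pull-request is later asked to do beyond pushing the branch and opening the PR (reviewers, labels, milestones) will fail with 403 until a matching permission-* input is added here, so that comment is also where to point the next maintainer.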
@@ -107,6 +111,8 @@ jobs:
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Create Pull Request
 id: cpr
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 #v8.1.1