ci: push gomod2nix updates with a GitHub App token#16370
Conversation
Pushes made with the default GITHUB_TOKEN leave the resulting pull_request workflow runs in an approval-required state, so every Renovate go.mod PR needs a maintainer to click "Approve workflows to run" after gomod2nix.toml is regenerated (see argoproj#16369). Push as a GitHub App instead so CI re-triggers normally, falling back to GITHUB_TOKEN on forks without the app secrets. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Alan Clucas <alan@clucas.org>
📝 WalkthroughWalkthroughThe GitHub Actions workflow update-gomod2nix.yml is modified to conditionally generate a GitHub App installation token when a GOMOD2NIX_APP_ID secret is present, and uses this token for the checkout step, falling back to the default GITHUB_TOKEN when unavailable. ChangesWorkflow Token Authentication
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/update-gomod2nix.yml:
- Around line 21-31: The token generated by create-github-app-token is currently
using the full GOMOD2NIX_APP installation permissions, so scope it down to only
what this workflow needs. Update the Generate a token step in
update-gomod2nix.yml to pass a permissions input on
actions/create-github-app-token and restrict it to the minimal write access
required for pushing gomod2nix.toml, keeping the existing HAS_APP gating and
token generation flow intact.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 56d1f542-0f78-4a4a-8d68-2b7896891a85
📒 Files selected for processing (1)
.github/workflows/update-gomod2nix.yml
| - name: Generate a token | ||
| id: generate-token | ||
| # Pushing with GITHUB_TOKEN leaves the PR's CI runs stuck in an | ||
| # "approval required" state, so push as a GitHub App instead. | ||
| # Skipped on forks without the app; the GITHUB_TOKEN fallback still | ||
| # pushes, it just won't re-trigger CI. | ||
| if: env.HAS_APP == 'true' | ||
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | ||
| with: | ||
| client-id: ${{ secrets.GOMOD2NIX_APP_ID }} | ||
| private-key: ${{ secrets.GOMOD2NIX_APP_PRIVATE_KEY }} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Scope the App token's permissions.
zizmor flags this: the installation token generated here inherits the full permission set granted to the GOMOD2NIX_APP installation, not just what's needed to push gomod2nix.toml. Add a permissions: input to restrict the blast radius if this token is ever leaked or misused elsewhere in the job.
🔒 Proposed fix to scope token permissions
- name: Generate a token
id: generate-token
if: env.HAS_APP == 'true'
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ secrets.GOMOD2NIX_APP_ID }}
private-key: ${{ secrets.GOMOD2NIX_APP_PRIVATE_KEY }}
+ permissions: >-
+ {"contents": "write"}🧰 Tools
🪛 zizmor (1.26.1)
[error] 28-28: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/update-gomod2nix.yml around lines 21 - 31, The token
generated by create-github-app-token is currently using the full GOMOD2NIX_APP
installation permissions, so scope it down to only what this workflow needs.
Update the Generate a token step in update-gomod2nix.yml to pass a permissions
input on actions/create-github-app-token and restrict it to the minimal write
access required for pushing gomod2nix.toml, keeping the existing HAS_APP gating
and token generation flow intact.
Source: Linters/SAST tools
Motivation
When the
Update gomod2nixworkflow pushes the regeneratedgomod2nix.tomlback to a Renovate/Dependabot branch, it authenticates with the defaultGITHUB_TOKEN. GitHub deliberately holdspull_requestworkflow runs resulting fromGITHUB_TOKENpushes in an "approval required" state (docs), so every Renovatego.modPR (e.g. #16369) stalls until a maintainer clicks "Approve workflows to run". This isn't the fork-PR approval setting and can't be disabled in repo/org settings.Modifications
Mint an installation token with
actions/create-github-app-token(same action, pin, and pattern ascherry-pick-single.ymlandpr-readiness.yaml) and hand it toactions/checkout, sogit-auto-commit-actionpushes as the app and CI re-triggers normally. If the app secrets aren't configured (e.g. on forks), the workflow falls back toGITHUB_TOKENand behaves exactly as today.Requires an org admin to:
GOMOD2NIX_APP_ID(the app's client ID) andGOMOD2NIX_APP_PRIVATE_KEY.Recursion is already guarded: this workflow's
pathsfilter only matchesgo.mod/go.sum, and the bot commit only touchesgomod2nix.toml.Verification
actionlintpasses. The held runs on #16369 (action_required, triggering actorgithub-actions[bot]) confirm the diagnosis; Renovate's own app-authenticated pushes on the same PR triggered CI without a hold, which is the mechanism this PR adopts.Documentation
None needed — CI-internal change, explained by comments in the workflow.
AI
Prepared with Claude Code (investigation, workflow change, and PR text), reviewed by @Joibel.
Summary by CodeRabbit