Skip to content

ci: push gomod2nix updates with a GitHub App token#16370

Merged
Joibel merged 2 commits into
argoproj:mainfrom
Joibel:update-gomod2nix-app-token
Jul 3, 2026
Merged

ci: push gomod2nix updates with a GitHub App token#16370
Joibel merged 2 commits into
argoproj:mainfrom
Joibel:update-gomod2nix-app-token

Conversation

@Joibel

@Joibel Joibel commented Jul 2, 2026

Copy link
Copy Markdown
Member

Motivation

When the Update gomod2nix workflow pushes the regenerated gomod2nix.toml back to a Renovate/Dependabot branch, it authenticates with the default GITHUB_TOKEN. GitHub deliberately holds pull_request workflow runs resulting from GITHUB_TOKEN pushes in an "approval required" state (docs), so every Renovate go.mod PR (e.g. #16369) stalls until a maintainer clicks "Approve workflows to run". This isn't the fork-PR approval setting and can't be disabled in repo/org settings.

Modifications

Mint an installation token with actions/create-github-app-token (same action, pin, and pattern as cherry-pick-single.yml and pr-readiness.yaml) and hand it to actions/checkout, so git-auto-commit-action pushes as the app and CI re-triggers normally. If the app secrets aren't configured (e.g. on forks), the workflow falls back to GITHUB_TOKEN and behaves exactly as today.

Requires an org admin to:

  1. Register a GitHub App (permissions: Contents: Read and write only) and install it on this repository.
  2. Add repo/org secrets GOMOD2NIX_APP_ID (the app's client ID) and GOMOD2NIX_APP_PRIVATE_KEY.

Recursion is already guarded: this workflow's paths filter only matches go.mod/go.sum, and the bot commit only touches gomod2nix.toml.

Verification

actionlint passes. The held runs on #16369 (action_required, triggering actor github-actions[bot]) confirm the diagnosis; Renovate's own app-authenticated pushes on the same PR triggered CI without a hold, which is the mechanism this PR adopts.

Documentation

None needed — CI-internal change, explained by comments in the workflow.

AI

Prepared with Claude Code (investigation, workflow change, and PR text), reviewed by @Joibel.

Summary by CodeRabbit

  • Bug Fixes
    • Improved automation authentication so update jobs can complete without getting stuck in an “approval required” state.
    • Added a fallback for repository access when the preferred token is unavailable, helping keep CI runs more reliable.

Joibel and others added 2 commits July 2, 2026 14:32
Pushes made with the default GITHUB_TOKEN leave the resulting
pull_request workflow runs in an approval-required state, so every
Renovate go.mod PR needs a maintainer to click "Approve workflows to
run" after gomod2nix.toml is regenerated (see argoproj#16369). Push as a
GitHub App instead so CI re-triggers normally, falling back to
GITHUB_TOKEN on forks without the app secrets.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Alan Clucas <alan@clucas.org>
@Joibel
Joibel marked this pull request as ready for review July 2, 2026 14:06
@Joibel
Joibel requested a review from a team as a code owner July 2, 2026 14:06
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The GitHub Actions workflow update-gomod2nix.yml is modified to conditionally generate a GitHub App installation token when a GOMOD2NIX_APP_ID secret is present, and uses this token for the checkout step, falling back to the default GITHUB_TOKEN when unavailable.

Changes

Workflow Token Authentication

Layer / File(s) Summary
Conditional App token generation and checkout
.github/workflows/update-gomod2nix.yml
Adds a HAS_APP env flag and a step to generate a GitHub App installation token via actions/create-github-app-token when the app ID secret is present; updates actions/checkout to use this token, falling back to secrets.GITHUB_TOKEN.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise, specific, and accurately describes the main workflow change.
Description check ✅ Passed The description covers motivation, modifications, verification, documentation, and AI use, matching the template closely.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-gomod2nix.yml:
- Around line 21-31: The token generated by create-github-app-token is currently
using the full GOMOD2NIX_APP installation permissions, so scope it down to only
what this workflow needs. Update the Generate a token step in
update-gomod2nix.yml to pass a permissions input on
actions/create-github-app-token and restrict it to the minimal write access
required for pushing gomod2nix.toml, keeping the existing HAS_APP gating and
token generation flow intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 56d1f542-0f78-4a4a-8d68-2b7896891a85

📥 Commits

Reviewing files that changed from the base of the PR and between d6f8fa1 and acfa7a4.

📒 Files selected for processing (1)
  • .github/workflows/update-gomod2nix.yml

Comment on lines +21 to +31
- name: Generate a token
id: generate-token
# Pushing with GITHUB_TOKEN leaves the PR's CI runs stuck in an
# "approval required" state, so push as a GitHub App instead.
# Skipped on forks without the app; the GITHUB_TOKEN fallback still
# pushes, it just won't re-trigger CI.
if: env.HAS_APP == 'true'
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ secrets.GOMOD2NIX_APP_ID }}
private-key: ${{ secrets.GOMOD2NIX_APP_PRIVATE_KEY }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Scope the App token's permissions.

zizmor flags this: the installation token generated here inherits the full permission set granted to the GOMOD2NIX_APP installation, not just what's needed to push gomod2nix.toml. Add a permissions: input to restrict the blast radius if this token is ever leaked or misused elsewhere in the job.

🔒 Proposed fix to scope token permissions
       - name: Generate a token
         id: generate-token
         if: env.HAS_APP == 'true'
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ secrets.GOMOD2NIX_APP_ID }}
           private-key: ${{ secrets.GOMOD2NIX_APP_PRIVATE_KEY }}
+          permissions: >-
+            {"contents": "write"}
🧰 Tools
🪛 zizmor (1.26.1)

[error] 28-28: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-gomod2nix.yml around lines 21 - 31, The token
generated by create-github-app-token is currently using the full GOMOD2NIX_APP
installation permissions, so scope it down to only what this workflow needs.
Update the Generate a token step in update-gomod2nix.yml to pass a permissions
input on actions/create-github-app-token and restrict it to the minimal write
access required for pushing gomod2nix.toml, keeping the existing HAS_APP gating
and token generation flow intact.

Source: Linters/SAST tools

@Joibel
Joibel merged commit 9a7cc92 into argoproj:main Jul 3, 2026
20 of 21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants