-
Notifications
You must be signed in to change notification settings - Fork 17
ci(release): authenticate semantic-release via Flanksource GitHub App #323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -16,11 +16,23 @@ jobs: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| egress-policy: audit | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # Mint a GitHub App installation token for the Flanksource App so | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # semantic-release can push the release tag and create the GitHub Release. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # The default GITHUB_TOKEN is blocked from these writes by org policy. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Generate GitHub App token | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id: app-token | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| app-id: ${{ secrets.FLANKSOURCE_APP_ID }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| token: ${{ steps.app-token.outputs.token }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
29
to
+31
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Verify the pinned checkout action's persist-credentials default.
curl -fsSL https://raw.githubusercontent.com/actions/checkout/v4.1.6/action.yml \
| grep -A6 -n 'persist-credentials'Repository: flanksource/commons Length of output: 508 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Show the relevant workflow section with line numbers.
sed -n '1,120p' .github/workflows/release.yml | cat -n
# Look for how the semantic-release action is configured.
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.ymlRepository: flanksource/commons Length of output: 6133 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect the checkout action's documented behavior and the release workflow's surrounding steps.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/release.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
if 1 <= i <= 120:
print(f"{i:4d}: {line}")
PYRepository: flanksource/commons Length of output: 5284 🏁 Script executed: #!/bin/bash
set -euo pipefail
sed -n '1,120p' .github/workflows/release.yml | cat -n
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.ymlRepository: flanksource/commons Length of output: 6133 🌐 Web query:
💡 Result: When using plugins like Citations:
Set 🧰 Tools🪛 zizmor (1.26.1)[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id: semantic | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+22
to
+35
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Disable the unused default Now that release writes use the App token, add an explicit job/workflow Proposed change semantic-release:
runs-on: ubuntu-latest
+ permissions: {}
outputs:
release-version: ${{ steps.semantic.outputs.release-version }}📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.26.1)[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [warning] 8-35: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block (excessive-permissions) [error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions (github-app) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| bump-clients: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: flanksource/commons
Length of output: 609
🏁 Script executed:
Repository: flanksource/commons
Length of output: 6318
Narrow the GitHub App token to
contents: write. This release job only needs repository contents access for tag and release writes, but the App token currently inherits every permission on the installation. Passpermission-contents: writehere to keep the token scoped to the release path.Proposed change
- name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.FLANKSOURCE_APP_ID }} private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} + permission-contents: write📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.26.1)
[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
🤖 Prompt for AI Agents
Source: Linters/SAST tools