Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,23 @@ jobs:
with:
egress-policy: audit

# Mint a GitHub App installation token for the Flanksource App so
# semantic-release can push the release tag and create the GitHub Release.
# The default GITHUB_TOKEN is blocked from these writes by org policy.
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
Comment on lines +22 to +27

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the pinned action supports permission-scoped inputs.
curl -fsSL https://raw.githubusercontent.com/actions/create-github-app-token/v3.2.0/action.yml \
  | grep -A3 -n 'permission-contents'

Repository: flanksource/commons

Length of output: 609


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6318


Narrow the GitHub App token to contents: write. This release job only needs repository contents access for tag and release writes, but the App token currently inherits every permission on the installation. Pass permission-contents: write here to keep the token scoped to the release path.

Proposed change
       - name: Generate GitHub App token
         id: app-token
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
           private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
+          permission-contents: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
permission-contents: write
🧰 Tools
🪛 zizmor (1.26.1)

[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 22 - 27, The GitHub App token
created in the release workflow is too broadly scoped for this job. Update the
Generate GitHub App token step to request only repository contents access by
adding the appropriate contents write permission on the
actions/create-github-app-token use, so the token is limited to the release
path. Refer to the app-token step in the release workflow and keep the rest of
the release job unchanged.

Source: Linters/SAST tools


- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
token: ${{ steps.app-token.outputs.token }}
Comment on lines 29 to +31

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the pinned checkout action's persist-credentials default.
curl -fsSL https://raw.githubusercontent.com/actions/checkout/v4.1.6/action.yml \
  | grep -A6 -n 'persist-credentials'

Repository: flanksource/commons

Length of output: 508


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant workflow section with line numbers.
sed -n '1,120p' .github/workflows/release.yml | cat -n

# Look for how the semantic-release action is configured.
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6133


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the checkout action's documented behavior and the release workflow's surrounding steps.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/release.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if 1 <= i <= 120:
        print(f"{i:4d}: {line}")
PY

Repository: flanksource/commons

Length of output: 5284


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,120p' .github/workflows/release.yml | cat -n
rg -n "semantic-release-action|GITHUB_TOKEN|app-token|persist-credentials|checkout@" .github/workflows/release.yml

Repository: flanksource/commons

Length of output: 6133


🌐 Web query:

codfish/semantic-release-action GITHUB_TOKEN checkout persist-credentials false git push authentication

💡 Result:

When using plugins like @semantic-release/git in GitHub Actions, setting persist-credentials: false in the actions/checkout step is a necessary configuration to allow semantic-release to use a custom authentication token [1][2][3]. By default, actions/checkout automatically populates the local git configuration with the repository's default GITHUB_TOKEN [4][1]. If you need to perform git operations that the default token cannot handle—such as pushing to a protected branch—you must provide a custom token (e.g., a Personal Access Token or a GitHub App token) [5][6][7]. If persist-credentials is left at its default value (true), the actions/checkout step will persist the default GITHUB_TOKEN in the local git config, which takes precedence and causes your custom authentication to be ignored [4][2][7]. Setting it to false prevents this, ensuring that git uses the credentials you explicitly provide in your environment variables or configuration for semantic-release [6][7]. For secure implementations on protected branches, official documentation and community best practices recommend using a GitHub App token rather than a Personal Access Token (PAT) [8][7]. GitHub App tokens provide fine-grained permissions and short-lived credentials, which are more secure than long-lived PATs [7]. Summary of the required configuration: - In your GitHub Actions workflow, set persist-credentials: false in the actions/checkout step [1][2]. - Use a custom token (via GitHub App or PAT) with appropriate permissions for pushing [6][7]. - Pass this token to semantic-release via the GITHUB_TOKEN environment variable [4][6].

Citations:


Set persist-credentials: false on checkout. actions/checkout writes the App token into .git/config by default; semantic-release already gets the same token via GITHUB_TOKEN, so there’s no need to persist it here. .github/workflows/release.yml:29-35

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 29 - 31, Set actions/checkout in
the release workflow to avoid persisting the App token in the local git config.
Update the checkout step in the release job to include persist-credentials:
false alongside the existing token input, since semantic-release already uses
GITHUB_TOKEN and should not rely on credentials written by checkout. Use the
actions/checkout step in release.yml as the place to make this change.

Source: Linters/SAST tools

- uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
id: semantic
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
Comment on lines +22 to +35

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable the unused default GITHUB_TOKEN permissions.

Now that release writes use the App token, add an explicit job/workflow permissions block so the implicit token is not available with repository defaults.

Proposed change
   semantic-release:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       release-version: ${{ steps.semantic.outputs.release-version }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
token: ${{ steps.app-token.outputs.token }}
- uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
id: semantic
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
semantic-release:
runs-on: ubuntu-latest
permissions: {}
outputs:
release-version: ${{ steps.semantic.outputs.release-version }}
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.FLANKSOURCE_APP_ID }}
private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }}
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
token: ${{ steps.app-token.outputs.token }}
- uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0
id: semantic
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 8-35: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 24-24: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 22 - 35, Add an explicit
permissions block for the release job/workflow so the default repository-scoped
GITHUB_TOKEN is disabled now that the release steps use the GitHub App token.
Update the workflow around the actions/create-github-app-token,
actions/checkout, and codfish/semantic-release-action steps to grant only the
minimum permissions needed for release, ensuring no implicit extra permissions
remain available.

Source: Linters/SAST tools


bump-clients:
runs-on: ubuntu-latest
Expand Down
Loading