Switch to using an App token instead of a PAT #1442
Pull Request Overview
Switch workflows from using a personal access token (PAT) to a GitHub App token for Dependabot automation.
- Add a step to generate a GitHub App token via `actions/create-github-app-token`
- Update checkout and `gh pr merge` invocations to use the generated token
- Remove reliance on the `DEPENDABOT_AUTOBUILD` secret
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-build.yml | Added token generation step and updated checkout token usage |
| .github/workflows/dependabot-auto-merge.yml | Added token generation step and updated merge token usage |
Comments suppressed due to low confidence (4)
.github/workflows/dependabot-build.yml:37
- Input keys for `actions/create-github-app-token` should match the action spec: use `app_id` instead of `app-id`.
  `app-id: ${{ secrets.DEPENDABOT_ACTION_TOKEN_AUTOMATION_CLIENT_ID }}`

.github/workflows/dependabot-build.yml:38
- Input keys for `actions/create-github-app-token` should match the action spec: use `private_key` instead of `private-key`.
  `private-key: ${{ secrets.DEPENDABOT_ACTION_TOKEN_AUTOMATION_PRIVATE_KEY }}`

.github/workflows/dependabot-auto-merge.yml:15
- Input keys for `actions/create-github-app-token` should match the action spec: use `app_id` instead of `app-id`.
  `app-id: ${{ secrets.DEPENDABOT_ACTION_TOKEN_AUTOMATION_CLIENT_ID }}`

.github/workflows/dependabot-auto-merge.yml:16
- Input keys for `actions/create-github-app-token` should match the action spec: use `private_key` instead of `private-key`.
  `private-key: ${{ secrets.DEPENDABOT_ACTION_TOKEN_AUTOMATION_PRIVATE_KEY }}`
| # Check out using a PAT so any pushed changes will trigger checkruns | ||
| - name: Generate token | ||
| id: generate_token | ||
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 |
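Review bot: the unchanged context comment `# Check out using a PAT so any pushed changes will trigger checkruns` is stale once this hunk replaces the PAT with a token minted by `actions/create-github-app-token`; reword it to say the checkout uses the App installation token (the reason still holds, since pushes made with the default `GITHUB_TOKEN` do not start new check runs). Pinning the action to a full commit SHA with the `# v1.11.6` version comment is the right convention; keep it for this new step.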
Consider adding a permissions block to the create-github-app-token step to restrict the token to only the minimum required scopes.
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 | |
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 | |
| permissions: | |
| contents: write |
| steps: | ||
| - name: Generate token | ||
| id: generate_token | ||
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 |
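Review bot: the installation token this step mints carries every permission the App was granted on the repository unless the step narrows it, and the Copilot suggestion of a `permissions:` block on the step would not do that: in GitHub Actions `permissions` is a workflow- or job-level key, not a step key, so the suggested YAML fails workflow validation. Scope the token through the action's own inputs under `with:` instead (the v1.11.x releases expose `permission-<name>` inputs, for example `permission-pull-requests: write` and `permission-contents: read` for the auto-merge job), and keep the App's installed permissions themselves to the minimum the two workflows need.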
Consider adding a permissions block to the create-github-app-token step to restrict the token to only the minimum required scopes.
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 | |
| uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6 | |
| permissions: | |
| pull-requests: write | |
| contents: read |
@jeffwidman these suggestions for limiting permissions might be worth checking out
Yes, and there's even more we need to do on that front, but first let's get it working, and then I plan to restrict scopes and set up token federation from Vault. I'm writing up an internal ticket to track these.