
VLN-444: Use first-party action for GitHub app tokens

Open picatz opened this issue 2 months ago • 3 comments

Summary

  • .github/workflows/create-tag.yml: Set both checkout steps to disable credential persistence while continuing to use the generated app token.
  • .github/workflows/flaky-tests-report.yml: Checkout now uses the generated app token and turns off persistent credentials.
  • .github/workflows/trigger-publish.yml: Added explicit Temporal organization owner and repository scope so the app token can dispatch to docker-builds.
  • .github/workflows/trigger-version-info-service.yml: Formatted the repository scope as a newline-delimited list to match the updated token requirements.

Previous summary:

Summary

  • .github/workflows/trigger-publish.yml: Swapped tibdex/github-app-token for actions/create-github-app-token@v2 and translated inputs to new kebab-case fields to keep workflow functional and remove deprecated action usage.

picatz avatar Nov 04 '25 16:11 picatz

Semgrep found 1 missing-explicit-permissions finding:

No explicit GITHUB_TOKEN permissions found at the workflow or job level. Add a permissions: block at the workflow root (applies to all jobs) or per job with least privilege (e.g., contents: read and only specific writes like pull-requests: write if needed).

☝️ Should be resolved with https://github.com/temporalio/temporal/pull/8565

picatz avatar Nov 04 '25 17:11 picatz

Semgrep found 3 missing-explicit-permissions findings:

No explicit GITHUB_TOKEN permissions found at the workflow or job level. Add a permissions: block at the workflow root (applies to all jobs) or per job with least privilege (e.g., contents: read and only specific writes like pull-requests: write if needed).
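For reference, an added example (not the PR's own diff) of a trigger-publish style workflow that combines the points above: an explicit least-privilege `permissions:` block for the built-in `GITHUB_TOKEN`, `actions/create-github-app-token@v2` with an explicit owner and a newline-delimited repository list, and a checkout that uses the app token but does not persist it. The workflow name, variable/secret names, and the target workflow file are placeholders.

```yaml
# Added example, not code from the temporalio/temporal repository.
name: trigger-publish

on:
  push:
    tags: ["v*"]

# Least privilege for the built-in GITHUB_TOKEN (what the Semgrep
# missing-explicit-permissions finding asks for); the app token below
# carries the rights actually needed for the cross-repo dispatch.
permissions:
  contents: read

jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Generate a GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.PUBLISH_APP_ID }}           # placeholder variable name
          private-key: ${{ secrets.PUBLISH_APP_KEY }}  # placeholder secret name
          owner: temporalio                             # explicit installation owner
          repositories: |                               # newline-delimited list
            temporal
            docker-builds

      - name: Checkout with the app token, without persisting it
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          # Keeps the token out of .git/config so later steps (and anything
          # left on the runner) cannot reuse it.
          persist-credentials: false

      - name: Dispatch the publish workflow in docker-builds
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # publish.yml is a placeholder for the target workflow file
          gh workflow run publish.yml --repo temporalio/docker-builds \
            --ref main -f tag="${GITHUB_REF_NAME}"
```

The app token is scoped to the listed repositories only, so a dispatch to a repository outside that list fails at the API rather than succeeding with broader rights.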