feat(update-copilot-skills): optional App token so update PRs trigger CI#240
Merged
Pull request overview
This PR updates the reusable update-copilot-skills workflow to optionally create PRs using a GitHub App token so that downstream `on: pull_request` / `on: push` CI workflows in the caller repository are triggered (avoiding permanently blocked PRs due to required checks never running).
Changes:
- Added an opt-in `use-app-token` input plus `APP_PRIVATE_KEY` workflow secret for minting a GitHub App installation token.
- Added a token-generation step via `actions/create-github-app-token`.
- Routed the minted token (with fallback to `github.token`) into `actions/checkout` and `peter-evans/create-pull-request` (`token` + `branch-token`).
Set `persist-credentials: false` on checkout so the (now possibly App) token isn't left in the local git config for later steps. PR creation uses `peter-evans/create-pull-request` with its own `token`/`branch-token`, and the skills-update step uses `gh` via env; nothing downstream needs persisted git credentials. Matches `sync-cluster-policies.yaml`. Addresses Copilot review on #240.
Add `permission-contents: write` + `permission-pull-requests: write` to the `create-github-app-token` step so the minted token is scoped to exactly what the job needs, instead of inheriting the App installation's blanket permissions (zizmor `github-app` finding). Resolves the new code-scanning alert this PR would otherwise introduce.
🎉 This PR is included in version 3.3.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This was referenced May 26, 2026.
botantler Bot pushed a commit that referenced this pull request on May 27, 2026:
* ci: scope reusable-workflow App tokens to least privilege

Add explicit permission-* inputs to the six create-github-app-token steps that minted unscoped tokens (inheriting blanket GitHub App installation permissions), clearing the six standing zizmor/github-app code-scanning alerts (#170-#175). Each token is scoped to exactly what its consuming steps need, mirroring each job's already-declared permissions block:

- enable-auto-merge (auto-merge): contents, pull-requests
- create-release (release): contents, issues, pull-requests (semantic-release)
- sync-cluster-policies (sync-policies): contents, pull-requests
- validate-go-project (tidy, golangci-lint): contents, pull-requests
- validate-go-project (lint): contents, issues, pull-requests

Additive and backward-compatible: the token scope only narrows; no caller interface changes. update-copilot-skills.yaml was already scoped in #240.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: narrow git-push-only App tokens to contents-only

The App tokens in the tidy, golangci-lint, and mega-linter jobs are used only as the git credential for checkout + git-auto-commit-action (pushing linter auto-fixes). They are never used for PR/issue API calls — MegaLinter's PR/issue reporting uses the default GITHUB_TOKEN, governed by the unchanged job-level permissions block. So the App tokens need contents:write only; drop the unused permission-pull-requests/permission-issues inputs to keep them least-privileged (addresses the Copilot review on PR #245).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

--------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Problem
Skills-sync PRs opened by this reusable workflow never trigger the caller's CI, so their required checks never report and the PR stays permanently BLOCKED. Root cause: the workflow creates the PR with the default `GITHUB_TOKEN`, and GitHub suppresses `on: pull_request` / `push` events for PRs made with `GITHUB_TOKEN` (recursion guard). The caller's CI (which posts the required check) therefore never runs.

Observed on plugins #9 (2026-05-26): created by `github-actions[bot]` via `GITHUB_TOKEN`; CodeQL/Analyze ran (code-scanning default setup) but `CI - Required Checks` was missing → BLOCKED. The manual unblock was close+reopen with a user token; this makes it durable.

Fix (backward-compatible, opt-in)
Add an optional App-token path, mirroring the existing `sync-cluster-policies.yaml` convention in this repo:
- `use-app-token` input (boolean, default `false`).
- `APP_PRIVATE_KEY` secret.
- When `use-app-token: true`, mint a token via `actions/create-github-app-token` (`app-id: vars.APP_ID`, `private-key: secrets.APP_PRIVATE_KEY`) and pass it to `checkout` and `peter-evans/create-pull-request` (`token` + `branch-token`). PRs created with an App token DO trigger the caller's CI.
- `${{ steps.app-token.outputs.token || github.token }}` fallback preserves current behaviour when `use-app-token` is `false`.
- No caller breaks: all 4 callers (ksail, plugins, platform, this repo's CI dry-run) keep working unchanged; the App-token path is strictly opt-in.

Kept
`app-id: vars.APP_ID` to match the org's existing `sync-cluster-policies.yaml` (`create-github-app-token` now prefers `client-id`, but that's a separate org-wide migration).

Follow-up (after this merges + a release is cut)
Bump the plugins caller (`devantler-tech/plugins/.github/workflows/update-copilot-skills.yaml`, currently pinned `@v3.2.0`) to the new version and set `use-app-token: true` + `secrets: APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}`. Then skills-sync PRs trigger CI on their own and plugins' `🔀 Enable Auto-Merge` finishes them.

Validation
`actionlint` passes locally; YAML parses clean.
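The workflow shape the PR description above and the review comments describe (opt-in App token, `permission-*` scoping of the minted token, `persist-credentials: false` on checkout, the `|| github.token` fallback, and `token` + `branch-token` on create-pull-request), as an added example. This is not the repository's `update-copilot-skills.yaml` and not code from the PR; the job and step names, the branch name, the commit and PR text, the action major versions, and the `./scripts/update-copilot-skills.sh` sync step are assumptions made here for illustration.

```yaml
# Added example, not the repository's own reusable workflow. Job/step names,
# the branch name, commit/PR text and the sync script path are assumed.
name: update-copilot-skills

on:
  workflow_call:
    inputs:
      use-app-token:
        description: Mint a GitHub App installation token so the created PR triggers the caller's CI
        type: boolean
        required: false
        default: false
    secrets:
      APP_PRIVATE_KEY:
        description: Private key of the GitHub App (only needed when use-app-token is true)
        required: false

permissions:
  contents: write
  pull-requests: write

jobs:
  update-skills:
    runs-on: ubuntu-latest
    steps:
      # Runs only when the caller opts in. The permission-* inputs narrow the
      # minted token to what this job needs instead of inheriting the App
      # installation's full permission set (the zizmor github-app finding).
      - name: Mint App token
        id: app-token
        if: ${{ inputs.use-app-token }}
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write

      # When the step above is skipped its output is empty, so the expression
      # falls back to github.token and the workflow behaves exactly as before.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token || github.token }}
          # Do not leave the (possibly App) token in .git/config for later steps.
          persist-credentials: false

      - name: Update skills
        env:
          # gh reads GH_TOKEN from the environment; nothing here needs
          # persisted git credentials.
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        # Assumed path; the real sync step is not shown on the PR page.
        run: ./scripts/update-copilot-skills.sh

      # branch-token pushes the branch, token opens the PR. With an App token the
      # PR author is the App's bot user rather than github-actions[bot], so the
      # caller's on: pull_request / on: push workflows are not suppressed.
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.app-token.outputs.token || github.token }}
          branch-token: ${{ steps.app-token.outputs.token || github.token }}
          branch: chore/update-copilot-skills
          commit-message: "chore: update copilot skills"
          title: "chore: update copilot skills"
          body: Automated skills sync.
```

A caller consumes this as a `workflow_call` with `use-app-token: true` and `APP_PRIVATE_KEY` passed through under `secrets:`, as the follow-up section above describes; leaving the input at its default keeps the old `GITHUB_TOKEN` behaviour, including the suppressed CI runs. One check worth making after enabling it: `gh pr view <number> --json author` on a new skills-sync PR should show the App's `[bot]` user, not `github-actions[bot]`; that author is what determines whether the caller's `on: pull_request` runs fire.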