chore(ci): migrate all workflows from PAT to GITHUB_TOKEN/App Token [SEC-58]#26

Open
lvrach wants to merge 4 commits into master from chore/SEC-58-migrate-pat-to-github-app-token

@lvrach lvrach commented Jan 29, 2026

Summary

  • Migrates all PAT usages to GITHUB_TOKEN or GitHub App Token
  • Adds explicit permissions at job level with comments explaining why
  • Follows January 2026 best practices for GitHub Actions security
  • Uses simplified API-based pattern for verified commits

Files Changed

  • .github/workflows/draft-new-release.yml
  • .github/workflows/notion-pr-sync.yml
  • .github/workflows/publish-new-release.yml

Migration Details

| File | Token Type | Permissions | Changes |
|---|---|---|---|
| notion-pr-sync.yml | GITHUB_TOKEN | pull-requests: read | Replaced PAT with GITHUB_TOKEN for simple PR data sync |
| draft-new-release.yml | GitHub App Token | contents: write, pull-requests: write | Simplified pattern: removed git config/push, uses API-based branch creation |
| publish-new-release.yml | GitHub App Token | contents: write | Added token generation step, creates releases via API |

Migration Pattern Evolution

The key insight from the pattern evolution is:

  1. The signed-commit action (ryancyq/github-signed-commit) creates commits via GitHub's GraphQL API, producing verified commits with the App's identity
  2. This eliminates the need for many git commands: git config, git add, git commit, git push
  3. The key requirement is that branches must be created via GitHub API (gh api .../git/refs) before the signed-commit action can push to them

Changes in draft-new-release.yml

REMOVED (no longer needed):

  • git config user.name/email steps - signed commit uses App identity
  • git push --set-upstream origin - branch created via API

REPLACED WITH:

  • Create branch via GitHub API: gh api repos/${{ github.repository }}/git/refs --method POST
  • Use --skip.commit --skip.tag with standard-version (file modifications only)
  • Use ryancyq/github-signed-commit@v1.2.0 for verified commits

Why These Changes?

notion-pr-sync.yml: Uses GITHUB_TOKEN because it only reads PR metadata for Notion sync. No workflow triggering needed.

draft-new-release.yml: Uses GitHub App Token + simplified pattern because:

  • Git push with ANY token does NOT create verified commits
  • Must use GitHub API via ryancyq/github-signed-commit@v1.2.0 for verified commits
  • Branch creation via API eliminates need for git remote set-url with token-in-URL
  • Created PRs must trigger downstream CI workflows

publish-new-release.yml: Uses GitHub App Token because:

  • GITHUB_TOKEN cannot trigger other workflows (security feature)
  • Requires write access to create releases and tags

Security Improvements

  • Explicit permissions at job level (not workflow level)
  • Minimal GITHUB_TOKEN permissions (contents: read)
  • App Token generated early, before checkout
  • App Token passed to checkout via token: parameter
  • All permissions have explanatory comments
  • Verified commits via GitHub API (not git push)

Test plan

  • Verify notion-pr-sync workflow runs successfully with GITHUB_TOKEN
  • Verify draft-new-release workflow creates PRs that trigger CI
  • Verify draft-new-release creates verified commits (green checkmark)
  • Verify publish-new-release workflow creates releases successfully

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
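The draft-new-release pattern the description lays out (job-level permissions, App token minted before checkout, branch created through the refs API, standard-version limited to file edits, commit made through the signed-commit action), written out as an added illustration that is not taken from this PR's diff. The secret names, the branch name and the `files`/`commit-message` inputs of the signed-commit action are assumptions; `actions/create-github-app-token` and the `gh api -f ref=... -f sha=...` payload are the standard forms.

```yaml
name: draft-new-release (illustrative hardened pattern)

on:
  workflow_dispatch:

jobs:
  draft-release:
    runs-on: ubuntu-latest
    # Job-level, not workflow-level: only this job receives write scopes.
    permissions:
      contents: write        # create the release branch via the git/refs API
      pull-requests: write   # open the release PR

    steps:
      # Mint the App token first so every later step (checkout included)
      # uses it rather than GITHUB_TOKEN, which cannot trigger downstream CI.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}               # assumed secret name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} # assumed secret name

      # Branch is created through the API: no git remote set-url, no token in a URL.
      - name: Create release branch via API
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gh api "repos/${{ github.repository }}/git/refs" --method POST \
            -f ref="refs/heads/release/next" \
            -f sha="${{ github.sha }}"

      - uses: actions/checkout@v4
        with:
          ref: release/next                                   # assumed branch name
          token: ${{ steps.app-token.outputs.token }}

      # Only modify files on disk; committing and tagging happen through the API.
      - name: Bump version and changelog
        run: npx standard-version --skip.commit --skip.tag

      # GraphQL-API commit: verified, attributed to the App identity, no git config/push.
      - name: Create verified commit
        uses: ryancyq/github-signed-commit@v1.2.0
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        with:
          commit-message: "chore(release): draft next release"
          files: |
            CHANGELOG.md
            package.json
            package-lock.json
```

The check that matters after a run is the one in the test plan: the commit on release/next must carry the "Verified" badge, and the PR opened from it must have triggered the repository's CI workflows.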

🔒 Scanned for secrets using gitleaks 8.30.0
…b App token [SEC-58]

🔒 Scanned for secrets using gitleaks 8.30.0
@lvrach lvrach changed the title chore(ci): migrate notion-pr-sync.yml to GITHUB_TOKEN [SEC-58] chore(ci): migrate all workflows from PAT to GITHUB_TOKEN/App Token [SEC-58] Jan 29, 2026
…C-58]

Replace git add/commit/push with ryancyq/github-signed-commit action
to create verified commits. Git push with tokens (PAT, GITHUB_TOKEN,
or App Token) does not create verified commits - must use GitHub API.

Changes:
- Remove git add README.md (signed-commit reads files from disk)
- Add --skip.commit --skip.tag to standard-version (skip git commit/tag)
- Replace git push --follow-tags with github-signed-commit action
- Files committed: CHANGELOG.md, package.json, package-lock.json, README.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

🔒 Scanned for secrets using gitleaks 8.30.0
…EC-58]

🔒 Scanned for secrets using gitleaks 8.30.0
@lvrach lvrach requested review from SKannaniOS and vgupta98 January 30, 2026 14:41
