Merged
15 changes: 15 additions & 0 deletions .github/workflows/release-helm.yaml
@@ -74,3 +74,18 @@
run: |
cd charts
./publish.sh ${{ inputs.chart }} oci://ghcr.io/${{ env.REGISTRY_USER }}/charts
dispatch-renovate:
runs-on: ubuntu-latest
needs: [ release ]
steps:
- uses: actions/github-script@v7
with:
github-token: ${{ secrets.DISPATCH_PAT }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'traPtitech',
repo: 'manifest',
workflow_id: 'renovate.yaml',
ref: 'main'
})
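Review bot: the new `dispatch-renovate` job (lines +79 to +91) sets no `permissions:` block although its only credential is `secrets.DISPATCH_PAT`, so the default GITHUB_TOKEN it receives is unused but unrestricted; adding `permissions: {}` at the job level states that explicitly and addresses the CodeQL finding for this job. Two smaller points: the equivalent job being removed from release.yaml carried `name: Dispatch Renovate`, which is dropped here, and `actions/github-script@v7` is pinned to a moving major tag rather than a full commit SHA, which is the more robust choice for a step that holds a cross-repository PAT.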
Comment on lines +79 to +91

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago)
To fix the problem, you should add a permissions block to the workflow file, specifying only the permissions required for the jobs. The best way is to add the block at the top level of the workflow, so it applies to all jobs unless overridden. For this workflow, the release job needs to push commits and publish packages, so it requires contents: write and possibly packages: write. The dispatch-renovate job uses a personal access token (DISPATCH_PAT) to dispatch another workflow, but does not use GITHUB_TOKEN for any privileged operation, so it can be set to none or left as is. However, for clarity and security, it's best to set the minimal permissions at the workflow level, and override per job if needed.

You should add the following block near the top of the file, after the name and run-name fields:

permissions:
  contents: write
  packages: write

If you want to be even more restrictive, you can set permissions: {} at the workflow level and add the required permissions only to the release job. For simplicity and clarity, the above is sufficient.

Suggested changeset 1: .github/workflows/release-helm.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml
--- a/.github/workflows/release-helm.yaml
+++ b/.github/workflows/release-helm.yaml
@@ -1,5 +1,8 @@
 name: Release helm chart
 run-name: Release helm chart (${{ inputs.strategy }})
+permissions:
+  contents: write
+  packages: write
 
 on:
   workflow_dispatch:
EOF
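Review bot: the suggested top-level `permissions:` grants `contents: write` and `packages: write` to every job in the workflow, including `dispatch-renovate`, which authenticates with `secrets.DISPATCH_PAT` and never uses GITHUB_TOKEN. The more restrictive option the comment itself mentions, `permissions: {}` at the workflow level with `contents: write` and `packages: write` declared only on the `release` job, is the one that follows least privilege while still satisfying the CodeQL check for both jobs.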
16 changes: 0 additions & 16 deletions .github/workflows/release.yaml
@@ -97,19 +97,3 @@ jobs:
# tag_name will default in the current branch name for workflow_dispatch via workflow_call, so we're passing tag value via inputs manually.
tag_name: ${{ inputs.ref_name || github.ref_name }}
generate_release_notes: true

dispatch-renovate:
name: Dispatch Renovate
runs-on: ubuntu-latest
needs: [ image, release ]
steps:
- uses: actions/github-script@v7
with:
github-token: ${{ secrets.DISPATCH_PAT }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'traPtitech',
repo: 'manifest',
workflow_id: 'renovate.yaml',
ref: 'main'
})
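Review bot: removing `dispatch-renovate` here changes when Renovate is triggered. The deleted job waited on `needs: [ image, release ]`; its replacement in release-helm.yaml waits only on the chart `release` job, and in tag.yaml `helm-tag` depends on `tag` alone, not on the job that calls release.yaml. If Renovate is expected to pick up the new application image as well as the chart, the dispatch can now fire before that image is published; either add a dependency on the app release in tag.yaml or note in the workflow that the dispatch is intentionally chart-only.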
2 changes: 2 additions & 0 deletions .github/workflows/tag.yaml
@@ -77,10 +77,12 @@ jobs:
uses: ./.github/workflows/release.yaml
with:
ref_name: ${{ needs.tag.outputs.new-tag }}
secrets: inherit

# Bump and release helm chart on app release
helm-tag:
needs: [ tag ]
uses: ./.github/workflows/release-helm.yaml
with:
strategy: ${{ inputs.strategy }}
secrets: inherit
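Review bot: `secrets: inherit` on the `helm-tag` call hands every repository secret to release-helm.yaml, while the only secret visible in that workflow on this page is `secrets.DISPATCH_PAT`. If the chart `release` job needs nothing else, declaring `DISPATCH_PAT` under `on.workflow_call.secrets` in release-helm.yaml and passing it explicitly here (`secrets:` followed by `DISPATCH_PAT: ${{ secrets.DISPATCH_PAT }}`) limits what a compromised step in the called workflow can read.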