Use GitHub App to create a new token (for PUSH and RELEASE) #1953
Merged
Replaces static secrets with a dynamically generated GitHub App token, enhancing security and granting precise permissions.
Grants write permissions for actions, contents, and workflows to the GitHub App token for CI operations.
Update TypeScript compilation target to ES2022 and refactor code with optional chaining for conciseness. Optimize CI dependency installation by ignoring scripts and passing workflow inputs via environment variables.
Centralizes GitHub App token generation for write operations across workflows, improving consistency and maintainability.
Replaces direct use of a legacy token with an App-generated token for enhanced security in release workflows.
Add blank lines to visually separate steps in GitHub Actions workflows.
Updates GitHub Actions workflows to use specific `contents: read` permissions for enhanced security and least privilege.
Enhance security and stability by preventing execution of lifecycle scripts during dependency installation in CI/CD.
Replaces custom token generation actions with `actions/create-github-app-token@v2` and explicitly defines required permissions.
Thank you @arturcic for your contribution!
This pull request focuses on improving GitHub Actions workflows and related automation scripts for the project. The main enhancements include switching to GitHub App tokens for better security, refining permissions scopes for workflows, and making dependency installation more robust. There are also minor code cleanups and improvements to script reliability.
Workflow Security and Token Management:
- Replaced the static secrets (`PUSH_GITHUB_TOKEN` and `RELEASE_GITHUB_TOKEN`) with dynamically generated GitHub App tokens using the `actions/create-github-app-token` action in the `ci.yml`, `release.yml`, `prerelease.yml`, `gitversion-published.yml`, and `examples-version.yml` workflows. This change improves security and allows for more granular permissions management.

Workflow Permissions Hardening:
- Changed `read-all` to `contents: read` across all workflows, and set job-level permissions where necessary. This limits the default permissions for workflows, following GitHub security best practices.
- Added `permissions` blocks to jobs in multi-job workflows where required.

Dependency Installation Improvements:
- Updated `npm install` commands in CI and release workflows to use the `--ignore-scripts` flag, preventing the execution of potentially unsafe lifecycle scripts during dependency installation.

Robustness and Minor Code Improvements:
- Refactored `src/tools/common/dotnet-tool.ts` for more concise and reliable code when handling fetch responses and version arrays.

Action and Script Refactoring:
- Updated the `publish-azure` GitHub Action to use environment variables for passing inputs to the publishing script, aligning with best practices and improving maintainability.

These changes collectively enhance the security, maintainability, and reliability of the project's CI/CD pipelines.
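As an added example (not the project's own workflow file), this is a workflow in the shape the PR describes: a read-only `contents: read` default, `--ignore-scripts` on dependency installation, and a short-lived `actions/create-github-app-token@v2` token scoped to the actions, contents and workflows permissions the push step needs, replacing a long-lived `PUSH_GITHUB_TOKEN` secret. The secret names `APP_ID` and `APP_PRIVATE_KEY` and the step contents are assumptions.

```yaml
name: ci

# Workflow-level default is read-only, the `contents: read` setting the PR applies.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # --ignore-scripts keeps package lifecycle scripts (preinstall, postinstall)
      # from executing with the runner's privileges during dependency installation.
      - name: Install dependencies
        run: npm install --ignore-scripts

      - name: Build
        run: npm run build

  push:
    needs: build
    runs-on: ubuntu-latest
    steps:
      # Short-lived installation token scoped to exactly the permissions this job
      # needs, in place of a long-lived PUSH_GITHUB_TOKEN secret.
      # APP_ID and APP_PRIVATE_KEY are assumed secret names, not taken from the PR.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-actions: write
          permission-contents: write
          permission-workflows: write

      # Check out with the App token so the persisted git credential is the
      # scoped token rather than the read-only GITHUB_TOKEN.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Commit and push generated files
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git diff --cached --quiet || git commit -m "chore: update generated files"
          git push
```

The App token expires after the job, so a leaked runner log or artifact does not carry a reusable credential the way a personal access token stored in `PUSH_GITHUB_TOKEN` would.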