
Fix daily report #122

Merged: joselsegura merged 1 commit into master from fix-daily-report on Apr 30, 2026

Conversation

@joselsegura (Contributor) commented Apr 30, 2026

Description

The "Daily Open PRs report" was failing due to security restrictions imposed in recent weeks.

The job will use obsint-processing-app bot credentials in order to create a PR in the repository, which will be automerged due to the security rules and other workflows acting on each PR.

Fixes #CCXDEV-16345

Type of change

  • Configuration update

Testing steps

Tested successfully by running the job manually.

@joselsegura joselsegura requested review from a team and InsightsDroid as code owners April 30, 2026 11:53
@coderabbitai (Bot, Contributor) commented Apr 30, 2026

Summary by CodeRabbit

  • Chores
    • Updated GitHub workflow automation to use GitHub App token authentication and automated PR creation instead of manual git operations.
    • Upgraded GitHub Actions dependencies to newer versions.

Walkthrough

A GitHub Actions workflow file was updated to authenticate using a GitHub App token instead of a default approach, replaced manual git commit/push operations with an automated PR creation action, and bumped dependencies to newer major versions.

Changes

Cohort / File(s) | Summary
Workflow Authentication & PR Automation (.github/workflows/open-prs.yaml) | Updated to use GitHub App token authentication via create-github-app-token, replaced manual git commit/push with the create-pull-request action specifying branch, title, body, label, and commit message. Upgraded actions/checkout and actions/setup-python to newer major versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Fix daily report' directly addresses the main change: fixing a failing Daily Open PRs report workflow by updating authentication and PR creation mechanisms.
Description check ✅ Passed The description is fully related to the changeset, explaining the security issue that prompted the workflow changes and the solution implemented using bot credentials.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/open-prs.yaml (1)

17-20: Set persist-credentials to false to reduce token exposure.

At Line 19, persist-credentials: true persists the checkout token to the runner's temporary storage, making it available to subsequent steps in the same job. Since the workflow explicitly uses a GitHub App token for later operations, there is no need to keep the checkout token in memory; set this to false to reduce the attack surface.

♻️ Proposed change
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
-          persist-credentials: true
+          persist-credentials: false
           fetch-depth: 1
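Review bot: with persist-credentials set to false the checkout token is no longer available to later steps, so the create-pull-request step that pushes the report branch must be handed the App token explicitly (the output of the app_token step) rather than relying on the persisted checkout credential; the description says the job uses the obsint-processing-app credentials for the PR, so confirm that step's token input is wired to the App token, otherwise the push will fail once this change lands.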
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/open-prs.yaml around lines 17 - 20, Change the
actions/checkout@v6 step to set persist-credentials: false to avoid leaving the
checkout token available to later steps; locate the checkout step that currently
has persist-credentials: true and replace it with persist-credentials: false so
subsequent steps use the explicit GitHub App token instead of the persisted
runner token.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 4b5f75c1-2dd4-4ef1-8ce3-1ea69bfd8598

📥 Commits

Reviewing files that changed from the base of the PR and between 244dcd0 and 4b5984f.

📒 Files selected for processing (1)
  • .github/workflows/open-prs.yaml

Comment on lines +33 to 37
with:
client-id: ${{ secrets.OBSINT_PROCESSING_APP_CLIENT_ID }}
private-key: ${{ secrets.OBSINT_PROCESSING_APP_PRIVATE_KEY }}
owner: RedHatInsights


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For actions/create-github-app-token@v3, when owner is set but repositories is omitted, is token access scoped to all repositories in that installation?

💡 Result:

Yes, when the owner input is set but repositories is omitted in actions/create-github-app-token@v3, the token access is scoped to all repositories accessible to that GitHub App installation on the specified owner (user or organization account).


Scope the GitHub App token to the minimum repositories and permissions.

At line 36, setting owner without repositories grants the token access to all repositories in the installation, which is broader than needed for this job.

🔒 Proposed hardening
       - id: app_token
         uses: actions/create-github-app-token@v3
         with:
           client-id: ${{ secrets.OBSINT_PROCESSING_APP_CLIENT_ID }}
           private-key: ${{ secrets.OBSINT_PROCESSING_APP_PRIVATE_KEY }}
           owner: RedHatInsights
+          repositories: |
+            processing-tools
+            # add only repos queried by open_mr_pr/github/list_repos_prs.py
+          permission-contents: write
+          permission-pull-requests: write
+          permission-metadata: read
+          permission-checks: read
+          permission-statuses: read
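Review bot: the `# add only repos queried by open_mr_pr/github/list_repos_prs.py` line in this hunk sits inside the `repositories: |` literal block scalar, where YAML treats it as data rather than a comment, so the action would receive it as a second repository name and the token request would fail; move that comment above `repositories:` or drop it. The hunk also keeps `client-id` while the actionlint output below reports that input as undefined for create-github-app-token@v3 and lists `app-id` instead, so check the input name against the action's current documentation before committing. Finally, the read permissions on checks and statuses are not justified by anything visible here; list_repos_prs.py lists pull requests and the job pushes a branch and opens a PR, so contents and pull-requests write plus metadata read is the set to start from, adding others only when a step demonstrably needs them.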
🧰 Tools
🪛 actionlint (1.7.12)

[error] 34-34: input "client-id" is not defined in action "actions/create-github-app-token@v3". available inputs are "app-id", "github-api-url", "owner", "permission-actions", "permission-administration", "permission-checks", "permission-codespaces", "permission-contents", "permission-custom-properties-for-organizations", "permission-dependabot-secrets", "permission-deployments", "permission-email-addresses", "permission-enterprise-custom-properties-for-organizations", "permission-environments", "permission-followers", "permission-git-ssh-keys", "permission-gpg-keys", "permission-interaction-limits", "permission-issues", "permission-members", "permission-metadata", "permission-organization-administration", "permission-organization-announcement-banners", "permission-organization-copilot-seat-management", "permission-organization-custom-org-roles", "permission-organization-custom-properties", "permission-organization-custom-roles", "permission-organization-events", "permission-organization-hooks", "permission-organization-packages", "permission-organization-personal-access-token-requests", "permission-organization-personal-access-tokens", "permission-organization-plan", "permission-organization-projects", "permission-organization-secrets", "permission-organization-self-hosted-runners", "permission-organization-user-blocking", "permission-packages", "permission-pages", "permission-profile", "permission-pull-requests", "permission-repository-custom-properties", "permission-repository-hooks", "permission-repository-projects", "permission-secret-scanning-alerts", "permission-secrets", "permission-security-events", "permission-single-file", "permission-starring", "permission-statuses", "permission-team-discussions", "permission-vulnerability-alerts", "permission-workflows", "private-key", "repositories", "skip-token-revoke"

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/open-prs.yaml around lines 33 - 37, The workflow step that
configures the GitHub App auth uses owner without scoping repositories (the
fields client-id and private-key), which grants the token access to all
installation repos; update that step to include an explicit repositories list
(e.g., repositories: [ "org/repo-name" ] or the specific repo variables) and
tighten permissions to only what the job needs, leaving client-id, private-key
and owner as-is but adding repositories and minimal permissions to limit scope.
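A complete workflow shape that incorporates both review findings (no persisted checkout credential, an App token scoped to a named repository and a minimal permission set, and that token passed explicitly to the PR step), as an added example that is not the project's own open-prs.yaml and not part of this PR. The secret names, owner and checkout/app-token action versions are taken from the lines quoted above; the repository name `processing-tools` is taken from the bot's suggestion and, like the schedule, script invocation, branch name, label, PR text, setup-python version and the choice of `peter-evans/create-pull-request` as the PR action, is an assumption:

```yaml
name: Daily Open PRs report

on:
  schedule:
    - cron: "0 6 * * 1-5"   # placeholder schedule (assumption)
  workflow_dispatch:

# The job's own GITHUB_TOKEN only needs to read the checkout;
# every write goes through the App installation token minted below.
permissions:
  contents: read

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false   # do not leave the checkout token behind for later steps
          fetch-depth: 1

      - name: Mint a scoped installation token for the bot
        id: app_token
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ secrets.OBSINT_PROCESSING_APP_CLIENT_ID }}
          private-key: ${{ secrets.OBSINT_PROCESSING_APP_PRIVATE_KEY }}
          owner: RedHatInsights
          # Comments must stay outside the block scalar: inside "|" they become data.
          # List only the repositories this job writes to or that the report script
          # reads; names are relative to "owner". "processing-tools" is an assumption.
          repositories: |
            processing-tools
          permission-contents: write        # push the report branch
          permission-pull-requests: write   # open the PR
          permission-metadata: read

      - name: Set up Python
        uses: actions/setup-python@v5        # version tag is an assumption
        with:
          python-version: "3.12"

      - name: Generate report
        env:
          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
        run: python open_mr_pr/github/list_repos_prs.py   # assumed invocation

      - name: Open PR with the updated report
        uses: peter-evans/create-pull-request@v7          # assumed PR action and version
        with:
          token: ${{ steps.app_token.outputs.token }}     # App token, never the persisted checkout credential
          branch: automated/daily-open-prs-report         # assumed branch name
          commit-message: "Update daily open PRs report"
          title: "Daily Open PRs report"
          body: "Automated update of the daily open PRs report."
          labels: automerge                               # assumed label consumed by the automerge rules
```

The point of the split is that the workflow-level `permissions` block governs only the job's built-in GITHUB_TOKEN, while the App token is scoped independently by `repositories` and the `permission-*` inputs; a step that is not given the App token cannot write anywhere, and a step that is given it can still only touch the listed repositories with the listed permissions. If the report script reads pull requests from other repositories in the organization, each of them has to be added to `repositories` or the API calls for them will be rejected.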

@joselsegura joselsegura merged commit a5b5ebc into master Apr 30, 2026
6 checks passed
@joselsegura joselsegura deleted the fix-daily-report branch April 30, 2026 12:09
3 participants