39 changes: 18 additions & 21 deletions .github/workflows/open-prs.yaml
@@ -14,46 +14,43 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
persist-credentials: true
fetch-depth: 1

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.11'

- name: Install dependencies
run: |
pip install pyyaml

- name: Configure Git
run: |
git config user.name "InsightsDroid"
git config user.email "InsightsDroid[bot]@users.noreply.github.com"
- id: app_token
uses: actions/create-github-app-token@v3
with:
client-id: ${{ secrets.OBSINT_PROCESSING_APP_CLIENT_ID }}
private-key: ${{ secrets.OBSINT_PROCESSING_APP_PRIVATE_KEY }}
owner: RedHatInsights
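Review bot: `persist-credentials: true` on the Checkout repository step is no longer needed once the app token is introduced, since the later Create Pull Request step receives `steps.app_token.outputs.token` explicitly; with it left on, the default `GITHUB_TOKEN` stays in `.git/config` for every remaining step, including the Python script run, as a second credential nobody uses. Set `persist-credentials: false` so the app token is the only credential in the job. Separately, actionlint 1.7.12 reports `client-id` as not an input of `actions/create-github-app-token@v3`; the linter's bundled input list can lag the action, so verify against the action's `action.yml` at the pinned ref that `client-id` is accepted there, because an unrecognised input would leave the step without an app identity and every later step would read an empty `steps.app_token.outputs.token`.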

Comment on lines +33 to 37
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For actions/create-github-app-token@v3, when owner is set but repositories is omitted, is token access scoped to all repositories in that installation?

💡 Result:

Yes, when the owner input is set but repositories is omitted in actions/create-github-app-token@v3, the token access is scoped to all repositories accessible to that GitHub App installation on the specified owner (user or organization account).

Scope the GitHub App token to the minimum repositories and permissions.

At line 36, setting owner without repositories grants the token access to all repositories in the installation, which is broader than needed for this job.

🔒 Proposed hardening
       - id: app_token
         uses: actions/create-github-app-token@v3
         with:
           client-id: ${{ secrets.OBSINT_PROCESSING_APP_CLIENT_ID }}
           private-key: ${{ secrets.OBSINT_PROCESSING_APP_PRIVATE_KEY }}
           owner: RedHatInsights
+          repositories: |
+            processing-tools
+            # add only repos queried by open_mr_pr/github/list_repos_prs.py
+          permission-contents: write
+          permission-pull-requests: write
+          permission-metadata: read
+          permission-checks: read
+          permission-statuses: read
🧰 Tools
🪛 actionlint (1.7.12)

[error] 34-34: input "client-id" is not defined in action "actions/create-github-app-token@v3". available inputs are "app-id", "github-api-url", "owner", "permission-actions", "permission-administration", "permission-checks", "permission-codespaces", "permission-contents", "permission-custom-properties-for-organizations", "permission-dependabot-secrets", "permission-deployments", "permission-email-addresses", "permission-enterprise-custom-properties-for-organizations", "permission-environments", "permission-followers", "permission-git-ssh-keys", "permission-gpg-keys", "permission-interaction-limits", "permission-issues", "permission-members", "permission-metadata", "permission-organization-administration", "permission-organization-announcement-banners", "permission-organization-copilot-seat-management", "permission-organization-custom-org-roles", "permission-organization-custom-properties", "permission-organization-custom-roles", "permission-organization-events", "permission-organization-hooks", "permission-organization-packages", "permission-organization-personal-access-token-requests", "permission-organization-personal-access-tokens", "permission-organization-plan", "permission-organization-projects", "permission-organization-secrets", "permission-organization-self-hosted-runners", "permission-organization-user-blocking", "permission-packages", "permission-pages", "permission-profile", "permission-pull-requests", "permission-repository-custom-properties", "permission-repository-hooks", "permission-repository-projects", "permission-secret-scanning-alerts", "permission-secrets", "permission-security-events", "permission-single-file", "permission-starring", "permission-statuses", "permission-team-discussions", "permission-vulnerability-alerts", "permission-workflows", "private-key", "repositories", "skip-token-revoke"

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/open-prs.yaml around lines 33 - 37, The workflow step that
configures the GitHub App auth uses owner without scoping repositories (the
fields client-id and private-key), which grants the token access to all
installation repos; update that step to include an explicit repositories list
(e.g., repositories: [ "org/repo-name" ] or the specific repo variables) and
tighten permissions to only what the job needs, leaving client-id, private-key
and owner as-is but adding repositories and minimal permissions to limit scope.

- name: Generate PR reports
env:
GITHUB_TOKEN: ${{ secrets.INSIGHTSDROID_TOKEN }}
GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
echo "🔍 Fetching open PRs..."
cd open_mr_pr/github
python3 list_repos_prs.py
# Copy konflux report to README for easy viewing
cp open-prs-konflux.md README.md

- name: Commit and push results
run: |
# Add generated files
git add open_mr_pr/github/open-prs-konflux.md open_mr_pr/github/open-prs-others.md open_mr_pr/github/open-prs.csv open_mr_pr/github/README.md || true

# Check if there are changes to commit
if git diff --cached --quiet; then
echo "📊 No changes to commit"
else
echo "📊 Committing updated PR reports..."
git commit -m "chore: update open PRs report [bot]"
git pull --rebase origin main || git pull --rebase origin master || true
git push
fi
- name: Create Pull Request
uses: peter-evans/create-pull-request@v8
with:
token: ${{ steps.app_token.outputs.token }}
title: "chore: update open PRs report [bot]"
body: "This PR is automatically created by the obsint-processing-app bot."
branch: obsint-processing-app/open-prs-report
labels: "bot"
commit-message: "chore: update open PRs report [bot]"
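Review bot: the Create Pull Request step sets no `add-paths`, so peter-evans/create-pull-request will stage every change in the working tree, whereas the removed Commit and push results step limited `git add` to the four generated files (`open-prs-konflux.md`, `open-prs-others.md`, `open-prs.csv` and `README.md` under `open_mr_pr/github`). Add `add-paths: open_mr_pr/github/` (or list those four files) so that nothing else the script run leaves on disk can be committed into the bot's PR. Also worth stating in the PR description: a pull request opened with an app token, unlike one opened with `GITHUB_TOKEN`, does trigger the repository's `pull_request` workflows, so each scheduled report update will now also start a CI run.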