Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token #3851
Use actions/create-github-app-token to generate a scoped installation token for valkey-release-automation instead of the broad AUTOMATION_PAT.

Part of valkey-io/valkey-release-automation#53

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Walkthrough
The pull request updates the build-release trigger workflow to use GitHub App token authentication instead of a static personal access token. A new step generates an installation token from bot app credentials, and the repository-dispatch step now references this dynamically generated token.
Actionable comments posted: 1
Inline comments:
In @.github/workflows/trigger-build-release.yml:
- Around line 43-50: The "Generate token" step uses
actions/create-github-app-token without scoping permissions; update the step
(the job step named "Generate token" that calls
actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 and
supplies app-id, private-key, owner, repositories) to include explicit
least-privilege permissions by adding a permission input such as
permission-contents: write (or other minimal permission required for the
subsequent repository_dispatch) under the with block so the created token is
constrained to only the needed permissions.
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## unstable #3851 +/- ##
============================================
+ Coverage 76.61% 76.68% +0.06%
============================================
Files 162 162
Lines 80694 80694
============================================
+ Hits 61823 61877 +54
+ Misses 18871 18817 -54
sarthakaggarwal97
left a comment
This looks good! Thanks @jjuleslasarte!
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Add conditional to skip token generation when not running on the valkey-io org, falling back to AUTOMATION_PAT. This allows developers to test the workflow on their own forks/repositories before PRing.

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
55db301 to 3ee5ebb
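The permission scoping suggested in the review and the fork fallback from the later commit, combined in one workflow as an added example (this is not the project's actual trigger-build-release.yml). The secret names for the app credentials, the `event_type` value, the fork target repository and the use of `gh api` for the dispatch are assumptions.

```yaml
# Added example, not the contents of .github/workflows/trigger-build-release.yml.
# EXAMPLE_BOT_* secret names and the event_type are placeholders.
name: trigger-build-release (example)
on:
  workflow_dispatch:

# The job's own GITHUB_TOKEN is not used for the dispatch, so give it nothing.
permissions: {}

jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      # Before: a long-lived PAT with every scope and repository its owner granted.
      #   env:
      #     GH_TOKEN: ${{ secrets.AUTOMATION_PAT }}

      # After: a short-lived installation token, limited to one repository and
      # to the one permission a repository_dispatch call needs.
      - name: Generate token
        id: app-token
        # Skipped outside the valkey-io org, where the app credentials are absent.
        if: github.repository_owner == 'valkey-io'
        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547
        with:
          app-id: ${{ secrets.EXAMPLE_BOT_APP_ID }}
          private-key: ${{ secrets.EXAMPLE_BOT_PRIVATE_KEY }}
          owner: valkey-io
          repositories: valkey-release-automation
          permission-contents: write

      - name: Send repository_dispatch
        env:
          # A skipped step has an empty output, so forks fall back to the PAT.
          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.AUTOMATION_PAT }}
          # Assumes a fork owner keeps their own copy of the target repository.
          TARGET_REPO: ${{ github.repository_owner }}/valkey-release-automation
        run: |
          gh api --method POST "repos/${TARGET_REPO}/dispatches" \
            -f event_type=example-build-release
```

Without a `permission-*` input the generated token carries every permission the app installation was granted, so the input is what narrows it to `contents: write`.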
roshkhatri
left a comment
Thank you for the changes @jjuleslasarte :)
…#3851)

Use actions/create-github-app-token to generate a scoped installation token for valkey-release-automation instead of the broad AUTOMATION_PAT.

Part of valkey-io/valkey-release-automation#53

---------

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Co-authored-by: Jules Lasarte <lasartej@amazon.com>
# Backport sweep for 9.1

Automated cherry-picks from PRs marked "To be backported".

## Applied

| Source PR | Title | Detail |
|---|---|---|
| #3743 | Fix buffered_reply assert in HFE commands with module keyspace notifications | cherry-picked in a prior sweep |
| #3766 | Fix flaky block_keyspace_notification test for HGETDEL notify race | cherry-picked in a prior sweep |
| #3800 | Fix heap-use-after-free in ACL LOAD when client free is deferred | cherry-picked in a prior sweep |
| #3723 | Fix double-finish and RESP reply violation in cluster slot migration | cherry-picked in a prior sweep |
| #3872 | Redacting customer information when hide_user_data_from_log is true in rdb.c, networking.c, debug.c and t_hash | cherry-picked in a prior sweep |
| #3846 | Fix use-after-free in VM_RegisterClusterMessageReceiver | cherry-picked in a prior sweep |
| #3806 | Add ALL_DBS flag to CLUSTER FLUSHSLOT for database-level ACL | cherry-picked in a prior sweep |
| #3847 | Harden SENTINEL commands and config rewrite against control-character injection | |
| #3801 | Validate every DB clause in COPY against ACL db= permissions | |
| #3851 | Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token | |
| #3848 | Fix cluster AUX-field control-character and delimiter injection | |
| #3544 | Revert "IO-Threads redesign cleanup work (#3544)" | cherry-picked in a prior sweep |
| #3888 | Report exact dbid for COPY in ACL LOG when db= access is denied | conflicts resolved by Claude Code |
| #3942 | Fix shard_id format specifier in UPDATE message log | |
| #3941 | Avoid random() % 0 undefined behaviour when cluster-node-timeout < 30 | |

---

*Generated by valkey-ci-agent using Claude Code.*

---------

Signed-off-by: Binbin <binloveplay1314@qq.com>
Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
Signed-off-by: chx9 <lovelypiska@outlook.com>
Signed-off-by: zackcam <zackcam@amazon.com>
Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Signed-off-by: akash kumar <akumdev@amazon.com>
Co-authored-by: Binbin <binloveplay1314@qq.com>
Co-authored-by: Ran Shidlansik <ranshid@amazon.com>
Co-authored-by: lovelypiska <lovelypiska@outlook.com>
Co-authored-by: zackcam <zackcam@amazon.com>
Co-authored-by: eifrah-aws <eifrah@amazon.com>
Co-authored-by: jjuleslasarte <jules.lasarte@gmail.com>
Co-authored-by: Jules Lasarte <lasartej@amazon.com>
Co-authored-by: Akash Kumar <45854686+akashkgit@users.noreply.github.com>