
Conversation

@AndreasBoehm
Member

  • removed user specific tokens
  • add permissions.contents: write

@github-actions

Build Artifacts

Firmware built from this pull request's code:

Notice

  • These artifacts are ZIP files containing the factory update binary as well as the OTA update binary.
    Extract the binaries from the ZIP files first. Do not use the ZIP files themselves to perform an update.
  • These links point to artifacts of the latest successful build run.
  • The linked artifacts were built from 00e4e90.

@coderabbitai

coderabbitai bot commented Oct 13, 2025

Walkthrough

The GitHub Actions workflow for releases was updated to add a permissions block granting contents: write and to remove step-scoped GITHUB_TOKEN usage in favor of RELEASE_TOKEN for changelog and release creation authentication.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| CI Workflow: Release auth & permissions<br>`.github/workflows/build.yml` | Added job-level permissions (`contents: write`). Removed `GITHUB_TOKEN` from "Build Changelog" and "Create Release" steps; release now relies on `RELEASE_TOKEN` for authentication. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant Dev as Developer
  participant GH as GitHub Actions
  participant Job as release job
  participant Steps as Steps
  participant GitHub as GitHub API

  Dev->>GH: Push/tag triggers workflow
  GH->>Job: Start release job
  Note over Job: permissions:<br/>contents: write
  Job->>Steps: Execute "Build Changelog"
  Note over Steps: No GITHUB_TOKEN env
  Steps->>GitHub: Read repo data (implicit job permissions)
  Steps-->>Job: Changelog built

  Job->>Steps: Execute "Create Release"
  Note over Steps: Uses RELEASE_TOKEN<br/>(not GITHUB_TOKEN)
  Steps->>GitHub: Create release (contents: write)
  GitHub-->>Steps: Release created
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws—release day cheer!
Tokens hop right, no stray gear.
Permissions set, the path is clear,
Changelog brewed, a silky veneer.
With RELEASE_TOKEN, we volunteer—
Carrots for commits, a tidy premiere! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (1 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | The pull request description succinctly notes the removal of user-specific tokens and the addition of `permissions.contents: write`, directly corresponding to the changes made in the release workflow file. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0dc7b6c and f2a7249.

📒 Files selected for processing (1)
  • .github/workflows/build.yml (1 hunks)

Comment on lines +198 to +199:

```yaml
permissions:
  contents: write
```

⚠️ Potential issue | 🔴 Critical

Restore required token scopes for this job.

By declaring only contents: write here, every other scope defaults to none. The release job still needs actions: read (for actions/download-artifact) and at least pull-requests: read to let mikepenz/release-changelog-builder-action fetch PR metadata. As-is, the workflow will fail once it reaches those steps. Please expand the block, e.g.:

     permissions:
+      actions: read
+      pull-requests: read
       contents: write
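Review bot: The two added `read` scopes only widen what `GITHUB_TOKEN` may do, but the walkthrough says the "Create Release" step now authenticates with `RELEASE_TOKEN` instead, and nothing in this `permissions:` block constrains that secret. A comment next to the block recording which step uses which credential would make the boundary explicit, and the `RELEASE_TOKEN` secret itself should be checked to carry no more than `contents: write` on this repository, otherwise the job-level block is least-privilege for every step except the one that matters most.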

Add any other scopes those steps rely on.

📝 Committable suggestion


Suggested change

Before:

```yaml
permissions:
  contents: write
```

After:

```yaml
permissions:
  actions: read
  pull-requests: read
  contents: write
```
🤖 Prompt for AI Agents
.github/workflows/build.yml around lines 198-199: the job permissions block
currently only sets contents: write which removes all other scopes and will
break later steps; update the permissions to include the scopes required by
downstream steps (at minimum add actions: read and pull-requests: read so
actions/download-artifact and mikepenz/release-changelog-builder-action can
access artifacts and PR metadata), and add any additional scopes those or other
steps require (e.g., checks: read or issues: read) so the workflow has all
necessary token permissions.
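As an added check, not code from the project or from the review bot, the following Python models the rule the review comment relies on (a declared `permissions:` block replaces the defaults, so every omitted scope becomes `none`) and reports which step needs a scope the job does not grant. The step-to-scope table, the repository's default token setting and the version tags in the constructed job are assumptions.

```python
"""Resolve the GITHUB_TOKEN scopes a job really gets and flag steps that need more.
Added example, not project code: the step->scope table and the repository's
default-token setting are assumptions, not facts taken from build.yml."""
from typing import Dict, Optional

Perms = Dict[str, str]
# Defaults with no permissions block anywhere, assuming the repository's
# "Workflow permissions" setting is the restricted one.
RESTRICTED_DEFAULT: Perms = {"contents": "read", "packages": "read", "metadata": "read"}
# Scopes the review comment says these steps need (hypothetical table; extend it).
REQUIRED_BY_ACTION: Dict[str, Perms] = {
    "actions/download-artifact": {"actions": "read"},
    "mikepenz/release-changelog-builder-action": {"pull-requests": "read"},
}

def effective_permissions(workflow: Optional[Perms], job: Optional[Perms]) -> Perms:
    """GitHub rule: the nearest declared block (job beats workflow) replaces the
    defaults wholesale, so every scope it omits becomes 'none' (metadata stays read)."""
    declared = job if job is not None else workflow
    if declared is None:
        return dict(RESTRICTED_DEFAULT)
    perms = dict(declared)
    perms.setdefault("metadata", "read")
    return perms

def satisfies(granted: str, needed: str) -> bool:
    rank = {"none": 0, "read": 1, "write": 2}
    return rank.get(granted, 0) >= rank[needed]

def missing_scopes(job_def: dict, workflow_perms: Optional[Perms] = None) -> Dict[str, Perms]:
    """For each step's `uses:`, the scopes it needs but the job does not grant."""
    perms = effective_permissions(workflow_perms, job_def.get("permissions"))
    problems: Dict[str, Perms] = {}
    for step in job_def.get("steps", []):
        action = step.get("uses", "").split("@")[0]
        lacking = {s: lvl for s, lvl in REQUIRED_BY_ACTION.get(action, {}).items()
                   if not satisfies(perms.get(s, "none"), lvl)}
        if lacking:
            problems[action] = lacking
    return problems

# Constructed stand-in for the release job as submitted (version tags are placeholders).
RELEASE_JOB_AS_SUBMITTED = {
    "permissions": {"contents": "write"},
    "steps": [{"uses": "actions/download-artifact@v4"},
              {"uses": "mikepenz/release-changelog-builder-action@v5"}],
}
# The same job with the scopes the review asks for.
RELEASE_JOB_FIXED = {**RELEASE_JOB_AS_SUBMITTED, "permissions":
                     {"contents": "write", "actions": "read", "pull-requests": "read"}}
```

Run `missing_scopes(RELEASE_JOB_AS_SUBMITTED)` to see both steps flagged and `missing_scopes(RELEASE_JOB_FIXED)` to confirm an empty result; passing a workflow-level block as the second argument shows that a job without its own block inherits it.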
