Skip to content

chore(ci): migrate release workflow to GitHub keyless auth#2855

Merged
matiasinsaurralde merged 1 commit into
mainfrom
chore/release-keyless-migration
Mar 14, 2026
Merged

chore(ci): migrate release workflow to GitHub keyless auth#2855
matiasinsaurralde merged 1 commit into
mainfrom
chore/release-keyless-migration

Conversation

@matiasinsaurralde

Copy link
Copy Markdown
Contributor

Summary

Migrate release workflow to use GitHub keyless attestation.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde matiasinsaurralde marked this pull request as ready for review March 14, 2026 16:12

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:9">
P2: Avoid `read-all` here; it broadens the default `GITHUB_TOKEN` for every job beyond what this workflow needs. Keep the top-level token limited and let the individual jobs request any extra scopes they require.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
permissions:
contents: read
permissions: read-all

@cubic-dev-ai cubic-dev-ai Bot Mar 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Avoid read-all here; it broadens the default GITHUB_TOKEN for every job beyond what this workflow needs. Keep the top-level token limited and let the individual jobs request any extra scopes they require.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:

<comment>Avoid `read-all` here; it broadens the default `GITHUB_TOKEN` for every job beyond what this workflow needs. Keep the top-level token limited and let the individual jobs request any extra scopes they require.</comment>

<file context>
@@ -6,8 +6,7 @@ on:
 # https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
</file context>
Fix with Cubic

@matiasinsaurralde matiasinsaurralde requested a review from a team March 14, 2026 16:33
@matiasinsaurralde matiasinsaurralde merged commit b6b0f48 into main Mar 14, 2026
15 checks passed
@matiasinsaurralde matiasinsaurralde deleted the chore/release-keyless-migration branch March 14, 2026 22:06
@matiasinsaurralde matiasinsaurralde restored the chore/release-keyless-migration branch March 16, 2026 19:35
@matiasinsaurralde matiasinsaurralde deleted the chore/release-keyless-migration branch March 17, 2026 01:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants