Skip to content

chore(ci): migrate release workflow to GitHub keyless auth#2868

Merged
matiasinsaurralde merged 1 commit into
mainfrom
chore/release-keyless-migration
Mar 17, 2026
Merged

chore(ci): migrate release workflow to GitHub keyless auth#2868
matiasinsaurralde merged 1 commit into
mainfrom
chore/release-keyless-migration

Conversation

@matiasinsaurralde

Copy link
Copy Markdown
Contributor

Re-adding #2855 after federated auth token fix.

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:9">
P1: `read-all` is the wrong workflow default for this keyless migration: it widens `GITHUB_TOKEN` to every read scope, but still doesn't grant the workflow-level `id-token: write` that Chainloop documents for GitHub keyless auth.

(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.) [FEEDBACK_USED]</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
permissions:
contents: read
permissions: read-all

@cubic-dev-ai cubic-dev-ai Bot Mar 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: read-all is the wrong workflow default for this keyless migration: it widens GITHUB_TOKEN to every read scope, but still doesn't grant the workflow-level id-token: write that Chainloop documents for GitHub keyless auth.

(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.)

View Feedback

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:

<comment>`read-all` is the wrong workflow default for this keyless migration: it widens `GITHUB_TOKEN` to every read scope, but still doesn't grant the workflow-level `id-token: write` that Chainloop documents for GitHub keyless auth.

(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.) </comment>

<file context>
@@ -6,8 +6,7 @@ on:
 # https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
</file context>
Suggested change
permissions: read-all
permissions:
contents: read
id-token: write
Fix with Cubic

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're trying to standarize either permissions: read-all or permissions: {} for workflow level settings. Then every job overrides or sets job-specific permissions.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback! I've saved this as a new learning to improve future reviews.

@matiasinsaurralde matiasinsaurralde merged commit 11807d1 into main Mar 17, 2026
26 checks passed
@matiasinsaurralde matiasinsaurralde deleted the chore/release-keyless-migration branch March 17, 2026 01:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants