chore(ci): migrate release workflow to GitHub keyless auth#2868
Conversation
Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yaml">
<violation number="1" location=".github/workflows/release.yaml:9">
P1: `read-all` is the wrong workflow default for this keyless migration: it widens `GITHUB_TOKEN` to every read scope, but still doesn't grant the workflow-level `id-token: write` that Chainloop documents for GitHub keyless auth.
(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.) [FEEDBACK_USED]</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| # https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions | ||
| permissions: | ||
| contents: read | ||
| permissions: read-all |
There was a problem hiding this comment.
P1: read-all is the wrong workflow default for this keyless migration: it widens GITHUB_TOKEN to every read scope, but still doesn't grant the workflow-level id-token: write that Chainloop documents for GitHub keyless auth.
(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:
<comment>`read-all` is the wrong workflow default for this keyless migration: it widens `GITHUB_TOKEN` to every read scope, but still doesn't grant the workflow-level `id-token: write` that Chainloop documents for GitHub keyless auth.
(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.) </comment>
<file context>
@@ -6,8 +6,7 @@ on:
# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
-permissions:
- contents: read
+permissions: read-all
jobs:
</file context>
| permissions: read-all | |
| permissions: | |
| contents: read | |
| id-token: write |
There was a problem hiding this comment.
We're trying to standarize either permissions: read-all or permissions: {} for workflow level settings. Then every job overrides or sets job-specific permissions.
There was a problem hiding this comment.
Thanks for the feedback! I've saved this as a new learning to improve future reviews.
Re-adding #2855 after federated auth token fix.