Conversation

@martincostello
Member

Testing secrets and permissions for #868.

Contributor

Copilot AI left a comment


Pull request overview

This PR adds a test job to verify GitHub App permissions and secrets configuration for issue #868. The test job uses a GitHub App token to authenticate and display its permissions using the GitHub CLI.

Key Changes

  • Added test-permissions job to the GHCR workflow to validate GitHub App token generation
  • Configured job with contents: read and id-token: write permissions
  • Implemented token retrieval using grafana/shared-workflows/actions/create-github-app-token action and permission validation using GitHub CLI


Comment on lines +121 to +122
run: |
echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token

Copilot AI Nov 21, 2025


The GitHub App token is being exposed in the workflow logs through the echo command. This creates a security vulnerability as tokens should never be printed to logs where they can be viewed by anyone with access to the workflow runs.

Consider using an environment variable instead:

- name: Show token permissions
  env:
    GH_TOKEN: ${{ steps.get-token.outputs.token }}
  run: |
    gh auth status

The gh CLI automatically uses the GH_TOKEN environment variable for authentication without needing to explicitly log in.

Suggested change
run: |
echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token
env:
GH_TOKEN: ${{ steps.get-token.outputs.token }}
run: |
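Review bot: the suggestion ends at a bare `run: |`, so whatever sits on the line after +122 becomes the entire script of this step; confirm that line is the `gh` command the comment body shows (`gh auth status`) and that no later step relies on `gh auth login` having persisted credentials, since `GH_TOKEN` under a step's `env:` is visible only to that step, whereas `gh auth login --with-token` writes the token to the CLI's config on the runner. The `env:` form is the right fix in any case: `${{ steps.get-token.outputs.token }}` inside a `run:` block is expanded into the script text before the shell runs, which is what put the token on the command line in the first place.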

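The comment above recommends moving the token out of the `run:` script and into `env:`. The shell script below is an added example, not code from this PR, the repository or the Copilot review: it scans a workflow file for `${{ ... }}` expressions interpolated into a `run:` script (block scalar or inline), which is exactly the shape of the flagged line, and goes slightly beyond the token case to catch the same pattern with untrusted event fields such as a pull request title. The two workflow files it checks are constructed here; the step id `get-token` is taken from the PR, while `example/consumer-action@v1` is a placeholder and not a real action.

```shell
#!/bin/sh
# Added example (not the project's code): flag `${{ ... }}` expressions that
# are expanded into a `run:` script. GitHub substitutes the expression into the
# script text before the shell sees it, so a token or an attacker-controlled
# string becomes part of the command line; putting it under `env:` keeps it out.

# Prints FILE:LINE: TEXT for each run-script line containing "${{".
# Exits 1 when anything was found, 0 otherwise, so it can gate CI.
find_run_interpolations() {
  awk '
    function indent(s,  t) { t = s; sub(/^ */, "", t); return length(s) - length(t) }
    {
      line = $0
      if (in_run) {
        # still inside the block scalar while lines are blank or indented deeper than "run:"
        if (line ~ /^[ \t]*$/ || indent(line) > run_indent) {
          if (index(line, "${{") > 0) { print FILENAME ":" NR ": " line; found++ }
          next
        }
        in_run = 0
      }
      if (line ~ /^ *(- )?run:/) {
        match(line, /run:/); run_indent = RSTART - 1
        rest = substr(line, RSTART + 4); sub(/^[ \t]*/, "", rest)
        if (rest ~ /^[|>][-+0-9]*$/) in_run = 1            # block scalar follows
        else if (index(rest, "${{") > 0) { print FILENAME ":" NR ": " line; found++ }  # inline run
      }
    }
    END { if (found > 0) exit 1; exit 0 }
  ' "$1"
}

# Constructed sample workflow in the shape the review flagged (hypothetical, not the
# project's real file). The token step is assumed to have id "get-token" as in the PR;
# example/consumer-action@v1 is a placeholder, included only to show that an expression
# under `with:` is not a script and is not reported.
BAD_WORKFLOW=$(mktemp)
cat > "$BAD_WORKFLOW" <<'EOF'
jobs:
  test-permissions:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Show token permissions
        run: |
          echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token
          gh auth status
      - name: Echo title
        run: echo "${{ github.event.pull_request.title }}"
      - name: Expression in with, not in a script
        uses: example/consumer-action@v1
        with:
          token: ${{ steps.get-token.outputs.token }}
EOF

# Same steps with every expression moved into env:, as the review suggests.
GOOD_WORKFLOW=$(mktemp)
cat > "$GOOD_WORKFLOW" <<'EOF'
jobs:
  test-permissions:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Show token permissions
        env:
          GH_TOKEN: ${{ steps.get-token.outputs.token }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          gh auth status
          printf '%s\n' "$PR_TITLE"
EOF

echo "== expressions expanded into run: scripts (original form) =="
find_run_interpolations "$BAD_WORKFLOW" || true
echo "== after moving them into env: =="
find_run_interpolations "$GOOD_WORKFLOW" && echo "(none)"
# temp files are left in place so the results can be inspected
```

The scanner is a line-oriented heuristic over indentation, not a YAML parser, so `run:` keys written in flow style or unusual layouts can slip past it; for anything beyond a quick check use a dedicated workflow linter. Its non-zero exit on a match is what makes it usable as a pre-merge gate.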
martincostello deleted the gh-868-test-app-permissions branch November 21, 2025 17:08
@martincostello
Member Author

Need to test in the right workflow name...
