From 4cc018a84ca155c3c5be8cf7bc6e8b2296eda098 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Thu, 26 Mar 2026 15:45:24 +0000
Subject: [PATCH 1/5] chore(ci): Replace GH_CQ_BOT PAT with GitHub App tokens

Replace the non-expiring personal access token (GH_CQ_BOT) with short-lived tokens from the cloudquery-ci GitHub App using actions/create-github-app-token@v3.
---
 .github/workflows/gen-client.yml | 15 +++++++++++----
 .github/workflows/release-pr.yml | 12 ++++++++++--
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/gen-client.yml b/.github/workflows/gen-client.yml
index dc81fd8..3b413ef 100644
--- a/.github/workflows/gen-client.yml
+++ b/.github/workflows/gen-client.yml
@@ -10,14 +10,22 @@ jobs:
 timeout-minutes: 30
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
- token: ${{ secrets.GH_CQ_BOT }}
+ token: ${{ steps.app-token.outputs.token }}
 - name: Get Specs File
 run: |
- curl -H "Authorization: token ${{ secrets.GH_CQ_BOT }}" https://raw.githubusercontent.com/cloudquery/cloud/main/cloud/internal/servergen/spec.json -o spec.json
+ curl -H "Authorization: token ${{ steps.app-token.outputs.token }}" https://raw.githubusercontent.com/cloudquery/cloud/main/cloud/internal/servergen/spec.json -o spec.json
 - name: Format Specs File
 run: |
@@ -38,11 +46,10 @@ jobs:
 uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
 with:
 # required so the PR triggers workflow runs
- token: ${{ secrets.GH_CQ_BOT }}
+ token: ${{ steps.app-token.outputs.token }}
 branch: fix/gen-cloudquery-api
 base: main
 title: 'fix: Generate CloudQuery Go API Client from `spec.json`'
 commit-message: 'fix: Generate CloudQuery Go API Client from `spec.json`'
 body: This PR was created by a scheduled workflow to generate the CloudQuery Go API Client from `spec.json`
- author: cq-bot
 labels: automerge
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index fa76947..439cf17 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -12,10 +12,18 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
 with:
- token: ${{ secrets.GH_CQ_BOT }}
+ token: ${{ steps.app-token.outputs.token }}
 - name: Parse semver string
 if: steps.release.outputs.release_created
 id: semver_parser
@@ -34,7 +42,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == ''
 with:
- github-token: ${{ secrets.GH_CQ_BOT }}
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 github.rest.actions.createWorkflowDispatch({
 owner: 'cloudquery',
From 07c721fb5f177b9c19e709802c0d23ff99467ed7 Mon Sep 17 00:00:00 2001
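Review bot: Removing `author: cq-bot` alongside the `token:` swap leaves create-pull-request on its default author identity, which as far as I recall is the generic github-actions bot, so the generated commits are no longer attributed to the App that actually authorised the push. Setting `author` (and `committer`) to the App's own bot user keeps the audit trail pointing at the right identity, e.g. `author: 'cloudquery-ci[bot] <[APP_BOT_USER_ID]+cloudquery-ci[bot]@users.noreply.github.com>'` with the bracketed placeholder filled from the App's bot user; the exact login depends on the App slug, so confirm it before pinning. The existing comment `# required so the PR triggers workflow runs` stays accurate, since PRs opened with an installation token do trigger `pull_request` workflows, unlike ones opened with `GITHUB_TOKEN`.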
From: erezrokah
Date: Fri, 27 Mar 2026 11:55:51 +0000
Subject: [PATCH 2/5] fix(ci): Add cross-repo permissions for GitHub App tokens

gen-client.yml needs access to cloudquery/cloud to download spec.json. release-pr.yml needs access to cloudquery/.github and actions:write permission for createWorkflowDispatch.
---
 .github/workflows/gen-client.yml | 1 +
 .github/workflows/release-pr.yml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/gen-client.yml b/.github/workflows/gen-client.yml
index 3b413ef..749ab19 100644
--- a/.github/workflows/gen-client.yml
+++ b/.github/workflows/gen-client.yml
@@ -16,6 +16,7 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ repositories: cloudquery-api-go,cloud
 permission-contents: write
 permission-pull-requests: write
 - name: Checkout
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 439cf17..5dd7bb3 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -18,8 +18,10 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ repositories: cloudquery-api-go,.github
 permission-contents: write
 permission-pull-requests: write
+ permission-actions: write
 - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
 with:
From a942815bce783c94c73dad2f16d807efca37843e Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Fri, 27 Mar 2026 12:06:28 +0000
Subject: [PATCH 3/5] fix(ci): Use multiline format for repositories input

---
 .github/workflows/gen-client.yml | 4 +++-
 .github/workflows/release-pr.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/gen-client.yml b/.github/workflows/gen-client.yml
index 749ab19..a83adcf 100644
--- a/.github/workflows/gen-client.yml
+++ b/.github/workflows/gen-client.yml
@@ -16,7 +16,9 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
- repositories: cloudquery-api-go,cloud
+ repositories: |
+ cloudquery-api-go
+ cloud
 permission-contents: write
 permission-pull-requests: write
 - name: Checkout
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 5dd7bb3..cf513bd 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -18,7 +18,9 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
- repositories: cloudquery-api-go,.github
+ repositories: |
+ cloudquery-api-go
+ .github
 permission-contents: write
 permission-pull-requests: write
 permission-actions: write
From 73f8481996feb14ab48b82d3559385978c028e58 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Fri, 27 Mar 2026 12:08:44 +0000
Subject: [PATCH 4/5] fix(ci): Split gen-client.yml into two tokens for least privilege

---
 .github/workflows/gen-client.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/gen-client.yml b/.github/workflows/gen-client.yml
index a83adcf..e6d482b 100644
--- a/.github/workflows/gen-client.yml
+++ b/.github/workflows/gen-client.yml
@@ -16,11 +16,17 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
- repositories: |
- cloudquery-api-go
- cloud
 permission-contents: write
 permission-pull-requests: write
+ - name: Generate GitHub App token for cloud repo
+ id: app-token-cloud
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ repositories: |
+ cloud
+ permission-contents: read
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
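Review bot: After the split, the first token step has no `repositories:` input at all, so it is scoped to the repository the workflow runs in by the action's default, while the second is scoped to `cloud` with `permission-contents: read` only; nothing in the hunk says why the two differ, and the next reader will be tempted to fold them back together. A comment on each `with:` block would pin the intent, e.g. `# no repositories input: scoped to this repo only (checkout + PR creation)` above the first `app-id:` and `# read-only token used solely to fetch spec.json from cloudquery/cloud` above the second. Both steps read the same `CQ_APP_ID`/`CQ_APP_PRIVATE_KEY` secrets, so presumably one App installation covers both repositories; worth confirming that `cloud` is in that installation, since a token request for a repository outside it fails at mint time rather than at the fetch.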
@@ -28,7 +34,7 @@ jobs:
 - name: Get Specs File
 run: |
- curl -H "Authorization: token ${{ steps.app-token.outputs.token }}" https://raw.githubusercontent.com/cloudquery/cloud/main/cloud/internal/servergen/spec.json -o spec.json
+ curl -H "Authorization: token ${{ steps.app-token-cloud.outputs.token }}" https://raw.githubusercontent.com/cloudquery/cloud/main/cloud/internal/servergen/spec.json -o spec.json
 - name: Format Specs File
 run: |
From eb52aafa761695b808c4cc216de7fd27ac56879f Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Fri, 27 Mar 2026 12:15:30 +0000
Subject: [PATCH 5/5] fix(ci): Split release-pr.yml into two tokens for least privilege

---
 .github/workflows/release-pr.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index cf513bd..9350acf 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -18,11 +18,16 @@ jobs:
 with:
 app-id: ${{ secrets.CQ_APP_ID }}
 private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
- repositories: |
- cloudquery-api-go
- .github
 permission-contents: write
 permission-pull-requests: write
+ - name: Generate GitHub App token for .github repo
+ id: app-token-github
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ repositories: |
+ .github
 permission-actions: write
 - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
@@ -46,7 +51,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == ''
 with:
- github-token: ${{ steps.app-token.outputs.token }}
+ github-token: ${{ steps.app-token-github.outputs.token }}
 script: |
 github.rest.actions.createWorkflowDispatch({
 owner: 'cloudquery',
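Review bot: The new `app-token-github` step mints an `actions: write` token for `cloudquery/.github` at the start of every run, but its only consumer is the github-script step further down, which is guarded by `steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == ''`; on every run that creates no release the dispatch-capable token is minted and simply discarded. Moving the step to directly before that consumer and giving it the same guard, `if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == ''`, means the token only exists in the runs that actually dispatch. Installation tokens are short-lived either way, so this is exposure reduction rather than a correctness fix. Note that `permission-actions: write` is a pre-existing line that, by position, now belongs to the new step's `with:` block; that is the intended result, but it is easy to misread in the diff and a reviewer should check the rendered file.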
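Review bot: `github-token:` now receives a token whose scope (the `.github` repository, `actions: write` only) is defined in a separate step near the top of the job, and the `script:` that consumes it continues past the end of the hunk; a one-line comment on the input would save the reader that lookup and make the least-privilege intent explicit, e.g. `# scoped to cloudquery/.github, actions:write only (see step app-token-github)`. If the dispatch target is ever moved to another repository, the `repositories:` list of that step has to change in lockstep, which the comment also flags.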