ci(auth): least-privilege app identities (auth refactor)#16

Merged
zircote merged 3 commits into
mainfrom
feat/least-privilege-app-auth
Jul 1, 2026

Conversation

@zircote zircote commented Jun 30, 2026

Contributor

Splits this repo's workflow auth onto the least-privilege apps (epic modeled-information-format/.github#37).

  • dependabot-automerge.yml caller -> automerge app.
  • release.yml mints the release app for the Create GitHub Release step only; keyless OIDC attestation untouched.

(Catalog auth is handled in the .github hub PR #39; wiring the scorecard caller to the ci app folds into the gate-suite standardization under #37.)

Draft until the apps + their variables/secrets are provisioned.

Closes #15
Part of modeled-information-format/.github#37

- dependabot auto-merge caller -> automerge app
- release.yml: mint the release app for the Create GitHub Release step only;
  keyless OIDC attestation unchanged

Part of modeled-information-format/.github#37
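An illustrative version of the two workflow files this PR touches, added here as an example. These are not the repository's actual files; the app IDs, variable names, reusable-workflow path and attestation action are assumptions (marked ASSUMED in the comments), and only AUTOMERGE_CLIENT_APP_PRIVATE_KEY, the step id release_token and the expression ${{ steps.release_token.outputs.token }} come from the PR itself. The point being demonstrated is the one the description makes: GITHUB_TOKEN drops to contents:read, the release app token is minted immediately before the single step that needs it and scoped to contents:write on this repository, the OIDC-based attestation step is untouched, and the Dependabot caller hands the org workflow the automerge app's key rather than the CI app's.

```yaml
# --- .github/workflows/release.yml (illustrative, not the repo's file) ---
name: release
on:
  push:
    tags: ["v*"]

# The default token stays read-only: the release is created with the app
# token, so GITHUB_TOKEN no longer needs contents:write.
permissions:
  contents: read
  id-token: write       # keyless OIDC attestation, unchanged by the refactor
  attestations: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact
        run: |
          mkdir -p dist
          tar -czf dist/release.tar.gz --exclude=.git --exclude=dist .

      # Provenance is signed with the job's OIDC identity, not with any app
      # token, so it is unaffected by which app publishes the release.
      # ASSUMED: the repo's attestation step; any OIDC-based signer fits here.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/release.tar.gz

      # Mint the release app's installation token right before the one step
      # that needs it, limited to this repository and to contents:write.
      # The action revokes the token in its post step, so the credential
      # does not outlive the job.
      - name: Mint GitHub App token
        id: release_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}                    # ASSUMED variable name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}   # ASSUMED secret name
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write

      - name: Create GitHub Release
        env:
          # Quoted so the expression is read as one string by the YAML parser.
          GH_TOKEN: "${{ steps.release_token.outputs.token }}"
        run: gh release create "${GITHUB_REF_NAME}" dist/release.tar.gz --generate-notes

---
# --- .github/workflows/dependabot-automerge.yml (illustrative caller) ---
name: dependabot-automerge
on:
  pull_request:
    types: [opened, synchronize, reopened]

# Upper bound for the called workflow's GITHUB_TOKEN: a reusable workflow can
# only narrow what the caller grants. Keep it read-only and let the automerge
# app token do the writes (ASSUMED: the org workflow uses the app token for that).
permissions:
  contents: read
  pull-requests: read

jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    # ASSUMED path of the org's reusable workflow
    uses: modeled-information-format/.github/.github/workflows/dependabot-automerge.yml@main
    secrets:
      # The automerge app's key, not the CI app's: the identity that approves
      # and merges carries only the permissions that job needs.
      app-private-key: ${{ secrets.AUTOMERGE_CLIENT_APP_PRIVATE_KEY }}   # ASSUMED input name
```

Two checks are worth running after such a change: confirm from the job log that the "Mint GitHub App token" step runs after the attestation step and that the post-step token revocation appears at the end of the job, and confirm the release app's installation grants nothing beyond contents on this repository, since `permission-contents: write` can only request a subset of what the installation already has.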

Copilot AI left a comment

Pull request overview

Refactors GitHub Actions authentication in this repo’s CI to use least-privilege GitHub App identities, aligning the release publishing and Dependabot automerge flows with the app-splitting plan referenced in issue #15 / modeled-information-format/.github#37.

Changes:

  • Updates release.yml to mint a dedicated release GitHub App token and use it specifically for creating the GitHub Release.
  • Updates dependabot-automerge.yml to pass the AUTOMERGE_CLIENT_APP_PRIVATE_KEY secret to the org reusable automerge workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: .github/workflows/release.yml
Description: Adds a “mint GitHub App token” step and switches the release creation step to use that token.

File: .github/workflows/dependabot-automerge.yml
Description: Switches the reusable workflow caller secret from the CI app key to the automerge app key.

zircote added 2 commits June 30, 2026 19:31
The Create GitHub Release step now uses the release App token; GITHUB_TOKEN no
longer needs contents:write.

Part of modeled-information-format/.github#37
…n in expression)

Removes any ambiguity in ${{ steps.release_token.outputs.token }}.

Part of modeled-information-format/.github#37

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@zircote zircote marked this pull request as ready for review July 1, 2026 01:02
@zircote zircote merged commit 322ff40 into main Jul 1, 2026
24 checks passed

Development

Successfully merging this pull request may close these issues.

Auth refactor: scorecard -> CLIENT, dependabot -> AUTOMERGE, catalog -> CATALOG, release.yml -> RELEASE

2 participants