From cd9aa6b2246313715a21a56c83797e52448a8b59 Mon Sep 17 00:00:00 2001
From: Robert Allen
Date: Tue, 30 Jun 2026 18:53:36 -0400
Subject: [PATCH 1/3] ci(auth): split to least-privilege app identities (auth refactor) - dependabot auto-merge caller -> automerge app - release.yml: mint the release app for the Create GitHub Release step only; keyless OIDC attestation unchanged Part of modeled-information-format/.github#37
---
.github/workflows/dependabot-automerge.yml | 2 +-
.github/workflows/release.yml | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 8c16d46..ed80480 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -21,4 +21,4 @@ jobs:
 with:
 update-types: patch
 secrets:
- app-private-key: ${{ secrets.MIF_CI_CLIENT_APP_PRIVATE_KEY }}
+ app-private-key: ${{ secrets.AUTOMERGE_CLIENT_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5ee05ad..ce749c5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -364,9 +364,18 @@ jobs:
 cd dist
 sha256sum -- * > "${NAME}-${VERSION}-checksums.txt"
 cat "${NAME}-${VERSION}-checksums.txt"
+ - name: Mint release app token (publish identity)
+ id: release-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ vars.RELEASE_CLIENT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_CLIENT_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+
 - name: Create GitHub Release
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.release-token.outputs.token }}
 VERSION: ${{ needs.meta.outputs.version }}
 run: |
 set -euo pipefail

From 577594b23fc40464f42a2a8bd4502c82eac5fb4c Mon Sep 17 00:00:00 2001
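Review bot: The token minted at `uses: actions/create-github-app-token@…` is narrowed to one repository via `owner`/`repositories` but not to any permission set, so it carries every permission granted to the release app's installation rather than only what `gh release create` needs. The action accepts `permission-<scope>` inputs that restrict the installation token; adding `permission-contents: write` under `with:` would make the step's least-privilege claim explicit and keep a compromised later step from using any other right the app holds. Separately, `repositories: ${{ github.event.repository.name }}` is empty for triggers whose payload carries no `repository` object (`schedule`, for one); the workflow's `on:` block is outside the hunk, so if such a trigger is present this should derive from `github.repository` instead. Note also that by default the action revokes the token only in its post step at job end, so every step after `Create GitHub Release` in this job can still read `steps.release-token.outputs.token`; the remainder of the job is outside the hunk, so I'd add `# token is live until job end — keep write steps that use it to a minimum` above the mint step.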
From: Robert Allen
Date: Tue, 30 Jun 2026 19:31:36 -0400
Subject: [PATCH 2/3] =?UTF-8?q?fix(auth):=20release.yml=20=E2=80=94=20redu?= =?UTF-8?q?ce=20job=20contents=20permission=20to=20read?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Create GitHub Release step now uses the release App token; GITHUB_TOKEN no longer needs contents:write. Part of modeled-information-format/.github#37
---
.github/workflows/release.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce749c5..fd5ad6e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -343,7 +343,7 @@ jobs:
 needs: [meta, verify, sign-catalog]
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read # release creation now uses the release App token
 steps:
 - name: Download all artifacts
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

From c7a95f1b94fbcddbf808c03830890684c69de1b8 Mon Sep 17 00:00:00 2001
From: Robert Allen
Date: Tue, 30 Jun 2026 19:52:30 -0400
Subject: [PATCH 3/3] fix(auth): rename release-token step id to release_token (avoid hyphen in expression) Removes any ambiguity in ${{ steps.release_token.outputs.token }}. Part of modeled-information-format/.github#37
---
.github/workflows/release.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fd5ad6e..4c2ae94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -365,7 +365,7 @@ jobs:
 sha256sum -- * > "${NAME}-${VERSION}-checksums.txt"
 cat "${NAME}-${VERSION}-checksums.txt"
 - name: Mint release app token (publish identity)
- id: release-token
+ id: release_token
 uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
 client-id: ${{ vars.RELEASE_CLIENT_APP_ID }}
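Review bot: With `contents: read` now the only key under `permissions:`, GITHUB_TOKEN receives no other scope in this job, so any later step that relied on a default-granted permission — `id-token: write` for keyless signing, or `attestations: write` — would start failing; the steps after `Download all artifacts` are outside the hunk, so I cannot confirm from here that none does. As far as I know the same-run artifact download does not use GITHUB_TOKEN, so if nothing else in the job reads the repository, `permissions: {}` is the tighter form and documents that the job holds no token rights at all. If read access is still required, I'd have the inline comment say what needs it rather than only why write is gone, e.g. `contents: read  # needed by <step>; release creation uses the release App token`.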
@@ -375,7 +375,7 @@ jobs:

 - name: Create GitHub Release
 env:
- GH_TOKEN: ${{ steps.release-token.outputs.token }}
+ GH_TOKEN: ${{ steps.release_token.outputs.token }}
 VERSION: ${{ needs.meta.outputs.version }}
 run: |
 set -euo pipefail