ci(release): use short-lived GitHub App token instead of long-lived PAT#13604
Open
ilhan007 wants to merge 1 commit into
Replace every `secrets.UI5_WEBCOMP_BOT_GH_TOKEN` usage in the release workflow with a per-run installation token generated by `actions/create-github-app-token@v2`. App tokens are valid for ~1 hour and disappear when the run ends, drastically reducing the blast radius compared to a long-lived PAT. Aligns release.yaml with OSPO Guideline #4 ("Replace long-lived secrets with OIDC").

The same PAT is still consumed by deploy-preview.yaml, reset-preview-deploy.yaml, reset-gh-pages.yaml and issue-monthly-report.yaml; those workflows are intentionally out of scope and will be migrated in follow-up PRs.

Requires (one-time, before merge):

- Register a GitHub App with Contents/Issues/Pull-requests: write
- Install it on SAP/ui5-webcomponents
- Add it to the branch-protection bypass list for release branches
- Add repo secrets RELEASE_BOT_APP_ID and RELEASE_BOT_APP_PRIVATE_KEY

The npm publish flow already uses OIDC (id-token: write, no NPM_TOKEN); no changes there.

UI5_WEBCOMP_BOT_NAME / _EMAIL are kept as-is — they are git identity strings, not credentials.
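The workflow shape the description refers to, written out as an added illustration rather than the PR's own diff: a release job mints an installation token with `actions/create-github-app-token@v2` and passes `steps.<id>.outputs.token` everywhere the PAT was used. The secret names RELEASE_BOT_APP_ID and RELEASE_BOT_APP_PRIVATE_KEY are the ones the description asks for; the trigger, job and step names, the checkout/push commands, and the assumption that the bot name and e-mail are read from repository secrets are all mine, not taken from release.yaml.

```yaml
# Added example, not the project's release.yaml. Secret names for the App
# come from the PR description; everything else here is an assumption.
name: release
on:
  push:
    branches: [main]   # assumed trigger

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # npm publish via OIDC, unchanged per the description

    steps:
      # Before: a long-lived PAT stored as a repository secret.
      # - uses: actions/checkout@v4
      #   with:
      #     token: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }}

      # After: a short-lived installation token minted for this run only.
      - name: Generate GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
          private-key: ${{ secrets.RELEASE_BOT_APP_PRIVATE_KEY }}
          # Optional: limit the token to this one repository rather than
          # every repository the App is installed on.
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0

      - name: Push release commit and tags as the bot
        env:
          # The same token is used for git pushes and the gh CLI.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Identity strings only; where they are stored is an assumption.
          git config user.name  "${{ secrets.UI5_WEBCOMP_BOT_NAME }}"
          git config user.email "${{ secrets.UI5_WEBCOMP_BOT_EMAIL }}"
          git push --follow-tags origin HEAD
```

Two points worth checking when reviewing a change like this: the action revokes the token in a post step at the end of the job (unless its `skip-token-revoke` input is set), so nothing useful survives in the run's artifacts or logs; and because the push is made with an App token rather than `GITHUB_TOKEN`, it still triggers downstream workflows, which is why the App must sit on the branch-protection bypass list the description mentions.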
Commit message:

Aligns release.yaml with OSPO Guideline #4.

Replace every `secrets.UI5_WEBCOMP_BOT_GH_TOKEN` usage in the release workflow with a per-run installation token generated by `actions/create-github-app-token@v2`. App tokens are valid for ~1 hour and disappear when the run ends, drastically reducing the blast radius compared to a long-lived PAT.

Requires (one-time, before merge):