Skip to content

refactor: workflow to use github app#698

Merged
ThomasRalee merged 1 commit into
masterfrom
refactor/workflow-to-use-github-app
Jul 9, 2026
Merged

refactor: workflow to use github app#698
ThomasRalee merged 1 commit into
masterfrom
refactor/workflow-to-use-github-app

Conversation

@ThomasRalee

@ThomasRalee ThomasRalee commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features

    • Publishing automation now uses shared GitHub App–based authentication for package updates and releases.
    • “Latest” publishing is now coordinated from master by preparing a release pull request, with the final publish happening on the merged release commit.
  • Bug Fixes

    • Release gating was tightened to clearly separate “prepare release” vs “publish,” ensuring steps run only in the intended phase.
    • Package update jobs were updated to use app tokens, with one previously enabled product bump disabled to prevent unintended runs.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 62a1230a-8d68-4a86-adc4-e9d126abd877

📥 Commits

Reviewing files that changed from the base of the PR and between 9cf2d09 and deed1ec.

📒 Files selected for processing (2)
  • .github/workflows/package-bump.yaml
  • .github/workflows/publish.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/package-bump.yaml

📝 Walkthrough

Walkthrough

The package-bump workflow now creates GitHub App installation tokens for each enabled job and passes them to package-bump, replacing repository-specific token secrets. The mito job is commented out.

The publish workflow now computes a mode from workflow dispatch inputs or master-branch release-PR state, uses a GitHub App token for checkout and release creation, expands permissions, and gates versioning, publishing, release PR creation, npm publish, Slack broadcast, and the downstream package-bump trigger by that mode.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: workflows were refactored to use a GitHub App for authentication.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor/workflow-to-use-github-app

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/package-bump.yaml (1)

16-244: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider consolidating the repeated app-token + package-bump boilerplate.

The same 6-line "Create GitHub App token" step is duplicated identically across all 10 jobs. A small composite action (taking repository_url/repository_branch/owner as inputs and internally creating the token + calling package-bump) would remove this repetition and centralize the token-scoping fix above to one place.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/package-bump.yaml around lines 16 - 244, The workflow
repeats the same Create GitHub App token and package-bump setup across many
jobs, so consolidate that boilerplate into a reusable composite action or shared
workflow helper. Add a single action that handles the app-token creation and
package-bump invocation, with inputs for repository_url, repository_branch, and
owner, then update the jobs to call it instead of duplicating the same steps.
Use the existing package-bump-layer, package-bump-layer-tc, and package-bump-*
job names to locate the repeated blocks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/package-bump.yaml:
- Around line 21-27: The GitHub App token created by each
`actions/create-github-app-token@v1` step is currently scoped to the whole
`InjectiveLabs` installation because `owner` is set without `repositories`, so
update every `Create GitHub App token` step to add a `repositories` input
matching the exact repo used by that job’s downstream `package-bump` call. Keep
the existing `app-id`, `private-key`, and `owner` settings, and ensure each
token is limited to its target repository only in all occurrences of this
pattern.

In @.github/workflows/publish.yaml:
- Around line 37-41: The workflow-level permissions currently give every job
write access, so scope them only to the publish job. Move the existing contents,
id-token, and pull-requests write permissions from the top-level workflow block
into jobs.publish.permissions in the publish workflow, keeping the publish job
behavior unchanged while preventing other jobs from inheriting unnecessary write
scope.
- Around line 244-260: The release PR commit message in create-pull-request
should not include the skip-ci token because it can propagate into the merge
commit and block the publish workflow. Update the Create or update release PR
step in publish.yaml to remove “[skip ci]” from the commit-message field while
keeping the existing branch-based exclusion logic in the job conditions. Ensure
the change is limited to the release PR generation flow handled by
peter-evans/create-pull-request.
- Around line 72-78: The Create GitHub App token step is using an unconstrained
installation token, so scope it down to only the permissions needed by the
publish workflow. Update the actions/create-github-app-token@v1 configuration in
the app-token step to request just contents: write and pull-requests: write,
keeping the rest of the publish job flow unchanged. This change should be
applied in the workflow section that creates the GitHub App token.

---

Nitpick comments:
In @.github/workflows/package-bump.yaml:
- Around line 16-244: The workflow repeats the same Create GitHub App token and
package-bump setup across many jobs, so consolidate that boilerplate into a
reusable composite action or shared workflow helper. Add a single action that
handles the app-token creation and package-bump invocation, with inputs for
repository_url, repository_branch, and owner, then update the jobs to call it
instead of duplicating the same steps. Use the existing package-bump-layer,
package-bump-layer-tc, and package-bump-* job names to locate the repeated
blocks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e8a59899-45d2-4ffb-a176-b999c91dab3e

📥 Commits

Reviewing files that changed from the base of the PR and between bf2f323 and 48427fb.

📒 Files selected for processing (2)
  • .github/workflows/package-bump.yaml
  • .github/workflows/publish.yaml

Comment thread .github/workflows/package-bump.yaml
Comment thread .github/workflows/publish.yaml Outdated
Comment thread .github/workflows/publish.yaml
Comment thread .github/workflows/publish.yaml
@ThomasRalee ThomasRalee force-pushed the refactor/workflow-to-use-github-app branch from 48427fb to 9cf2d09 Compare July 9, 2026 18:03

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/package-bump.yaml (1)

125-144: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Confirm the disabled mito job is tracked.

The package-bump-mito job is now a commented-out block rather than removed, leaving stale config in the workflow. If this is a temporary disable, consider tracking re-enablement so it isn't forgotten; if permanent, prefer deleting it. Want me to open an issue to track re-enabling the mito bump?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/package-bump.yaml around lines 125 - 144, The disabled
package-bump-mito job is left as commented-out stale workflow config in
package-bump.yaml. Either remove the entire package-bump-mito block if it is
permanently disabled, or add an explicit tracking note/task for re-enabling it
later so it is not forgotten. Keep the workflow clean by ensuring the
package-bump-mito job definition is either active or intentionally documented
elsewhere.
.github/workflows/publish.yaml (1)

238-241: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Prefer passing version_args via env rather than expanding it inline.

${{ steps.determine-publish-type.outputs.version_args }} is interpolated directly into the shell body. Today the value is drawn from a controlled set (hardcoded flags plus minor/patch), so it isn't exploitable, but expanding step outputs inline is the pattern static analysis flags and can become a code-injection vector if the source of version_args ever changes. Routing it through an env var and referencing "$VERSION_ARGS" removes that risk and quiets the linter.

♻️ Suggested hardening
       - name: Version packages
         if: steps.determine-publish-type.outputs.mode != 'publish_release'
+        env:
+          VERSION_ARGS: ${{ steps.determine-publish-type.outputs.version_args }}
         run: |
-          pnpm exec lerna version ${{ steps.determine-publish-type.outputs.version_args }}
+          pnpm exec lerna version $VERSION_ARGS
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yaml around lines 238 - 241, The Version packages
step in publish.yaml interpolates
steps.determine-publish-type.outputs.version_args directly into the shell
command, which should be hardened. Move that output into an env variable on the
same step and reference the variable inside the run script for the lerna version
invocation, so the behavior stays the same while avoiding inline shell expansion
and satisfying the linter.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/package-bump.yaml:
- Around line 21-28: The GitHub App token is currently scoped only by
repository, but its permissions are still too broad. Update each
actions/create-github-app-token@v1 step in package-bump.yaml to explicitly
request the minimum needed permissions by adding permission-contents: write and
permission-pull-requests: write alongside the existing
app-id/private-key/owner/repositories inputs. Keep the repo restriction, and
apply the same permission tightening to the other create-github-app-token
invocations in this workflow.

---

Nitpick comments:
In @.github/workflows/package-bump.yaml:
- Around line 125-144: The disabled package-bump-mito job is left as
commented-out stale workflow config in package-bump.yaml. Either remove the
entire package-bump-mito block if it is permanently disabled, or add an explicit
tracking note/task for re-enabling it later so it is not forgotten. Keep the
workflow clean by ensuring the package-bump-mito job definition is either active
or intentionally documented elsewhere.

In @.github/workflows/publish.yaml:
- Around line 238-241: The Version packages step in publish.yaml interpolates
steps.determine-publish-type.outputs.version_args directly into the shell
command, which should be hardened. Move that output into an env variable on the
same step and reference the variable inside the run script for the lerna version
invocation, so the behavior stays the same while avoiding inline shell expansion
and satisfying the linter.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 074ea270-6b9f-4d05-bea2-6bb578d9facc

📥 Commits

Reviewing files that changed from the base of the PR and between 48427fb and 9cf2d09.

📒 Files selected for processing (2)
  • .github/workflows/package-bump.yaml
  • .github/workflows/publish.yaml

Comment thread .github/workflows/package-bump.yaml
@ThomasRalee ThomasRalee force-pushed the refactor/workflow-to-use-github-app branch from 9cf2d09 to deed1ec Compare July 9, 2026 18:46
@ThomasRalee ThomasRalee merged commit 6ff22d9 into master Jul 9, 2026
3 checks passed
@ThomasRalee ThomasRalee deleted the refactor/workflow-to-use-github-app branch July 9, 2026 19:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants