
ci: limit changelog-preview secret access #1350

Merged
giortzisg merged 1 commit into master from build/limit-changelog-scope on Jul 2, 2026

Conversation

@giortzisg

Contributor

Description

This just limits the scope of secrets passed to the changelog-preview action to only the required GITHUB_TOKEN.

Issues

Changelog Entry Instructions

To add a custom changelog entry, uncomment the section above. Supports:

  • Single entry: just write text
  • Multiple entries: use bullet points
  • Nested bullets: indent 4+ spaces

For more details: custom changelog entries

Reminders

@giortzisg giortzisg self-assigned this Jul 2, 2026
@giortzisg giortzisg changed the title from "ref: limit changelog-preview secret access" to "ci: limit changelog-preview secret access" Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026


Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • PushScope shorthand now returns the new scope reference by DoctorJohn in #1335

Bug Fixes 🐛

  • Isolate event processor across clones by giortzisg in #1337

Internal Changes 🔧

  • Limit changelog-preview secret access by giortzisg in #1350
  • Move limited buffer under utils by giortzisg in #1338

🤖 This preview updates automatically when you update the PR.

Comment on lines +19 to +20
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
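Review bot: Replacing `secrets: inherit` with the single `GITHUB_TOKEN` entry on lines +19 to +20 is the right direction, since `inherit` forwards every repository and organization secret the caller can see to the called workflow, not just the one it needs; the point to confirm before merging is that the token still carries the permission the preview needs, and the 📋 Changelog Preview comment the github-actions bot posted on this very PR shows the called workflow was able to comment under the scoped configuration. Consider adding a one-line comment above `secrets:` stating why `inherit` is avoided here, so a later contributor does not switch it back for convenience.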


Bug: Explicitly passing GITHUB_TOKEN may cause the called workflow to lack the necessary pull-requests: write permission, as permissions are not propagated from the caller.
Severity: MEDIUM

Suggested Fix

Either revert to using secrets: inherit or ensure the called workflow (getsentry/craft/.github/workflows/changelog-preview.yml) defines its own permissions block with pull-requests: write and declares GITHUB_TOKEN in its on.workflow_call.secrets section.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/changelog-preview.yml#L19-L20

Potential issue: The change from `secrets: inherit` to explicitly passing `GITHUB_TOKEN`
to a reusable workflow is likely to cause a permission error. The calling workflow has
`permissions: pull-requests: write`, but these permissions do not propagate to the
called workflow. The called workflow will use its own default permissions, which are
unlikely to include write access to pull requests. As a result, the `changelog-preview`
action will probably fail when it attempts to post a comment on a pull request due to
insufficient permissions.

Did we get this right? 👍 / 👎 to inform future reviews.

@giortzisg giortzisg merged commit ba52e52 into master Jul 2, 2026
22 checks passed
@giortzisg giortzisg deleted the build/limit-changelog-scope branch July 2, 2026 10:07
2 participants