Conversation

@motoki317
Member

@motoki317 motoki317 commented Aug 14, 2025

Why

https://github.com/traPtitech/NeoShowcase/actions/runs/16960526932/job/48072361393

What was done

  • I had forgotten that the workflow references secrets, so for now I set `secrets: inherit` so they can be read
  • Moved the renovate dispatch to after the helm release (this assumes refactor: NeoShowcase helm manifest#1051 is merged first; what renovate updates is going to be the helm version rather than the docker tag)

What was not done

The direct push for helm is failing
#1095 (comment)

References

@motoki317 motoki317 requested a review from pirosiki197 August 14, 2025 09:38
@github-actions
Contributor

Preview (prod backend + PR dashboard) → https://1095.ns-preview.trapti.tech/

Comment on lines +79 to +91

```yaml
    runs-on: ubuntu-latest
    needs: [ release ]
    steps:
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.DISPATCH_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'traPtitech',
              repo: 'manifest',
              workflow_id: 'renovate.yaml',
              ref: 'main'
            })
```

Check warning

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago)

To fix the problem, you should add a permissions block to the workflow file, specifying only the permissions required for the jobs. The best way is to add the block at the top level of the workflow, so it applies to all jobs unless overridden. For this workflow, the release job needs to push commits and publish packages, so it requires contents: write and possibly packages: write. The dispatch-renovate job uses a personal access token (DISPATCH_PAT) to dispatch another workflow, but does not use GITHUB_TOKEN for any privileged operation, so it can be set to none or left as is. However, for clarity and security, it's best to set the minimal permissions at the workflow level, and override per job if needed.

You should add the following block near the top of the file, after the name and run-name fields:

```yaml
permissions:
  contents: write
  packages: write
```

If you want to be even more restrictive, you can set permissions: {} at the workflow level and add the required permissions only to the release job. For simplicity and clarity, the above is sufficient.

Suggested changeset 1
.github/workflows/release-helm.yaml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml
--- a/.github/workflows/release-helm.yaml
+++ b/.github/workflows/release-helm.yaml
@@ -1,5 +1,8 @@
 name: Release helm chart
 run-name: Release helm chart (${{ inputs.strategy }})
+permissions:
+  contents: write
+  packages: write
 
 on:
   workflow_dispatch:
EOF
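Review bot: placing `contents: write` and `packages: write` at the workflow level grants those scopes to every job, including the dispatch job shown above that authenticates with `secrets.DISPATCH_PAT` and needs nothing from GITHUB_TOKEN. The autofix text itself names `release` as the only job that pushes and publishes, so the tighter form it mentions is the one to take: keep `permissions: {}` at the top and move the two write scopes onto the `release` job. Worth a comment in the file as well: this block does not address the failing direct push to `main` discussed in this thread, which is being handled with a deploy key rather than GITHUB_TOKEN scopes.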
@motoki317
Member Author

motoki317 commented Aug 14, 2025

https://github.com/traPtitech/NeoShowcase/actions/runs/16960526932/job/48072020853

The direct push of helm to main is failing... what should we do about it?


It looks like there is a setting that lets a deploy key bypass this, so it might be good to just generate a throwaway key with `ssh-keygen -t ed25519`, register it as a secret and use it from actions, and register the pubkey as a deploy key

If we load it into something like `~/.ssh/id_ed25519` on the Actions machine and run `git remote set-url origin git@github.com:traPtitech/NeoShowcase.git`, I think that should work
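The two fixes discussed on this page, scoped GITHUB_TOKEN permissions from the CodeQL finding and the deploy-key push from the comment above, combined into one workflow. This is an added example, not the NeoShowcase repository's own `release-helm.yaml`: the `strategy` input definition, the `DEPLOY_KEY` secret name, the `dispatch-renovate` job name, what `./publish.sh` does and the per-job permission scopes are all assumptions. It uses the `ssh-key` input of `actions/checkout` instead of writing `~/.ssh/id_ed25519` and running `git remote set-url` by hand; the action does the equivalent (writes the key, pins the github.com host key and checks out over SSH), so a later `git push` in the same job authenticates with the deploy key rather than GITHUB_TOKEN.

```yaml
name: Release helm chart
run-name: Release helm chart (${{ inputs.strategy }})

# No GITHUB_TOKEN scopes by default; each job opts in to what it needs.
permissions: {}

on:
  workflow_dispatch:
    inputs:
      strategy:            # assumed definition; the page only shows the name
        type: string
        required: true

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # assumed: creating the release / tag
      packages: write      # assumed: pushing the chart to GHCR
    steps:
      - uses: actions/checkout@v4
        with:
          # Private half of the deploy key registered on the repo with
          # write access. checkout writes it under ~/.ssh, pins the
          # github.com host key and uses the SSH remote URL for the clone,
          # so the push below is authenticated by the deploy key and not
          # by GITHUB_TOKEN. The secret name DEPLOY_KEY is an assumption.
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      - name: Publish chart
        run: ./publish.sh  # script mentioned in the thread; assumed to build and push the chart
      - name: Push version bump to main over SSH
        run: git push origin HEAD:main

  dispatch-renovate:       # job name is an assumption
    runs-on: ubuntu-latest
    needs: [ release ]
    # Inherits permissions: {} from the workflow level; only the PAT below is used.
    steps:
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.DISPATCH_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'traPtitech',
              repo: 'manifest',
              workflow_id: 'renovate.yaml',
              ref: 'main'
            })
```

The deploy key is scoped to this one repository, which is what makes it preferable to a personal access token for the push; rotating it means replacing the secret and the deploy-key entry together, and the job-level `permissions` keeps the dispatch job from ever holding a write-capable GITHUB_TOKEN it does not use.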

@motoki317
Member Author

Also, as a stopgap, it is not impossible to just run `./publish.sh` from a local machine

@motoki317
Member Author

The method considered safest is a GitHub App, but installing it and so on is a huge hassle, so it's up to you

@pirosiki197
Contributor

It looks like there is a setting that lets a deploy key bypass this, so it might be good to just generate a throwaway key with `ssh-keygen -t ed25519`, register it as a secret and use it from actions, and register the pubkey as a deploy key

I'll go with this for now

@motoki317
Member Author

motoki317 commented Aug 14, 2025

It looks like there is a setting that lets a deploy key bypass this, so it might be good to just generate a throwaway key with `ssh-keygen -t ed25519`, register it as a secret and use it from actions, and register the pubkey as a deploy key

I'll go with this for now

It worked like this~ registered the deploy key on the repository with write access
motoki317/actions-test@71c1ce2

before: https://github.com/motoki317/actions-test/actions/runs/16961877345/job/48076409522
after: https://github.com/motoki317/actions-test/actions/runs/16961964011/job/48076684007

@motoki317 motoki317 merged commit 773971e into main Aug 14, 2025
6 checks passed
@motoki317 motoki317 deleted the fix/secrets branch August 14, 2025 10:29