cozystack/.github/workflows
Myasnikov Daniil 76c4eabdff
fix(ci): use a read-only app token for the Copilot step
Review feedback on PR #2460: the Generate changelog using AI step ran
Copilot with --allow-all-tools and GH_TOKEN set to the write-capable
installation token issued to the job (contents: write,
pull-requests: write on all cozystack/* repos). The scope rules in
docs/agents/changelog.md and the step prompt tell the agent not to
use those permissions, but nothing at the token layer prevented it.

Mint a second, read-only installation token from the same app
(same COZYSTACK_CI_APP_ID / COZYSTACK_CI_PRIVATE_KEY, scoped to
contents/pull-requests/metadata read) and pass that one to the AI
step instead. The write-capable token is still used by the checkout,
commit/push, and PR-creation steps that actually need it.

This is defense in depth: even if a future prompt change or agent
misbehavior ignored the scope rules, the token itself has no write
capability on any repository in the cozystack org. No new secret,
no new GitHub App install, no admin-side change — the RO token is
minted in the same workflow from the same app credentials.

Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
2026-04-23 12:26:14 +05:00
..
auto-release.yaml ci: use cozystack org noreply email for bot commits 2026-04-13 16:29:07 +02:00
backport.yaml [ci] Update korthout/backport-action@v3.2.1 2025-12-09 14:34:37 +01:00
pre-commit.yml [docs] Update cozyvalues-gen 2026-03-25 15:59:22 +05:00
pull-requests-release.yaml ci: use cozystack org noreply email for bot commits 2026-04-13 16:29:07 +02:00
pull-requests.yaml ci(pull-requests): replace GH_PAT with cozystack-ci GitHub App token 2026-04-13 09:28:52 +02:00
retest.yaml feat(ci): add /retest command to rerun tests from Prepare environment 2026-01-02 21:23:27 +01:00
tags.yaml fix(ci): use a read-only app token for the Copilot step 2026-04-23 12:26:14 +05:00
update-releasenotes.yaml [workflow] Add GitHub Action to update release notes from changelogs 2025-12-24 15:02:04 +01:00