Skip to content

fix: replace GitHub App token with GITHUB_TOKEN + PR workflow#7

Closed
maniSbindra wants to merge 1 commit into
mainfrom
fix/nightly-scan-github-token
Closed

fix: replace GitHub App token with GITHUB_TOKEN + PR workflow#7
maniSbindra wants to merge 1 commit into
mainfrom
fix/nightly-scan-github-token

Conversation

@maniSbindra

@maniSbindra maniSbindra commented Apr 16, 2026

Copy link
Copy Markdown
Member

Summary

Fixes the nightly scan workflow which fails immediately because APP_ID and APP_PRIVATE_KEY secrets are not configured and a GitHub App cannot be created on the org at this time.

Relates to #6

Changes

nightly-scan.yml

  • Removed the create-github-app-token step — uses default GITHUB_TOKEN instead
  • Replaced direct push to main with a PR-based approach (manual review and merge):
    • Creates/resets nightly-scan-results branch
    • Opens a PR (or reuses existing) targeting main
    • A team member manually reviews and merges
  • Added inline path validation — fails if unexpected files are staged (sources shared allowlist)
  • Added artifact existence check — fails early if scan outputs are missing
  • Added pull-requests: write permission
  • Added TODO comment referencing chore: migrate nightly scan to GitHub App token #6 for future App token migration

validate-nightly-pr.yml (new)

  • Defense-in-depth: validates that nightly scan PRs only modify the 3 expected files
  • Triggers on pull_request for the nightly-scan-results branch
  • Skips automatically for non-nightly PRs (job if condition)

.github/nightly-allowed-files.sh (new)

  • Shared allowlist of expected nightly scan output files
  • Sourced by both workflows to avoid duplication and drift

Known Limitation

PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub security measure). This means:

  • The validation workflow won't auto-trigger on nightly PRs (mitigated by inline validation)
  • If required status checks are configured, close/reopen the PR to trigger them
  • See chore: migrate nightly scan to GitHub App token #6 for the long-term migration plan to a GitHub App token

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the nightly scan automation to stop depending on unavailable GitHub App secrets by switching to the built-in GITHUB_TOKEN and moving from direct pushes to a PR-based update flow, with additional safeguards on what files can be changed.

Changes:

  • Reworks nightly-scan.yml to commit scan outputs to a dedicated branch and open/update a PR to main, including inline artifact/path validation.
  • Adds validate-nightly-pr.yml to validate that nightly PRs only modify the expected scan output files.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/nightly-scan.yml Removes GitHub App token usage; commits outputs to nightly-scan-results and creates a PR, adding validation and PR permissions.
.github/workflows/validate-nightly-pr.yml New PR-time allowlist check to ensure nightly scan PRs only touch the expected artifacts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/nightly-scan.yml Outdated
Comment on lines +114 to +116
# Inline path validation: ensure only expected files are staged
ALLOWED_FILES="azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json"
for file in $(git diff --cached --name-only); do

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The allowlist of expected output files is duplicated here and in .github/workflows/validate-nightly-pr.yml. Keeping two separate lists increases the chance they drift and either block valid updates or allow unintended ones. Consider defining the allowlist once (e.g., an env var at workflow level, a shared script under .github/, or reuse the same list format in both workflows).

Copilot uses AI. Check for mistakes.
Comment on lines +23 to +27
ALLOWED_FILES=(
"azure_linux_images.db"
"docs/daily_recommendations.md"
"docs/daily_recommendations.json"
)

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The allowlist of allowed files is duplicated in the nightly workflow’s inline validation. Duplicated allowlists are easy to desync over time; consider sourcing the allowlist from a single place so both workflows enforce exactly the same set.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/nightly-scan.yml Outdated
CHANGED_FILES=$(git diff --cached --name-only | tr '\n' ' ')
echo "Changed files: $CHANGED_FILES"
git commit -m "chore: update nightly scan results"
git push --force-with-lease --force origin "$BRANCH"

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git push is passed both --force-with-lease and --force; the unconditional --force negates the safety of the lease and can overwrite remote updates unexpectedly. Drop --force (prefer --force-with-lease alone) or choose a single force mode intentionally.

Suggested change
git push --force-with-lease --force origin "$BRANCH"
git push --force-with-lease origin "$BRANCH"

Copilot uses AI. Check for mistakes.
Comment on lines +128 to 145
# Create PR if one doesn't already exist (scoped to this repo, not forks)
EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty')
if [ -z "$EXISTING_PR" ]; then
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body "Automated nightly scan results update.

This PR was created by the nightly scan workflow and contains updated:
- \`azure_linux_images.db\` — scan database
- \`docs/daily_recommendations.md\` — markdown report
- \`docs/daily_recommendations.json\` — JSON report

> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation).
> If required status checks are configured, you may need to manually re-push or close/reopen
> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details."
fi

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description says this workflow enables auto-merge (e.g., via gh pr merge --auto --squash), but this workflow currently only creates the PR and never configures auto-merge (nor does it do anything when EXISTING_PR is found). Either add the auto-merge step (and handle the existing-PR case) or update the PR description to match the implemented behavior.

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +9 to +23
permissions:
pull-requests: read

jobs:
validate-nightly-pr:
name: 🔒 Validate Nightly PR Files
if: github.head_ref == 'nightly-scan-results'
runs-on: ubuntu-24.04
timeout-minutes: 5
steps:
- name: ⤵️ Checkout allowlist
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
sparse-checkout: .github/nightly-allowed-files.sh
sparse-checkout-cone-mode: false

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/checkout in this workflow requires contents: read, but the workflow-level permissions block only grants pull-requests: read (and setting permissions overrides the default token permissions). As written, the checkout step will fail and the validation job won't run. Add contents: read (preferably at the job level, keeping a top-level permissions: {} like the other workflows in this repo).

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +34 to +62
CHANGED_FILES=$(gh api \
"repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" \
--paginate --jq '.[].filename')

UNEXPECTED=()
for file in $CHANGED_FILES; do
allowed=false
for af in "${NIGHTLY_ALLOWED_FILES[@]}"; do
if [ "$file" = "$af" ]; then
allowed=true
break
fi
done
if [ "$allowed" = "false" ]; then
UNEXPECTED+=("$file")
fi
done

if [ ${#UNEXPECTED[@]} -gt 0 ]; then
echo "::error::Nightly scan PR contains unexpected files:"
printf ' - %s\n' "${UNEXPECTED[@]}"
echo ""
echo "Only the following files are allowed:"
printf ' - %s\n' "${NIGHTLY_ALLOWED_FILES[@]}"
exit 1
fi

echo "✅ All changed files are in the allowed set:"
printf ' - %s\n' $CHANGED_FILES

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The file-validation loop uses word-splitting (for file in $CHANGED_FILES) and the final printf also expands $CHANGED_FILES unquoted. If any filename contains whitespace (or other IFS characters), the validation and output will be incorrect. Prefer newline-safe parsing (e.g., read line-by-line) and quote expansions when printing.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/nightly-scan.yml Outdated
Comment on lines +131 to +144
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body "Automated nightly scan results update.

This PR was created by the nightly scan workflow and contains updated:
- \`azure_linux_images.db\` — scan database
- \`docs/daily_recommendations.md\` — markdown report
- \`docs/daily_recommendations.json\` — JSON report

> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation).
> If required status checks are configured, you may need to manually re-push or close/reopen
> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details."

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR body text passed to gh pr create --body includes large leading indentation inside the quoted string (from YAML/script indentation). In GitHub Markdown, leading spaces render as a code block, so the PR description will likely be formatted incorrectly. Consider generating the body without leading spaces (e.g., heredoc or left-aligned lines).

Suggested change
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body "Automated nightly scan results update.
This PR was created by the nightly scan workflow and contains updated:
- \`azure_linux_images.db\` — scan database
- \`docs/daily_recommendations.md\` — markdown report
- \`docs/daily_recommendations.json\` — JSON report
> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation).
> If required status checks are configured, you may need to manually re-push or close/reopen
> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details."
PR_BODY=$(cat <<'EOF'
Automated nightly scan results update.
This PR was created by the nightly scan workflow and contains updated:
- `azure_linux_images.db` — scan database
- `docs/daily_recommendations.md` — markdown report
- `docs/daily_recommendations.json` — JSON report
> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation).
> If required status checks are configured, you may need to manually re-push or close/reopen
> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details.
EOF
)
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body "$PR_BODY"

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +21 to +32
- name: ⤵️ Checkout allowlist
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
sparse-checkout: .github/nightly-allowed-files.sh
sparse-checkout-cone-mode: false

- name: 📋 Check modified files
env:
GH_TOKEN: ${{ github.token }}
run: |
source .github/nightly-allowed-files.sh

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow checks out .github/nightly-allowed-files.sh from the PR's head ref, then sources it. A malicious PR from nightly-scan-results could modify that allowlist file to include unexpected paths and bypass this validation. Fetch the allowlist from the protected base branch/commit (e.g., ref: ${{ github.event.pull_request.base.sha }} or ref: main) before sourcing it, or retrieve it via the GitHub API from the base ref.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/nightly-scan.yml Outdated
# Inline path validation: ensure only expected files are staged
source .github/nightly-allowed-files.sh
for file in $(git diff --cached --name-only); do
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the inline path validation, grep -qx "$file" treats the allowlist entries as regular expressions (e.g., . matches any character). That means a path like docs/daily_recommendationsXjson could incorrectly be considered allowed. Use fixed-string matching (e.g., grep -F) or a pure string comparison loop to ensure exact path matches.

Suggested change
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -F -x -q -- "$file"; then

Copilot uses AI. Check for mistakes.
@maniSbindra
maniSbindra requested a review from Copilot April 16, 2026 16:19

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +92 to +107
BRANCH="nightly-scan-results"

# Validate expected scan artifacts exist
MISSING=()
for f in azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json; do
[ -f "$f" ] || MISSING+=("$f")
done
if [ ${#MISSING[@]} -gt 0 ]; then
echo "::error::Missing expected scan artifacts:"
printf ' - %s\n' "${MISSING[@]}"
exit 1
fi

# Create or reset the scan results branch from current HEAD
git checkout -B "$BRANCH"

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git checkout -B "$BRANCH" resets the results branch from whatever ref the workflow ran on. For workflow_dispatch, a maintainer can run this workflow from a non-main branch, which would then force-push nightly-scan-results based on that branch and open a PR to main. To prevent accidental (or unintended) divergence, explicitly base the results branch off origin/main (or ${{ github.event.repository.default_branch }}) and/or add a guard so this job only runs when github.ref is refs/heads/main.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/nightly-scan.yml Outdated
Comment on lines +116 to +121
for file in $(git diff --cached --name-only); do
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then
echo "::error::Unexpected file staged: $file"
exit 1
fi
done

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The inline path validation iterates over $(git diff --cached --name-only), which relies on shell word-splitting and can mis-handle unusual filenames (whitespace/newlines). Using a newline- or NUL-delimited loop (e.g., git diff --cached --name-only -z with read -d '') makes the validation robust.

Suggested change
for file in $(git diff --cached --name-only); do
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then
echo "::error::Unexpected file staged: $file"
exit 1
fi
done
while IFS= read -r -d '' file; do
if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then
echo "::error::Unexpected file staged: $file"
exit 1
fi
done < <(git diff --cached --name-only -z)

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +94 to +98
# Validate expected scan artifacts exist
MISSING=()
for f in azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json; do
[ -f "$f" ] || MISSING+=("$f")
done

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The expected file list is hard-coded in multiple places (this artifact existence loop, the later git add -f ..., and the sourced NIGHTLY_ALLOWED_FILES allowlist). This duplication can drift over time and the allowlist validation will always pass as long as git add stays hard-coded. Consider driving the existence check and git add from NIGHTLY_ALLOWED_FILES so there’s a single source of truth (and optionally validating the full working tree diff against it).

Copilot uses AI. Check for mistakes.
with:
ref: ${{ github.event.pull_request.base.sha }}
sparse-checkout: .github/nightly-allowed-files.sh
sparse-checkout-cone-mode: false

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This checkout is only used to read the allowlist file, but it leaves the default persisted GitHub token credentials in the local git config. Other PR workflows in this repo set persist-credentials: false for read-only checkouts; doing the same here would better align with least-privilege and avoid accidental authenticated git operations.

Suggested change
sparse-checkout-cone-mode: false
sparse-checkout-cone-mode: false
persist-credentials: false

Copilot uses AI. Check for mistakes.
fi

echo "✅ All changed files are in the allowed set:"
printf ' - %s\n' "${CHANGED_FILES}"

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CHANGED_FILES is a newline-delimited string. With the current quoting, printf ' - %s\n' "${CHANGED_FILES}" will print it as a single bullet with embedded newlines (no - prefix on subsequent lines). Consider iterating line-by-line (similar to the loop above) or converting it to an array before printing so the output formatting stays consistent.

Suggested change
printf ' - %s\n' "${CHANGED_FILES}"
while IFS= read -r file; do
[ -z "$file" ] && continue
printf ' - %s\n' "$file"
done <<< "$CHANGED_FILES"

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +107 to +110

# Create or reset the scan results branch from main
git checkout -B "$BRANCH" origin/main

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git checkout -B "$BRANCH" origin/main happens after the scan has generated/modified azure_linux_images.db and the docs outputs. Switching branches at this point will either fail due to a dirty working tree (local changes would be overwritten) or reset the working tree back to origin/main, causing the subsequent git add to stage the pre-scan versions and resulting in no PR updates.

Move the branch creation/reset to before running the scan, or stash/commit the generated artifacts before switching to origin/main and then re-apply them on the results branch (e.g., git stash push -u -> checkout/reset branch -> git stash pop).

Suggested change
# Create or reset the scan results branch from main
git checkout -B "$BRANCH" origin/main
# Preserve generated scan artifacts before resetting the branch
STASH_NAME="nightly-scan-artifacts-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
git stash push -u -m "$STASH_NAME" -- "${NIGHTLY_ALLOWED_FILES[@]}"
# Create or reset the scan results branch from main
git checkout -B "$BRANCH" origin/main
STASH_REF=$(git stash list --format='%gd %s' | awk -v name="$STASH_NAME" '$0 ~ name { print $1; exit }')
if [ -n "$STASH_REF" ]; then
git stash pop "$STASH_REF"
fi

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/nightly-scan.yml Outdated

BRANCH="nightly-scan-results"

# Source the shared allowlist for all file operations

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this step the allowlist is sourced from the working tree after running untrusted scan tooling. If the scan step (or any dependency) modifies .github/nightly-allowed-files.sh before this source, it can expand NIGHTLY_ALLOWED_FILES and the later “preserve/restore + git add” logic would allow committing arbitrary files (the inline path validation would also be bypassed because it uses the same tainted list). Consider loading the allowlist from a trusted ref (e.g., origin/main / ${{ github.sha }}) right before use (e.g., git restore --source=origin/main -- .github/nightly-allowed-files.sh then source), or hard-coding the file list in the workflow step so it cannot be altered at runtime.

Suggested change
# Source the shared allowlist for all file operations
# Restore the shared allowlist from the trusted triggering commit
# before sourcing it so earlier tooling cannot taint the file list.
git restore --source='${{ github.sha }}' -- .github/nightly-allowed-files.sh

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

token: ${{ steps.app-token.outputs.token }}
lfs: true
fetch-depth: 0

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workflow_dispatch runs can be triggered from non-main refs, but this workflow later hard-resets the results branch from origin/main. If the dispatch is run on another branch, origin/main may not be fetched by actions/checkout (default fetches only the triggering ref), causing git checkout -B "$BRANCH" origin/main to fail or use a stale ref. Consider checking out main explicitly (or fetching origin main before the reset) so manual runs behave deterministically.

Suggested change
- name: 🔄 Fetch main ref explicitly
run: git fetch --no-tags origin main:refs/remotes/origin/main

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jobs:
validate-nightly-pr:
name: 🔒 Validate Nightly PR Files
if: github.head_ref == 'nightly-scan-results'

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The job-level if: github.head_ref == 'nightly-scan-results' will also run (and potentially fail) for any contributor PR whose branch is named nightly-scan-results, including from forks. To ensure this check only applies to the automated nightly branch, also gate on the head repo being this repo (non-fork) and/or the PR author/actor being github-actions[bot] (or another reliable signal).

Suggested change
if: github.head_ref == 'nightly-scan-results'
if: >-
github.head_ref == 'nightly-scan-results' &&
github.event.pull_request.head.repo.full_name == github.repository &&
github.actor == 'github-actions[bot]'

Copilot uses AI. Check for mistakes.
Comment on lines +181 to +200
# Create PR if one doesn't already exist (scoped to this repo, not forks)
EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty')
if [ -z "$EXISTING_PR" ]; then
printf '%s\n' \
"Automated nightly scan results update." \
"" \
"This PR was created by the nightly scan workflow and contains updated:" \
'- `azure_linux_images.db` — scan database' \
'- `docs/daily_recommendations.md` — markdown report' \
'- `docs/daily_recommendations.json` — JSON report' \
"" \
"> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \
"> If required status checks are configured, you may need to manually re-push or close/reopen" \
"> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \
> /tmp/nightly-pr-body.md
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body-file /tmp/nightly-pr-body.md

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow hardcodes main as the PR base branch (gh pr list ... --base main / gh pr create --base main) while earlier steps derive DEFAULT_BRANCH from github.event.repository.default_branch. If the default branch ever changes, the workflow will start targeting the wrong base. Consider using the same default-branch value for PR base selection (and for the validate-nightly-pr.yml trigger/condition strategy) to keep behavior consistent.

Copilot uses AI. Check for mistakes.
Comment on lines +181 to +200
# Create PR if one doesn't already exist (scoped to this repo, not forks)
EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty')
if [ -z "$EXISTING_PR" ]; then
printf '%s\n' \
"Automated nightly scan results update." \
"" \
"This PR was created by the nightly scan workflow and contains updated:" \
'- `azure_linux_images.db` — scan database' \
'- `docs/daily_recommendations.md` — markdown report' \
'- `docs/daily_recommendations.json` — JSON report' \
"" \
"> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \
"> If required status checks are configured, you may need to manually re-push or close/reopen" \
"> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \
> /tmp/nightly-pr-body.md
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body-file /tmp/nightly-pr-body.md

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR body text states that PRs created by GITHUB_TOKEN don’t trigger other workflows, but the workflow does not update an existing PR’s title/body when it reuses one. If the limitation/workaround text changes in the future, existing open nightly PRs may retain stale guidance. Consider updating the PR body when EXISTING_PR is found (e.g., gh pr edit) so the message stays accurate over time.

Suggested change
# Create PR if one doesn't already exist (scoped to this repo, not forks)
EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty')
if [ -z "$EXISTING_PR" ]; then
printf '%s\n' \
"Automated nightly scan results update." \
"" \
"This PR was created by the nightly scan workflow and contains updated:" \
'- `azure_linux_images.db` — scan database' \
'- `docs/daily_recommendations.md` — markdown report' \
'- `docs/daily_recommendations.json` — JSON report' \
"" \
"> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \
"> If required status checks are configured, you may need to manually re-push or close/reopen" \
"> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \
> /tmp/nightly-pr-body.md
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore: update nightly scan results" \
--body-file /tmp/nightly-pr-body.md
PR_TITLE="chore: update nightly scan results"
printf '%s\n' \
"Automated nightly scan results update." \
"" \
"This PR was created by the nightly scan workflow and contains updated:" \
'- `azure_linux_images.db` — scan database' \
'- `docs/daily_recommendations.md` — markdown report' \
'- `docs/daily_recommendations.json` — JSON report' \
"" \
"> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \
"> If required status checks are configured, you may need to manually re-push or close/reopen" \
"> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \
> /tmp/nightly-pr-body.md
# Create PR if one doesn't already exist (scoped to this repo, not forks)
EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty')
if [ -z "$EXISTING_PR" ]; then
gh pr create \
--base main \
--head "$BRANCH" \
--title "$PR_TITLE" \
--body-file /tmp/nightly-pr-body.md
else
gh pr edit "$EXISTING_PR" \
--title "$PR_TITLE" \
--body-file /tmp/nightly-pr-body.md

Copilot uses AI. Check for mistakes.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Replace the failing create-github-app-token step with GITHUB_TOKEN
and switch from direct-push-to-main to a PR-based workflow:

- Remove create-github-app-token step (APP_ID/APP_PRIVATE_KEY unavailable)
- Create nightly-scan-results branch and open PR for manual review
- Add inline path validation with shared allowlist (.github/nightly-allowed-files.sh)
- Add validate-nightly-pr.yml as defense-in-depth file validation
- Restore allowlist from trusted commit SHA before sourcing
- Preserve scan artifacts across branch reset via tmpdir

Relates to #6

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@maniSbindra
maniSbindra force-pushed the fix/nightly-scan-github-token branch from 34cd74a to 32322be Compare April 17, 2026 10:12
@maniSbindra

Copy link
Copy Markdown
Member Author

Closing in favor of a new PR with clean squashed history.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants