fix: replace GitHub App token with GITHUB_TOKEN + PR workflow#7
fix: replace GitHub App token with GITHUB_TOKEN + PR workflow#7maniSbindra wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the nightly scan automation to stop depending on unavailable GitHub App secrets by switching to the built-in GITHUB_TOKEN and moving from direct pushes to a PR-based update flow, with additional safeguards on what files can be changed.
Changes:
- Reworks
nightly-scan.ymlto commit scan outputs to a dedicated branch and open/update a PR tomain, including inline artifact/path validation. - Adds
validate-nightly-pr.ymlto validate that nightly PRs only modify the expected scan output files.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/nightly-scan.yml | Removes GitHub App token usage; commits outputs to nightly-scan-results and creates a PR, adding validation and PR permissions. |
| .github/workflows/validate-nightly-pr.yml | New PR-time allowlist check to ensure nightly scan PRs only touch the expected artifacts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Inline path validation: ensure only expected files are staged | ||
| ALLOWED_FILES="azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json" | ||
| for file in $(git diff --cached --name-only); do |
There was a problem hiding this comment.
The allowlist of expected output files is duplicated here and in .github/workflows/validate-nightly-pr.yml. Keeping two separate lists increases the chance they drift and either block valid updates or allow unintended ones. Consider defining the allowlist once (e.g., an env var at workflow level, a shared script under .github/, or reuse the same list format in both workflows).
| ALLOWED_FILES=( | ||
| "azure_linux_images.db" | ||
| "docs/daily_recommendations.md" | ||
| "docs/daily_recommendations.json" | ||
| ) |
There was a problem hiding this comment.
The allowlist of allowed files is duplicated in the nightly workflow’s inline validation. Duplicated allowlists are easy to desync over time; consider sourcing the allowlist from a single place so both workflows enforce exactly the same set.
| CHANGED_FILES=$(git diff --cached --name-only | tr '\n' ' ') | ||
| echo "Changed files: $CHANGED_FILES" | ||
| git commit -m "chore: update nightly scan results" | ||
| git push --force-with-lease --force origin "$BRANCH" |
There was a problem hiding this comment.
git push is passed both --force-with-lease and --force; the unconditional --force negates the safety of the lease and can overwrite remote updates unexpectedly. Drop --force (prefer --force-with-lease alone) or choose a single force mode intentionally.
| git push --force-with-lease --force origin "$BRANCH" | |
| git push --force-with-lease origin "$BRANCH" |
| # Create PR if one doesn't already exist (scoped to this repo, not forks) | ||
| EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty') | ||
| if [ -z "$EXISTING_PR" ]; then | ||
| gh pr create \ | ||
| --base main \ | ||
| --head "$BRANCH" \ | ||
| --title "chore: update nightly scan results" \ | ||
| --body "Automated nightly scan results update. | ||
|
|
||
| This PR was created by the nightly scan workflow and contains updated: | ||
| - \`azure_linux_images.db\` — scan database | ||
| - \`docs/daily_recommendations.md\` — markdown report | ||
| - \`docs/daily_recommendations.json\` — JSON report | ||
|
|
||
| > **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation). | ||
| > If required status checks are configured, you may need to manually re-push or close/reopen | ||
| > the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." | ||
| fi |
There was a problem hiding this comment.
The PR description says this workflow enables auto-merge (e.g., via gh pr merge --auto --squash), but this workflow currently only creates the PR and never configures auto-merge (nor does it do anything when EXISTING_PR is found). Either add the auto-merge step (and handle the existing-PR case) or update the PR description to match the implemented behavior.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| validate-nightly-pr: | ||
| name: 🔒 Validate Nightly PR Files | ||
| if: github.head_ref == 'nightly-scan-results' | ||
| runs-on: ubuntu-24.04 | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - name: ⤵️ Checkout allowlist | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| sparse-checkout: .github/nightly-allowed-files.sh | ||
| sparse-checkout-cone-mode: false |
There was a problem hiding this comment.
actions/checkout in this workflow requires contents: read, but the workflow-level permissions block only grants pull-requests: read (and setting permissions overrides the default token permissions). As written, the checkout step will fail and the validation job won't run. Add contents: read (preferably at the job level, keeping a top-level permissions: {} like the other workflows in this repo).
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| CHANGED_FILES=$(gh api \ | ||
| "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" \ | ||
| --paginate --jq '.[].filename') | ||
|
|
||
| UNEXPECTED=() | ||
| for file in $CHANGED_FILES; do | ||
| allowed=false | ||
| for af in "${NIGHTLY_ALLOWED_FILES[@]}"; do | ||
| if [ "$file" = "$af" ]; then | ||
| allowed=true | ||
| break | ||
| fi | ||
| done | ||
| if [ "$allowed" = "false" ]; then | ||
| UNEXPECTED+=("$file") | ||
| fi | ||
| done | ||
|
|
||
| if [ ${#UNEXPECTED[@]} -gt 0 ]; then | ||
| echo "::error::Nightly scan PR contains unexpected files:" | ||
| printf ' - %s\n' "${UNEXPECTED[@]}" | ||
| echo "" | ||
| echo "Only the following files are allowed:" | ||
| printf ' - %s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "✅ All changed files are in the allowed set:" | ||
| printf ' - %s\n' $CHANGED_FILES |
There was a problem hiding this comment.
The file-validation loop uses word-splitting (for file in $CHANGED_FILES) and the final printf also expands $CHANGED_FILES unquoted. If any filename contains whitespace (or other IFS characters), the validation and output will be incorrect. Prefer newline-safe parsing (e.g., read line-by-line) and quote expansions when printing.
| gh pr create \ | ||
| --base main \ | ||
| --head "$BRANCH" \ | ||
| --title "chore: update nightly scan results" \ | ||
| --body "Automated nightly scan results update. | ||
|
|
||
| This PR was created by the nightly scan workflow and contains updated: | ||
| - \`azure_linux_images.db\` — scan database | ||
| - \`docs/daily_recommendations.md\` — markdown report | ||
| - \`docs/daily_recommendations.json\` — JSON report | ||
|
|
||
| > **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation). | ||
| > If required status checks are configured, you may need to manually re-push or close/reopen | ||
| > the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." |
There was a problem hiding this comment.
The PR body text passed to gh pr create --body includes large leading indentation inside the quoted string (from YAML/script indentation). In GitHub Markdown, leading spaces render as a code block, so the PR description will likely be formatted incorrectly. Consider generating the body without leading spaces (e.g., heredoc or left-aligned lines).
| gh pr create \ | |
| --base main \ | |
| --head "$BRANCH" \ | |
| --title "chore: update nightly scan results" \ | |
| --body "Automated nightly scan results update. | |
| This PR was created by the nightly scan workflow and contains updated: | |
| - \`azure_linux_images.db\` — scan database | |
| - \`docs/daily_recommendations.md\` — markdown report | |
| - \`docs/daily_recommendations.json\` — JSON report | |
| > **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation). | |
| > If required status checks are configured, you may need to manually re-push or close/reopen | |
| > the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." | |
| PR_BODY=$(cat <<'EOF' | |
| Automated nightly scan results update. | |
| This PR was created by the nightly scan workflow and contains updated: | |
| - `azure_linux_images.db` — scan database | |
| - `docs/daily_recommendations.md` — markdown report | |
| - `docs/daily_recommendations.json` — JSON report | |
| > **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation). | |
| > If required status checks are configured, you may need to manually re-push or close/reopen | |
| > the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details. | |
| EOF | |
| ) | |
| gh pr create \ | |
| --base main \ | |
| --head "$BRANCH" \ | |
| --title "chore: update nightly scan results" \ | |
| --body "$PR_BODY" |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: ⤵️ Checkout allowlist | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| sparse-checkout: .github/nightly-allowed-files.sh | ||
| sparse-checkout-cone-mode: false | ||
|
|
||
| - name: 📋 Check modified files | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| source .github/nightly-allowed-files.sh | ||
|
|
There was a problem hiding this comment.
The workflow checks out .github/nightly-allowed-files.sh from the PR's head ref, then sources it. A malicious PR from nightly-scan-results could modify that allowlist file to include unexpected paths and bypass this validation. Fetch the allowlist from the protected base branch/commit (e.g., ref: ${{ github.event.pull_request.base.sha }} or ref: main) before sourcing it, or retrieve it via the GitHub API from the base ref.
| # Inline path validation: ensure only expected files are staged | ||
| source .github/nightly-allowed-files.sh | ||
| for file in $(git diff --cached --name-only); do | ||
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then |
There was a problem hiding this comment.
In the inline path validation, grep -qx "$file" treats the allowlist entries as regular expressions (e.g., . matches any character). That means a path like docs/daily_recommendationsXjson could incorrectly be considered allowed. Use fixed-string matching (e.g., grep -F) or a pure string comparison loop to ensure exact path matches.
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then | |
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -F -x -q -- "$file"; then |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| BRANCH="nightly-scan-results" | ||
|
|
||
| # Validate expected scan artifacts exist | ||
| MISSING=() | ||
| for f in azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json; do | ||
| [ -f "$f" ] || MISSING+=("$f") | ||
| done | ||
| if [ ${#MISSING[@]} -gt 0 ]; then | ||
| echo "::error::Missing expected scan artifacts:" | ||
| printf ' - %s\n' "${MISSING[@]}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Create or reset the scan results branch from current HEAD | ||
| git checkout -B "$BRANCH" | ||
|
|
There was a problem hiding this comment.
git checkout -B "$BRANCH" resets the results branch from whatever ref the workflow ran on. For workflow_dispatch, a maintainer can run this workflow from a non-main branch, which would then force-push nightly-scan-results based on that branch and open a PR to main. To prevent accidental (or unintended) divergence, explicitly base the results branch off origin/main (or ${{ github.event.repository.default_branch }}) and/or add a guard so this job only runs when github.ref is refs/heads/main.
| for file in $(git diff --cached --name-only); do | ||
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then | ||
| echo "::error::Unexpected file staged: $file" | ||
| exit 1 | ||
| fi | ||
| done |
There was a problem hiding this comment.
The inline path validation iterates over $(git diff --cached --name-only), which relies on shell word-splitting and can mis-handle unusual filenames (whitespace/newlines). Using a newline- or NUL-delimited loop (e.g., git diff --cached --name-only -z with read -d '') makes the validation robust.
| for file in $(git diff --cached --name-only); do | |
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then | |
| echo "::error::Unexpected file staged: $file" | |
| exit 1 | |
| fi | |
| done | |
| while IFS= read -r -d '' file; do | |
| if ! printf '%s\n' "${NIGHTLY_ALLOWED_FILES[@]}" | grep -qx "$file"; then | |
| echo "::error::Unexpected file staged: $file" | |
| exit 1 | |
| fi | |
| done < <(git diff --cached --name-only -z) |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Validate expected scan artifacts exist | ||
| MISSING=() | ||
| for f in azure_linux_images.db docs/daily_recommendations.md docs/daily_recommendations.json; do | ||
| [ -f "$f" ] || MISSING+=("$f") | ||
| done |
There was a problem hiding this comment.
The expected file list is hard-coded in multiple places (this artifact existence loop, the later git add -f ..., and the sourced NIGHTLY_ALLOWED_FILES allowlist). This duplication can drift over time and the allowlist validation will always pass as long as git add stays hard-coded. Consider driving the existence check and git add from NIGHTLY_ALLOWED_FILES so there’s a single source of truth (and optionally validating the full working tree diff against it).
| with: | ||
| ref: ${{ github.event.pull_request.base.sha }} | ||
| sparse-checkout: .github/nightly-allowed-files.sh | ||
| sparse-checkout-cone-mode: false |
There was a problem hiding this comment.
This checkout is only used to read the allowlist file, but it leaves the default persisted GitHub token credentials in the local git config. Other PR workflows in this repo set persist-credentials: false for read-only checkouts; doing the same here would better align with least-privilege and avoid accidental authenticated git operations.
| sparse-checkout-cone-mode: false | |
| sparse-checkout-cone-mode: false | |
| persist-credentials: false |
| fi | ||
|
|
||
| echo "✅ All changed files are in the allowed set:" | ||
| printf ' - %s\n' "${CHANGED_FILES}" |
There was a problem hiding this comment.
CHANGED_FILES is a newline-delimited string. With the current quoting, printf ' - %s\n' "${CHANGED_FILES}" will print it as a single bullet with embedded newlines (no - prefix on subsequent lines). Consider iterating line-by-line (similar to the loop above) or converting it to an array before printing so the output formatting stays consistent.
| printf ' - %s\n' "${CHANGED_FILES}" | |
| while IFS= read -r file; do | |
| [ -z "$file" ] && continue | |
| printf ' - %s\n' "$file" | |
| done <<< "$CHANGED_FILES" |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| # Create or reset the scan results branch from main | ||
| git checkout -B "$BRANCH" origin/main | ||
|
|
There was a problem hiding this comment.
git checkout -B "$BRANCH" origin/main happens after the scan has generated/modified azure_linux_images.db and the docs outputs. Switching branches at this point will either fail due to a dirty working tree (local changes would be overwritten) or reset the working tree back to origin/main, causing the subsequent git add to stage the pre-scan versions and resulting in no PR updates.
Move the branch creation/reset to before running the scan, or stash/commit the generated artifacts before switching to origin/main and then re-apply them on the results branch (e.g., git stash push -u -> checkout/reset branch -> git stash pop).
| # Create or reset the scan results branch from main | |
| git checkout -B "$BRANCH" origin/main | |
| # Preserve generated scan artifacts before resetting the branch | |
| STASH_NAME="nightly-scan-artifacts-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" | |
| git stash push -u -m "$STASH_NAME" -- "${NIGHTLY_ALLOWED_FILES[@]}" | |
| # Create or reset the scan results branch from main | |
| git checkout -B "$BRANCH" origin/main | |
| STASH_REF=$(git stash list --format='%gd %s' | awk -v name="$STASH_NAME" '$0 ~ name { print $1; exit }') | |
| if [ -n "$STASH_REF" ]; then | |
| git stash pop "$STASH_REF" | |
| fi |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| BRANCH="nightly-scan-results" | ||
|
|
||
| # Source the shared allowlist for all file operations |
There was a problem hiding this comment.
In this step the allowlist is sourced from the working tree after running untrusted scan tooling. If the scan step (or any dependency) modifies .github/nightly-allowed-files.sh before this source, it can expand NIGHTLY_ALLOWED_FILES and the later “preserve/restore + git add” logic would allow committing arbitrary files (the inline path validation would also be bypassed because it uses the same tainted list). Consider loading the allowlist from a trusted ref (e.g., origin/main / ${{ github.sha }}) right before use (e.g., git restore --source=origin/main -- .github/nightly-allowed-files.sh then source), or hard-coding the file list in the workflow step so it cannot be altered at runtime.
| # Source the shared allowlist for all file operations | |
| # Restore the shared allowlist from the trusted triggering commit | |
| # before sourcing it so earlier tooling cannot taint the file list. | |
| git restore --source='${{ github.sha }}' -- .github/nightly-allowed-files.sh |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| token: ${{ steps.app-token.outputs.token }} | ||
| lfs: true | ||
| fetch-depth: 0 | ||
|
|
There was a problem hiding this comment.
workflow_dispatch runs can be triggered from non-main refs, but this workflow later hard-resets the results branch from origin/main. If the dispatch is run on another branch, origin/main may not be fetched by actions/checkout (default fetches only the triggering ref), causing git checkout -B "$BRANCH" origin/main to fail or use a stale ref. Consider checking out main explicitly (or fetching origin main before the reset) so manual runs behave deterministically.
| - name: 🔄 Fetch main ref explicitly | |
| run: git fetch --no-tags origin main:refs/remotes/origin/main |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| jobs: | ||
| validate-nightly-pr: | ||
| name: 🔒 Validate Nightly PR Files | ||
| if: github.head_ref == 'nightly-scan-results' |
There was a problem hiding this comment.
The job-level if: github.head_ref == 'nightly-scan-results' will also run (and potentially fail) for any contributor PR whose branch is named nightly-scan-results, including from forks. To ensure this check only applies to the automated nightly branch, also gate on the head repo being this repo (non-fork) and/or the PR author/actor being github-actions[bot] (or another reliable signal).
| if: github.head_ref == 'nightly-scan-results' | |
| if: >- | |
| github.head_ref == 'nightly-scan-results' && | |
| github.event.pull_request.head.repo.full_name == github.repository && | |
| github.actor == 'github-actions[bot]' |
| # Create PR if one doesn't already exist (scoped to this repo, not forks) | ||
| EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty') | ||
| if [ -z "$EXISTING_PR" ]; then | ||
| printf '%s\n' \ | ||
| "Automated nightly scan results update." \ | ||
| "" \ | ||
| "This PR was created by the nightly scan workflow and contains updated:" \ | ||
| '- `azure_linux_images.db` — scan database' \ | ||
| '- `docs/daily_recommendations.md` — markdown report' \ | ||
| '- `docs/daily_recommendations.json` — JSON report' \ | ||
| "" \ | ||
| "> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \ | ||
| "> If required status checks are configured, you may need to manually re-push or close/reopen" \ | ||
| "> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \ | ||
| > /tmp/nightly-pr-body.md | ||
| gh pr create \ | ||
| --base main \ | ||
| --head "$BRANCH" \ | ||
| --title "chore: update nightly scan results" \ | ||
| --body-file /tmp/nightly-pr-body.md |
There was a problem hiding this comment.
This workflow hardcodes main as the PR base branch (gh pr list ... --base main / gh pr create --base main) while earlier steps derive DEFAULT_BRANCH from github.event.repository.default_branch. If the default branch ever changes, the workflow will start targeting the wrong base. Consider using the same default-branch value for PR base selection (and for the validate-nightly-pr.yml trigger/condition strategy) to keep behavior consistent.
| # Create PR if one doesn't already exist (scoped to this repo, not forks) | ||
| EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty') | ||
| if [ -z "$EXISTING_PR" ]; then | ||
| printf '%s\n' \ | ||
| "Automated nightly scan results update." \ | ||
| "" \ | ||
| "This PR was created by the nightly scan workflow and contains updated:" \ | ||
| '- `azure_linux_images.db` — scan database' \ | ||
| '- `docs/daily_recommendations.md` — markdown report' \ | ||
| '- `docs/daily_recommendations.json` — JSON report' \ | ||
| "" \ | ||
| "> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \ | ||
| "> If required status checks are configured, you may need to manually re-push or close/reopen" \ | ||
| "> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \ | ||
| > /tmp/nightly-pr-body.md | ||
| gh pr create \ | ||
| --base main \ | ||
| --head "$BRANCH" \ | ||
| --title "chore: update nightly scan results" \ | ||
| --body-file /tmp/nightly-pr-body.md |
There was a problem hiding this comment.
The PR body text states that PRs created by GITHUB_TOKEN don’t trigger other workflows, but the workflow does not update an existing PR’s title/body when it reuses one. If the limitation/workaround text changes in the future, existing open nightly PRs may retain stale guidance. Consider updating the PR body when EXISTING_PR is found (e.g., gh pr edit) so the message stays accurate over time.
| # Create PR if one doesn't already exist (scoped to this repo, not forks) | |
| EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty') | |
| if [ -z "$EXISTING_PR" ]; then | |
| printf '%s\n' \ | |
| "Automated nightly scan results update." \ | |
| "" \ | |
| "This PR was created by the nightly scan workflow and contains updated:" \ | |
| '- `azure_linux_images.db` — scan database' \ | |
| '- `docs/daily_recommendations.md` — markdown report' \ | |
| '- `docs/daily_recommendations.json` — JSON report' \ | |
| "" \ | |
| "> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \ | |
| "> If required status checks are configured, you may need to manually re-push or close/reopen" \ | |
| "> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \ | |
| > /tmp/nightly-pr-body.md | |
| gh pr create \ | |
| --base main \ | |
| --head "$BRANCH" \ | |
| --title "chore: update nightly scan results" \ | |
| --body-file /tmp/nightly-pr-body.md | |
| PR_TITLE="chore: update nightly scan results" | |
| printf '%s\n' \ | |
| "Automated nightly scan results update." \ | |
| "" \ | |
| "This PR was created by the nightly scan workflow and contains updated:" \ | |
| '- `azure_linux_images.db` — scan database' \ | |
| '- `docs/daily_recommendations.md` — markdown report' \ | |
| '- `docs/daily_recommendations.json` — JSON report' \ | |
| "" \ | |
| "> **Note:** PRs created by GITHUB_TOKEN do not trigger other workflows (GitHub limitation)." \ | |
| "> If required status checks are configured, you may need to manually re-push or close/reopen" \ | |
| "> the PR to trigger them. See https://github.com/microsoft/sbi/issues/6 for details." \ | |
| > /tmp/nightly-pr-body.md | |
| # Create PR if one doesn't already exist (scoped to this repo, not forks) | |
| EXISTING_PR=$(gh pr list --head "${{ github.repository_owner }}:$BRANCH" --base main --state open --json number --jq '.[0].number // empty') | |
| if [ -z "$EXISTING_PR" ]; then | |
| gh pr create \ | |
| --base main \ | |
| --head "$BRANCH" \ | |
| --title "$PR_TITLE" \ | |
| --body-file /tmp/nightly-pr-body.md | |
| else | |
| gh pr edit "$EXISTING_PR" \ | |
| --title "$PR_TITLE" \ | |
| --body-file /tmp/nightly-pr-body.md |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Replace the failing create-github-app-token step with GITHUB_TOKEN and switch from direct-push-to-main to a PR-based workflow: - Remove create-github-app-token step (APP_ID/APP_PRIVATE_KEY unavailable) - Create nightly-scan-results branch and open PR for manual review - Add inline path validation with shared allowlist (.github/nightly-allowed-files.sh) - Add validate-nightly-pr.yml as defense-in-depth file validation - Restore allowlist from trusted commit SHA before sourcing - Preserve scan artifacts across branch reset via tmpdir Relates to #6 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
34cd74a to
32322be
Compare
|
Closing in favor of a new PR with clean squashed history. |
Summary
Fixes the nightly scan workflow which fails immediately because
APP_IDandAPP_PRIVATE_KEYsecrets are not configured and a GitHub App cannot be created on the org at this time.Relates to #6
Changes
nightly-scan.ymlcreate-github-app-tokenstep — uses defaultGITHUB_TOKENinsteadmainwith a PR-based approach (manual review and merge):nightly-scan-resultsbranchmainpull-requests: writepermissionvalidate-nightly-pr.yml(new)pull_requestfor thenightly-scan-resultsbranchifcondition).github/nightly-allowed-files.sh(new)Known Limitation
PRs created by
GITHUB_TOKENdo not trigger other workflows (GitHub security measure). This means: