Use environment secrets and variables for security

[5ouma]

⚠️ Issue

close #

✏️ Description

Restrict the token usage for each environment.

• I agree to follow the Code of Conduct.

[Copilot]

Pull request overview

This PR updates GitHub Actions workflows to use GitHub Environments (and environment-scoped variables) to better scope credentials per workflow/job, aligning with the goal of restricting token usage by environment.

Changes:

• Assign the tagpr release job to the Release environment and source the GitHub App ID from vars.APP_ID.
• Assign the CI test job to the CI environment.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/release.yml	Adds environment: Release to the tagging job and switches GitHub App ID to an environment/repo variable.
.github/workflows/ci.yml	Adds environment: CI to the test job to enable environment-scoped configuration.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[coderabbitai]

Walkthrough

Two GitHub Actions workflow files are modified to add environment declarations. The CI workflow gains a named environment for its test job, while the release workflow adds an environment to its tagpr job and switches the GitHub App ID source from secrets to variables.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/ci.yml, .github/workflows/release.yml	Added environment declarations (CI and Release) to respective workflow jobs. In release workflow, changed APP_ID credential source from secrets.APP_ID to vars.APP_ID.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main changes: adding environment secrets and variables to GitHub Actions workflows for enhanced security.
Description check	✅ Passed	The description relates to the changeset by explaining the purpose of restricting token usage for each environment, which aligns with the workflow modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci-ci-environment-secrets

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 25-26: Document that the Release GitHub Actions environment must
have the variables APP_ID (repository variable) and PRIVATE_KEY (secret)
configured so the workflow can create tokens; update CONTRIBUTING.md (or a setup
guide) with explicit steps: add a repository/organization variable named APP_ID,
add a secret named PRIVATE_KEY, and confirm they are assigned to the Release
environment used by .github/workflows/release.yml, including any required
formatting/permissions for the private key.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e40a4d32-f9e7-41aa-830d-a2433200682b

📥 Commits

Reviewing files that changed from the base of the PR and between b55f8f1 and c5a0a65.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.08%. Comparing base (b55f8f1) to head (c5a0a65).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #43   +/-   ##
=======================================
  Coverage   51.08%   51.08%           
=======================================
  Files           9        9           
  Lines         370      370           
=======================================
  Hits          189      189           
  Misses        167      167           
  Partials       14       14           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.