Skip to content

workflows/vendor-gems: stop PR auto-pushes.#22077

Merged
MikeMcQuaid merged 1 commit intomainfrom
homebrew-ci-vendor-gems-commit-security-issue
Apr 24, 2026
Merged

workflows/vendor-gems: stop PR auto-pushes.#22077
MikeMcQuaid merged 1 commit intomainfrom
homebrew-ci-vendor-gems-commit-security-issue

Conversation

@MikeMcQuaid
Copy link
Copy Markdown
Member

@MikeMcQuaid MikeMcQuaid commented Apr 24, 2026

  • keep pull_request runs read-only so vendored gem updates do not rely on commit credentials in an untrusted context
  • keep the out-of-sync failure so maintainers can rerun with workflow_dispatch when a signed bot commit is needed
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?
  • AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes. Non-maintainers may only have one AI-assisted/generated PR open at a time.

Used OpenAI Codex with manual review.

@MikeMcQuaid
workflows/vendor-gems: stop PR auto-pushes.
d970c7d 
- keep `pull_request` runs read-only so vendored gem updates do not
  rely on commit credentials in an untrusted context
- keep the out-of-sync failure so maintainers can rerun with
  `workflow_dispatch` when a signed bot commit is needed
Copilot AI review requested due to automatic review settings April 24, 2026 11:28
Copilot AI reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the vendor-gems GitHub Actions workflow so that pull_request executions remain read-only and never attempt to commit/push changes back to the PR branch. Pushing updates is limited to explicit workflow_dispatch runs, using an app token, keeping untrusted PR contexts free of commit credentials.

Changes:

  • Reduce workflow token permissions from contents: write to contents: read.
  • Remove the Dependabot-specific auto-checkout/commit/push behavior on pull_request; those steps now run only on workflow_dispatch.
  • Require the GitHub App token for the push step (no fallback to secrets.GITHUB_TOKEN).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Apr 24, 2026
Merged via the queue into main with commit dfe7831 Apr 24, 2026
41 checks passed
@MikeMcQuaid MikeMcQuaid deleted the homebrew-ci-vendor-gems-commit-security-issue branch April 24, 2026 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bevanjkay bevanjkay bevanjkay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MikeMcQuaid @bevanjkay