ci(release): give changelog-check step a GH token#445
Conversation
`gh release list` returns exit 4 (not authenticated) because the gate job's changelog-check step shells out to `gh` without a token in its environment. The per-job permission scoping in 16765c5 left this gh-dependent step without one. contents:read already covers listing releases, so just expose the token. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@claude review |
There was a problem hiding this comment.
Pull request overview
This PR fixes an authentication failure in the release-kbagent GitHub Actions workflow by providing a GitHub token to the changelog-check step so that gh release list can run successfully under the workflow’s least-privilege permission model.
Changes:
- Add
GH_TOKEN: ${{ github.token }}to thechangelog-checkstep in thegatejob. - Document (inline) that
gh release listrequires auth and thatcontents: readis sufficient.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
padak
left a comment
padak
left a comment
There was a problem hiding this comment.
Review of #445 — ci(release): give changelog-check step a GH token
Generated by
kbagent-pr-reviewersubagent. Verdict and findings below
are advisory; the human author retains every veto. CI-coverable issues
(lint, format, tests) are confirmed viamake check, not duplicated here.
Summary
This PR adds a two-line env block to the changelog-check step in
.github/workflows/release-kbagent.yml, supplying GH_TOKEN: ${{ github.token }}
so that scripts/generate_changelog.py --check can call gh release list
without failing with exit code 4 (unauthenticated). The regression was introduced
by 16765c5, which scoped GITHUB_TOKEN permissions per job, removing the implicit
token injection that existed before. The fix is minimal, correct, and carries no
risk: github.token is the recommended built-in ephemeral token, contents: read
(already the workflow-level default that the gate job inherits) is sufficient for
gh release list, and no other step in gate uses gh without an explicit token.
Verdict: APPROVE. There are zero blocking findings. One informational NIT is noted.
Verdict
- Verdict: APPROVE
- Blocking findings: 0
- Non-blocking findings: 0
- Nits: 1
Blocking findings
(none)
Non-blocking findings
(none)
Nits
[NIT-1].github/workflows/release-kbagent.yml:122(inrelease.yml, not this PR) —release.ymlstill uses${{ secrets.GITHUB_TOKEN }}for itsgh release uploadstep while this PR correctly uses the modern${{ github.token }}form (nosecrets:context needed). The two are functionally identical, but a follow-up consistency pass across all four workflow files would make the pattern uniform and easier to audit.
Verification log
gh pr view 445 --json title,body,files,additions,deletions,baseRefName,headRefName,labels,state→ 1 file, +2/-0,ci(release):prefix matches a CI-workflow fix (notfeat/fix/choremismatch) ✓gh pr diff 445→ 13 lines; only.github/workflows/release-kbagent.ymlis touched ✓git rev-parse --abbrev-ref HEAD→martinvasko-fix-release-changelog-gh-auth(matches PR branch) ✓- Layer violation grep (typer in services, httpx in commands, formatter in clients) → empty (no Python source changed) ✓
- Plugin synchronization map scan → not applicable; no CLI commands added/removed/renamed ✓
- Security / token discipline:
GH_TOKEN: ${{ github.token }}is the built-in ephemeral GitHub Actions token; no hardcoded secret; no real credential pattern in diff ✓ gatejob has no per-jobpermissions:block → inherits workflow-levelpermissions: contents: read; this scope is sufficient forgh release list(read-only release metadata) ✓- No other
ghinvocation found in thegatejob without an explicit token ✓ - Convention checks (magic numbers, bare except, raw error_code strings, print() in src, unmasked token in logs) → all empty (workflow YAML only) ✓
make check→ 4124 passed, 8 skipped ✓ (exit 0; "All checks passed!")
Open questions for the author
(none)
|
@padak you said approve but no approve given 🤷 |
padak
left a comment
padak
left a comment
There was a problem hiding this comment.
Approving — CI-only change that gives the changelog-check step a valid GH token. No blocking or non-blocking findings (full review posted above). The single nit (NIT-1: release.yml still using secrets.GITHUB_TOKEN instead of github.token) is out of scope for this PR and can be a follow-up.
Summary
The release pipeline's
gatejob failed with:Exit code 4 from
ghmeans "not authenticated." Thechangelog-checkstep runsscripts/generate_changelog.py --check, which shells out togh release list.ghonly authenticates when a token is in its environment (GH_TOKEN/GITHUB_TOKEN), and this step never set one — sosubprocess.run(..., check=True)re-raised the auth failure.The per-job permission scoping in
16765c5is what exposed this: the step depends onghbut was left without a token.Fix
GH_TOKEN: ${{ github.token }}to thechangelog-checkstep.contents: readscope already covers listing releases, so no permission change is needed.Test Plan
ghreturns exit 4 specifically on missing auth; supplyinggithub.token(a trusted built-in) resolves it.contents: readis sufficient scope forgh release list.workflow_dispatchexercises thegatejob end-to-end.Impact analysis
.github/workflows/release-kbagent.ymlonly — single step gains anenvblock.Related
16765c5 ci(release): scope GITHUB_TOKEN permissions per job.