
ci: add release workflow, CODEOWNERS, and explicit job permissions #1258

Merged: mathuo merged 5 commits into master from ci/release-workflow-and-permissions on May 11, 2026

Conversation

mathuo (Owner) commented May 10, 2026

Summary

  • New release.yml (workflow_dispatch) runs nx release version non-interactively, commits + tags, and pushes to master with --follow-tags. Auth is via a GitHub App token (actions/create-github-app-token), scoped to a release environment. Manual GitHub Release creation remains the publish gate (existing publish.yml is unchanged).
  • Add .github/CODEOWNERS for /.github/ and /nx.json so changes to release plumbing and workflow security require maintainer review.
  • Add explicit job-level permissions: blocks to codeql-analysis.yml (security-events: write) and deploy-docs.yml (contents: write) so they keep working once the repo default workflow permission is set to read-only.

Required follow-up (manual, in repo Settings)

  • Settings → Actions → General → Workflow permissions = "Read repository contents and packages permissions" (the change that makes the explicit blocks load-bearing).
  • Master ruleset → enable Require review from Code Owners so CODEOWNERS actually gates merges instead of just auto-requesting review.
  • For release.yml to push to a protected master, add the GitHub App to the ruleset bypass list. The RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets must be set on the release environment.

Test plan

  • Trigger release.yml with dry-run: true from the Actions UI and confirm it computes the next version, makes the local commit, and skips the push step.
  • Confirm the JamesIves/github-pages-deploy-action step in deploy-docs.yml still completes after the read-only default is enabled (the contents: write block should make it work).
  • Confirm the next CodeQL scheduled run uploads SARIF results to the Security tab.
  • Edit a workflow file in a throwaway PR and confirm the maintainer is auto-requested as reviewer via CODEOWNERS.

🤖 Generated with Claude Code

mathuo and others added 5 commits May 10, 2026 21:57
- New release.yml: workflow_dispatch trigger that runs `nx release version`,
  commits + tags, and pushes to master with --follow-tags. The tag push
  leaves manual GitHub Release creation as the publish gate.
- Add CODEOWNERS for /.github/ and /nx.json so release/security
  configuration changes require maintainer review (requires the matching
  "Require review from Code Owners" toggle in the master ruleset).
- Set explicit permissions blocks on codeql-analysis.yml
  (security-events: write) and deploy-docs.yml (contents: write) so they
  keep working once the repo default workflow permission is read-only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Replace the GITHUB_TOKEN / RELEASE_TOKEN fallback in release.yml with a
short-lived token minted by actions/create-github-app-token from the
dockview-release-bot App.

The job now declares `environment: release`, so the App credentials
(RELEASE_APP_ID, RELEASE_APP_PRIVATE_KEY) are only injected for runs
targeting that environment — gated by its master-only deployment branch
policy. Job-level permissions drop to `contents: read` since pushes flow
through the App token, not GITHUB_TOKEN.

Action pinned to commit SHA (v3.1.1, 2026-04-11) to avoid tag-repointing
supply-chain risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Maintainer prefers version-tag pinning across the project's workflows.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Configure git user.name/email from the App's bot identity (resolved via
the GitHub API using the app-slug) instead of the generic
github-actions[bot]. This matches the push identity (the App token) so
the commit author and pusher line up and commits are GitHub-verified.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Pass workflow_dispatch specifier via env var instead of interpolating
  into the shell command — eliminates a shell-injection vector even
  though dispatch is restricted to users with write access.
- Move app-slug interpolation into env: in the "Get App user id" step
  to match the pattern used by "Configure git".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
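The PR description and the commit messages above describe the shape of the release workflow in prose: a job scoped to a `release` environment, a short-lived GitHub App token instead of `GITHUB_TOKEN`, job-level `permissions` reduced to `contents: read`, the bot identity resolved from the App slug, the `workflow_dispatch` specifier passed through an env var rather than interpolated into the shell, and the push step skipped on dry runs. The workflow below is an added, constructed illustration of that pattern; it is not dockview's actual `release.yml`. It assumes a `release` environment holding `RELEASE_APP_ID` and `RELEASE_APP_PRIVATE_KEY`, an App on the master ruleset's bypass list, a Node project installed with `npm ci`, and that commit/tag behaviour for `nx release version` is configured in `nx.json`. The same job-level `permissions:` block is what the PR adds to `codeql-analysis.yml` (`security-events: write`) and `deploy-docs.yml` (`contents: write`) so those jobs keep working once the repository default is read-only.

```yaml
# Constructed example of the release workflow described in this PR.
# Not the project's own release.yml; see the assumptions in the lead-in.
name: release

on:
  workflow_dispatch:
    inputs:
      specifier:
        description: "Version specifier passed to nx release version (e.g. patch, minor, 1.2.3)"
        type: string
        default: patch
      dry-run:
        description: "Compute the version and commit locally, but skip the push"
        type: boolean
        default: false

# Workflow-level default grants nothing; each job declares what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    # The App secrets live only on this environment, and its deployment-branch
    # policy restricts runs to master, so the credentials are never injected
    # into runs targeting other refs.
    environment: release
    # GITHUB_TOKEN itself never needs write access: pushes use the App token.
    permissions:
      contents: read
    steps:
      - name: Mint short-lived App token
        id: app-token
        # Version tag as in the PR's own commit message; the action also
        # exposes the installation's app-slug as an output.
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          ref: master
          fetch-depth: 0                                # full history so nx can compute the next version
          token: ${{ steps.app-token.outputs.token }}   # persisted so `git push` authenticates as the App

      - name: Get App user id
        id: app-user
        # The slug goes through env, not into the script text (same pattern as "Configure git").
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"
          echo "user-id=${user_id}" >> "$GITHUB_OUTPUT"

      - name: Configure git
        # Commit author matches the pushing identity, so commits show as verified.
        env:
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
          USER_ID: ${{ steps.app-user.outputs.user-id }}
        run: |
          git config user.name "${APP_SLUG}[bot]"
          git config user.email "${USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"

      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci

      - name: Version, commit and tag
        # UNSAFE pattern this step avoids:
        #   run: npx nx release version ${{ inputs.specifier }}
        # ${{ }} expressions are substituted into the script text before bash
        # parses it, so shell metacharacters in the input become part of the
        # command line. As an env var the value is inert data; the quoted
        # expansion below hands it to nx as exactly one argument and bash does
        # not re-interpret its contents.
        env:
          SPECIFIER: ${{ inputs.specifier }}
        run: npx nx release version "$SPECIFIER"

      - name: Push commit and tags
        # Dry run stops here: the version bump and local commit still happen
        # (matching the PR's test plan), only the push is skipped.
        if: ${{ !inputs.dry-run }}
        run: git push origin HEAD:master --follow-tags
```

Two checks worth running against a workflow like this: confirm in the job log that the `GITHUB_TOKEN` permissions summary shows only `contents: read` for the release job (anything broader means the App token is not the only write path), and verify that a run dispatched from a non-master ref is refused by the environment's deployment-branch policy before the token-minting step executes.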

@mathuo mathuo merged commit cac7575 into master May 11, 2026
9 checks passed