Replace github.token by secrets.GITHUB_TOKEN #20228

Merged
merged 1 commit into from
Jul 10, 2025

Paulchen5
Contributor

Use the secrets.GITHUB_TOKEN instead of github.token which is kinda pointed out here: https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/use-github_token-in-workflows

Member

@MikeMcQuaid MikeMcQuaid left a comment

Can you explain the security advantage here? I read the docs and don't see any.

Similarly, please remove all the stylistic changes here.

@Paulchen5 Paulchen5 force-pushed the use-github-secrets-in-workflow branch 2 times, most recently from b2fcb85 to deeb3c6 Compare July 10, 2025 07:43
@Paulchen5
Contributor Author

I have reverted the style changes, sorry about that.

About the security advantage I am also kinda unsure tbh. For me the docs sound like they encourage you to use the secrets.GITHUB_TOKEN. Besides that I guess it's more clear what the second syntax means and in most of your workflows you are already using the secrets.GITHUB_TOKEN style.

Member

@MikeMcQuaid MikeMcQuaid left a comment

dev-cmd/tap-new.rb uses github.token too so may as well update that as well if the goal is consistency

@Paulchen5
Contributor Author

Paulchen5 commented Jul 10, 2025

dev-cmd/tap-new.rb uses github.token too so may as well update that as well if the goal is consistency

Can you provide a link to the file? I don't find it in my repository 😅 Or at least no file which should have github.token syntax in it.

@Paulchen5 Paulchen5 force-pushed the use-github-secrets-in-workflow branch from deeb3c6 to b7b3692 Compare July 10, 2025 08:01
@Bo98
Member

Bo98 commented Jul 10, 2025

About the security advantage I am also kinda unsure tbh.

They are identical: https://docs.github.com/en/actions/reference/contexts-reference#github-context ("This is functionally equivalent to the GITHUB_TOKEN secret")

The only difference is that github.token can be used basically everywhere but secrets.GITHUB_TOKEN cannot: https://docs.github.com/en/actions/reference/contexts-reference#context-availability. For example, you cannot use secrets.GITHUB_TOKEN here: https://github.com/Homebrew/actions/blob/4449fc2e212bdcb83f1b67b077916a27c8730e54/setup-homebrew/action.yml#L31.

Doesn't however really matter for these specific cases in this PR.
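
As an added illustration (not part of the PR thread or of Homebrew's code), the Python check below finds both spellings in any text file, including workflow templates embedded in Ruby, and applies the one functional difference described in the comment above. The paths and file contents in `SAMPLE` are constructed, and treating the majority spelling as the repository's convention is an assumption of this example.

```python
import re
from collections import Counter

EXPR = re.compile(r"\$\{\{(.*?)\}\}")  # one ${{ ... }} expression
NAME = re.compile(r"\b(github\.token|secrets\.GITHUB_TOKEN)\b")

# Constructed sample tree (hypothetical paths and contents).
SAMPLE = {
    ".github/workflows/tests.yml":
        "jobs:\n  t:\n    env:\n      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
    ".github/workflows/release.yml":
        "env:\n  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
    "tools/new_tap_template.rb":
        "WORKFLOW = <<~YAML\n  env:\n    GH_TOKEN: ${{ github.token }}\nYAML\n",
    "setup-example/action.yml":
        "inputs:\n  token:\n    default: ${{ secrets.GITHUB_TOKEN }}\n",
}

def is_action_metadata(path):
    return path.rsplit("/", 1)[-1] in ("action.yml", "action.yaml")

def find_token_refs(files):
    """Return (path, line number, spelling) for every token reference."""
    refs = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for expr in EXPR.findall(line):
                refs += [(path, lineno, name) for name in NAME.findall(expr)]
    return refs

def review(files):
    refs = find_token_refs(files)
    # Majority spelling is computed over workflow and template files only.
    counts = Counter(n for p, _, n in refs if not is_action_metadata(p))
    majority = counts.most_common(1)[0][0] if counts else None
    notes = []
    for path, lineno, name in refs:
        if is_action_metadata(path):
            # Per the comment above: the secrets context is not available here.
            if name == "secrets.GITHUB_TOKEN":
                notes.append((path, lineno, "use github.token in action metadata"))
        elif name != majority:
            notes.append((path, lineno, f"inconsistent, repo mostly uses {majority}"))
    return notes

if __name__ == "__main__":
    for path, lineno, msg in review(SAMPLE):
        print(f"{path}:{lineno}: {msg}")
```
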

@MikeMcQuaid
Member

Can you provide a link to the file?

No, please look harder. That's not the full path but a wide variety of tools can do this for you.

@Paulchen5
Contributor Author

Can you provide a link to the file?

No, please look harder. That's not the full path but a wide variety of tools can do this for you.

I mean the file path is probably Library/Homebrew/dev-cmd/tap-new.rb 🤷 but the changes are already applied there?

If there is still another file I am open to learn how to find it 😅

With the current VS Code search params I find nothing:
image

Also find doesn't find anything else:

$ find . -type f -name 'tap-new.rb' | grep 'dev-cmd'
> ./Library/Homebrew/dev-cmd/tap-new.rb

@Paulchen5 Paulchen5 requested a review from MikeMcQuaid July 10, 2025 08:25
@MikeMcQuaid
Member

I mean the file path is probably Library/Homebrew/dev-cmd/tap-new.rb 🤷 but there are the changes already applied?

Yup! Seem to be now, thanks.

Member

@MikeMcQuaid MikeMcQuaid left a comment

Thanks!

@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jul 10, 2025
Merged via the queue into Homebrew:main with commit b53f3b5 Jul 10, 2025
36 checks passed
3 participants