permissions (#8800)

matt korwel
2025-09-18 19:51:35 -07:00
committed by GitHub
parent 690867e433
commit 81dcef070f
2 changed files with 9 additions and 27 deletions


@@ -56,19 +56,10 @@ jobs:
git config user.name "gemini-cli-robot"
git config user.email "gemini-cli-robot@google.com"
- name: 'Generate GitHub App Token'
id: 'generate_token'
uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
with:
app-id: '${{ secrets.APP_ID }}'
private-key: '${{ secrets.PRIVATE_KEY }}'
permission-pull-requests: 'write'
permission-contents: 'write'
- name: 'Create Patch'
id: 'create_patch'
env:
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
continue-on-error: true
run: |
# Capture output directly to environment variable
@@ -84,7 +75,7 @@ jobs:
- name: 'Comment on Original PR'
if: '!inputs.dry_run && inputs.original_pr'
env:
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
ORIGINAL_PR: '${{ github.event.inputs.original_pr }}'
EXIT_CODE: '${{ steps.create_patch.outputs.EXIT_CODE }}'
COMMIT: '${{ github.event.inputs.commit }}'
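Review bot: The `GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'` line in the Create Patch step means whatever that step pushes or opens (its `run:` script continues past the hunk, so presumably a patch branch and PR) is now done as github-actions[bot], and GitHub does not start `push`/`pull_request` workflow runs for events created with GITHUB_TOKEN — so CI will not run on the generated patch PR unless something else kicks it, a limitation the removed App token did not have. The job's `permissions:` block is outside this hunk, so I cannot confirm it grants the `contents: write` and `pull-requests: write` that the deleted `permission-contents`/`permission-pull-requests` inputs used to supply; without them the step fails, and since it is `continue-on-error: true` the failure only surfaces through the later PR comment. On the positive side, dropping `secrets.PRIVATE_KEY` from this workflow means a compromised run can no longer mint long-lived, org-wide App tokens. Suggest a comment above the `env:` block: `# GITHUB_TOKEN is job-scoped and expires with the run, but PRs it opens do not trigger CI; re-run CI manually or use an App token if that is required.`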


@@ -19,21 +19,11 @@ jobs:
with:
fetch-depth: 1
- name: 'Generate GitHub App Token'
id: 'generate_token'
uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
with:
app-id: '${{ secrets.APP_ID }}'
private-key: '${{ secrets.PRIVATE_KEY }}'
permission-pull-requests: 'write'
permission-contents: 'write'
permission-actions: 'write'
- name: 'Slash Command Dispatch'
id: 'slash_command'
uses: 'peter-evans/slash-command-dispatch@40877f718dce0101edfc7aea2b3800cc192f9ed5'
with:
token: '${{ steps.generate_token.outputs.token }}'
token: '${{ secrets.GITHUB_TOKEN }}'
commands: 'patch'
permission: 'write'
issue-type: 'pull-request'
@@ -44,7 +34,7 @@ jobs:
id: 'pr_status'
if: "startsWith(github.event.comment.body, '/patch')"
env:
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
gh pr view "${{ github.event.issue.number }}" --json mergeCommit,state > pr_status.json
echo "MERGE_COMMIT_SHA=$(jq -r .mergeCommit.oid pr_status.json)" >> "$GITHUB_OUTPUT"
@@ -57,6 +47,7 @@ jobs:
env:
COMMENT_BODY: '${{ github.event.comment.body }}'
with:
github-token: '${{ secrets.GITHUB_TOKEN }}'
script: |
// Parse the comment body directly to extract channel
const commentBody = process.env.COMMENT_BODY;
@@ -123,7 +114,7 @@ jobs:
if: "startsWith(github.event.comment.body, '/patch') && steps.pr_status.outputs.STATE != 'MERGED'"
uses: 'peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d'
with:
token: '${{ steps.generate_token.outputs.token }}'
token: '${{ secrets.GITHUB_TOKEN }}'
issue-number: '${{ github.event.issue.number }}'
body: |
:x: The `/patch` command failed. This pull request must be merged before a patch can be created.
@@ -132,7 +123,7 @@ jobs:
if: "always() && startsWith(github.event.comment.body, '/patch') && steps.dispatch_patch.outcome == 'success' && steps.dispatch_patch.outputs.dispatched_run_url"
uses: 'peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d'
with:
token: '${{ steps.generate_token.outputs.token }}'
token: '${{ secrets.GITHUB_TOKEN }}'
issue-number: '${{ github.event.issue.number }}'
body: |
✅ **Patch workflow dispatched successfully!**
@@ -149,7 +140,7 @@ jobs:
if: "always() && startsWith(github.event.comment.body, '/patch') && steps.dispatch_patch.outcome == 'success' && !steps.dispatch_patch.outputs.dispatched_run_url"
uses: 'peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d'
with:
token: '${{ steps.generate_token.outputs.token }}'
token: '${{ secrets.GITHUB_TOKEN }}'
issue-number: '${{ github.event.issue.number }}'
body: |
✅ **Patch workflow dispatched successfully!**
@@ -166,7 +157,7 @@ jobs:
if: "always() && startsWith(github.event.comment.body, '/patch') && (steps.dispatch_patch.outcome == 'failure' || steps.dispatch_patch.outcome == 'cancelled')"
uses: 'peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d'
with:
token: '${{ steps.generate_token.outputs.token }}'
token: '${{ secrets.GITHUB_TOKEN }}'
issue-number: '${{ github.event.issue.number }}'
body: |
❌ **Patch workflow dispatch failed!**
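Review bot: The Slash Command Dispatch step now passes `token: '${{ secrets.GITHUB_TOKEN }}'`, but dispatching a workflow in this repository with GITHUB_TOKEN requires `actions: write` on the job — the removed App-token step granted that explicitly via `permission-actions: 'write'`, and the job's `permissions:` block is not in this hunk, so if it is missing the dispatch 403s and the "dispatch failed" comment at the end of the file fires every time. GITHUB_TOKEN also cannot dispatch to another repository, so the `patch` command must target this repo only. Because this job appears to run on `issue_comment` (it reads `github.event.comment` and `github.event.issue`) and any commenter can start it, the `permission: 'write'` gate only protects the dispatch itself; keep the job-level grant to `actions: write`, `pull-requests: write`, `contents: read` rather than a blanket write. Suggest a comment above the `token:` line: `# GITHUB_TOKEN: needs actions: write in this job's permissions; can only dispatch workflows in this repository.`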