From ce9f9081970f33798fe348b01c14c35d58f7b226 Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Mon, 2 Feb 2026 15:06:22 -0600
Subject: [PATCH 1/2] Update GitHub Actions workflows to use GITHUB_TOKEN for improved security and functionality
## Summary
This commit modifies the GitHub Actions workflows to replace the use of the ACTIONS_TOKEN with GITHUB_TOKEN, enhancing security and ensuring that CI runs correctly on pull request triggers.
## Key Changes
- Updated `create-pr.yml` to clarify the requirement of ACTIONS_TOKEN for PR-triggered workflows.
- Changed `tag-release.yml` to utilize GITHUB_TOKEN instead of ACTIONS_TOKEN for better compliance with GitHub's security practices.
## Testing Notes
- Verify that workflows trigger correctly on pull requests and that all actions execute as expected with the new token configuration.
## Infrastructure Considerations
This change aligns with GitHub's best practices for authentication in workflows, improving overall security posture.
---
.github/workflows/create-pr.yml | 2 ++
.github/workflows/tag-release.yml | 6 ++----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/create-pr.yml b/.github/workflows/create-pr.yml
index f17130b..28f4f12 100644
--- a/.github/workflows/create-pr.yml
+++ b/.github/workflows/create-pr.yml
@@ -35,6 +35,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 env: + # ACTIONS_TOKEN required for PR to trigger on:pull_request workflows + # With GITHUB_TOKEN, PR is created but CI won't run GH_TOKEN: ${{ secrets.ACTIONS_TOKEN }} steps: - name: Checkout
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index d8255e2..4fd8aab 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -18,8 +18,6 @@ on: description: 'The GitHub release URL' value: ${{ jobs.tag.outputs.release_url }} secrets: - ACTIONS_TOKEN: - required: true ANTHROPIC_API_KEY: required: true 
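Review bot: Removing `ACTIONS_TOKEN` from the `workflow_call` `secrets` block in tag-release.yml (`@@ -18`) is a breaking change for any caller that still passes it explicitly, because a secret passed to a reusable workflow must be declared by that workflow and the run fails at validation otherwise; only callers using `secrets: inherit` are unaffected. No caller is in this patch, so I can't confirm they were updated — the commit message should name them or state that none pass it. The `on:` block this hunk sits in starts outside the hunk.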
@@ -38,7 +36,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ inputs.branch_ref }} - token: ${{ secrets.ACTIONS_TOKEN }} + token: ${{ github.token }} fetch-depth: 0 - name: Get Version from pyproject.toml
@@ -258,7 +256,7 @@ jobs: draft: false prerelease: false env: - GITHUB_TOKEN: ${{ secrets.ACTIONS_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} - name: Create release summary if: steps.check-tag.outputs.tag_exists == 'false'
From 6c0d0884d9cf139a17654acf11edd046263c2349 Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Mon, 2 Feb 2026 16:34:20 -0600
Subject: [PATCH 2/2] Enhance GitHub Actions workflows with token validation and branch existence check
## Summary
This commit improves the GitHub Actions workflows by adding checks for the ACTIONS_TOKEN configuration and verifying the existence of branches before proceeding with operations.
## Key Changes
- Updated `create-pr.yml` to provide warnings if ACTIONS_TOKEN is not set, explaining the limitations of using github.token.
- Enhanced `create-release.yml` with a step to check if the branch already exists, preventing conflicts during release creation.
## Testing Notes
- Ensure that workflows provide appropriate warnings when ACTIONS_TOKEN is not configured.
- Validate that the branch existence check correctly identifies existing branches and prevents duplicate creation.
## Infrastructure Considerations
These changes improve the reliability and user experience of the workflows by ensuring proper token usage and preventing errors related to branch conflicts.
---
.github/workflows/create-pr.yml | 24 +++++++++++++++++++-----
.github/workflows/create-release.yml | 15 ++++++++++++++-
2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/create-pr.yml b/.github/workflows/create-pr.yml
index 28f4f12..8ef5d8a 100644
--- a/.github/workflows/create-pr.yml
+++ b/.github/workflows/create-pr.yml 
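Review bot: Switching the checkout `token:` (`@@ -38`) and the release step's `GITHUB_TOKEN` (`@@ -258`) to `github.token` has two consequences the commit message does not mention. `GITHUB_TOKEN` can only push the tag and create the release if the job or workflow grants `permissions: contents: write`; that block is outside these hunks, so it needs checking. Events created with `GITHUB_TOKEN` also do not start other workflow runs, so any `on: push: tags` or `on: release` workflow in the repository will no longer fire from this job — the same limitation the companion `create-pr.yml` change documents for PRs. Recording that at the first `token:` line, e.g. `# github.token: needs contents: write; the tag/release it creates won't trigger other workflows`, would keep the trade-off visible. Both steps belong to jobs whose definitions start outside the hunks.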
@@ -35,15 +35,29 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 env: - # ACTIONS_TOKEN required for PR to trigger on:pull_request workflows - # With GITHUB_TOKEN, PR is created but CI won't run - GH_TOKEN: ${{ secrets.ACTIONS_TOKEN }} + # ACTIONS_TOKEN (PAT) preferred - PRs created with github.token won't trigger CI workflows + GH_TOKEN: ${{ secrets.ACTIONS_TOKEN || github.token }} steps: + - name: Check token configuration + run: | + if [ -z "${{ secrets.ACTIONS_TOKEN }}" ]; then + echo "::warning::ACTIONS_TOKEN not set - using github.token as fallback" + echo "" + echo "⚠️ PRs created with github.token have limitations:" + echo " - Won't trigger on:pull_request workflows (CI won't run automatically)" + echo " - May be blocked by branch protection rules" + echo "" + echo "To enable full functionality, set ACTIONS_TOKEN secret:" + echo " gh secret set ACTIONS_TOKEN" + else + echo "✅ Using ACTIONS_TOKEN for full PR functionality" + fi + - name: Checkout uses: actions/checkout@v4 with: - ref: ${{ github.ref }} - token: ${{ secrets.ACTIONS_TOKEN }} + # ACTIONS_TOKEN preferred for pushing to protected branches + token: ${{ secrets.ACTIONS_TOKEN || github.token }} fetch-depth: 0 - name: Determine source branch
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 735c0fc..0547b90 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -26,7 +26,6 @@ jobs: with: ref: main fetch-depth: 0 - token: ${{ secrets.ACTIONS_TOKEN }} - name: Setup Python uses: actions/setup-python@v5 
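Review bot: The new `Check token configuration` step (`@@ -35` in create-pr.yml) interpolates `${{ secrets.ACTIONS_TOKEN }}` straight into the `run:` script via `if [ -z "${{ secrets.ACTIONS_TOKEN }}" ]; then`, so the PAT value is spliced into the generated shell text; GitHub's guidance is to pass secrets through `env:` and reference the variable in the shell, and a token containing a double quote would also break the test. Only the presence bit is needed here, so set `HAS_PAT: ${{ secrets.ACTIONS_TOKEN != '' }}` in a step-level `env:` and test `if [ "$HAS_PAT" != "true" ]; then`. The `|| github.token` fallbacks on `GH_TOKEN` and the checkout `token:` are fine as a degraded mode; the job they belong to starts above the hunk.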
@@ -70,6 +69,20 @@ jobs: echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT + echo "New version: $NEW_VERSION" + echo "Branch name: $BRANCH_NAME" + + - name: Check if branch already exists + run: | + BRANCH_NAME="${{ steps.new-version.outputs.branch_name }}" + + # Check if branch exists locally or remotely + if git show-ref --verify --quiet refs/heads/$BRANCH_NAME || git show-ref --verify --quiet refs/remotes/origin/$BRANCH_NAME; then + echo "❌ Branch $BRANCH_NAME already exists" + exit 1 + else + echo "✅ Branch $BRANCH_NAME does not exist, proceeding..." + fi - name: Configure Git run: |
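Review bot: In the new `Check if branch already exists` step, `BRANCH_NAME` is set from `${{ steps.new-version.outputs.branch_name }}` inside the `run:` script and then expanded unquoted in `refs/heads/$BRANCH_NAME` and `refs/remotes/origin/$BRANCH_NAME`, so a value containing whitespace or shell metacharacters would alter the command instead of being checked. Pass the output via a step-level `env:` (`BRANCH_NAME: ${{ steps.new-version.outputs.branch_name }}`), drop the assignment line, and quote both refs: `git show-ref --verify --quiet "refs/heads/$BRANCH_NAME" || git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"`. The remote-branch test also depends on the earlier checkout having fetched all branches (`fetch-depth: 0`, outside this hunk). The `new-version` step that emits `branch_name` begins above the hunk.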