ci: extract prepare-release workflow to release-tools#2499
Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Assisted-by: Claude Code
Reviewer's guide (collapsed on small PRs)Reviewer's GuideReplaces the inline prepare-release GitHub Actions workflow with a thin caller that delegates to the reusable workflow in guacsec/trustify-release-tools, passing through existing inputs and inheriting secrets. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- The reusable workflow is referenced with
@main; consider pinning it to a specific tag or commit to avoid unexpected behavior from upstream changes. - The previous
if: github.repository_owner == 'guacsec'guard has been removed; if this restriction is still desired, it should either be reintroduced here or enforced in the shared workflow. - Review whether
secrets: inheritis strictly necessary for this job and, if not, narrow the secrets exposure to only what the reusable workflow requires.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The reusable workflow is referenced with `@main`; consider pinning it to a specific tag or commit to avoid unexpected behavior from upstream changes.
- The previous `if: github.repository_owner == 'guacsec'` guard has been removed; if this restriction is still desired, it should either be reintroduced here or enforced in the shared workflow.
- Review whether `secrets: inherit` is strictly necessary for this job and, if not, narrow the secrets exposure to only what the reusable workflow requires.
## Individual Comments
### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="31" />
<code_context>
-
- After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
- --base "${BASE}"
+ secrets: inherit
+ uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+ with:
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Using `secrets: inherit` for an external reusable workflow may broaden secret exposure unnecessarily.
This setup exposes every secret available to this workflow to `guacsec/trustify-release-tools`. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.
Suggested implementation:
```
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Add other explicitly required secrets below, e.g.:
# RELEASE_BOT_PAT: ${{ secrets.RELEASE_BOT_PAT }}
with:
```
1. Confirm which secrets the reusable workflow in `guacsec/trustify-release-tools` actually needs (e.g. `GITHUB_TOKEN`, `RELEASE_BOT_PAT`, etc.) and remove any unused entries from the `secrets:` mapping above.
2. If the reusable workflow expects secrets under different names, adjust the keys (left side) to match those expected input names and map them to the appropriate `${{ secrets.* }}` values from this repository.
</issue_to_address>
### Comment 2
<location path=".github/workflows/prepare-release.yaml" line_range="32" />
<code_context>
- After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
- --base "${BASE}"
+ secrets: inherit
+ uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+ with:
+ bump: ${{ inputs.bump }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Referencing the reusable workflow at `@main` can introduce instability and security risk vs pinning to a specific ref.
Relying on `@main` allows upstream changes in `guacsec/trustify-release-tools` to silently change this workflow’s behavior. To keep releases reproducible and improve supply-chain security, please pin this to a specific tag or commit SHA (e.g., `@vX.Y.Z` or `@<sha>`) and update only when you intentionally adopt changes.
Suggested implementation:
```
# Pin to a specific ref (tag or commit SHA) for reproducibility and supply-chain security.
# Update this ref intentionally when adopting changes from guacsec/trustify-release-tools.
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@vX.Y.Z
```
Replace `@vX.Y.Z` with the actual tag or commit SHA you want to pin to in `guacsec/trustify-release-tools`.
If your project has a release policy or existing pinned refs elsewhere, align this value with that policy (for example, use the latest stable release tag from that repository).
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
|
||
| After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \ | ||
| --base "${BASE}" | ||
| secrets: inherit |
There was a problem hiding this comment.
🚨 suggestion (security): Using secrets: inherit for an external reusable workflow may broaden secret exposure unnecessarily.
This setup exposes every secret available to this workflow to guacsec/trustify-release-tools. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.
Suggested implementation:
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Add other explicitly required secrets below, e.g.:
# RELEASE_BOT_PAT: ${{ secrets.RELEASE_BOT_PAT }}
with:
- Confirm which secrets the reusable workflow in
guacsec/trustify-release-toolsactually needs (e.g.GITHUB_TOKEN,RELEASE_BOT_PAT, etc.) and remove any unused entries from thesecrets:mapping above. - If the reusable workflow expects secrets under different names, adjust the keys (left side) to match those expected input names and map them to the appropriate
${{ secrets.* }}values from this repository.
| After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \ | ||
| --base "${BASE}" | ||
| secrets: inherit | ||
| uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main |
There was a problem hiding this comment.
🚨 suggestion (security): Referencing the reusable workflow at @main can introduce instability and security risk vs pinning to a specific ref.
Relying on @main allows upstream changes in guacsec/trustify-release-tools to silently change this workflow’s behavior. To keep releases reproducible and improve supply-chain security, please pin this to a specific tag or commit SHA (e.g., @vX.Y.Z or @<sha>) and update only when you intentionally adopt changes.
Suggested implementation:
# Pin to a specific ref (tag or commit SHA) for reproducibility and supply-chain security.
# Update this ref intentionally when adopting changes from guacsec/trustify-release-tools.
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@vX.Y.Z
Replace @vX.Y.Z with the actual tag or commit SHA you want to pin to in guacsec/trustify-release-tools.
If your project has a release policy or existing pinned refs elsewhere, align this value with that policy (for example, use the latest stable release tag from that repository).
Summary
guacsec/trustify-release-toolsDepends on: guacsec/trustify-release-tools#57 being merged first.
Test plan
release/0.4.z🤖 Generated with Claude Code
Summary by Sourcery
CI: