From 000a5d6837a038f8703ee3493db932928437d20c Mon Sep 17 00:00:00 2001
From: Leif
Date: Fri, 8 May 2026 13:10:37 -0700
Subject: [PATCH 1/4] chore: replace bespoke JWT exchange with create-github-app-token

Switches token minting to actions/create-github-app-token@v3.1.1 (pinned by SHA), uses SEMGREP_CI_CLIENT_ID, scopes the token to this repo via `repositories:`, and drops the now-unused permissions block since the workflow no longer relies on secrets.GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/bump_version.yml | 27 ++++++--------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
index b49f367..9ea6db5 100644
--- a/.github/workflows/bump_version.yml
+++ b/.github/workflows/bump_version.yml
@@ -5,32 +5,17 @@
 jobs:
 bump-version:
 runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: write
- pull-requests: write
- checks: write
+ permissions: {}
 env:
 NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
 steps:
- - id: jwt
- env:
- EXPIRATION: 600
- ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
- PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
- name: Get JWT for semgrep-ci GitHub App
- uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
-
 - id: token
 name: Get token for semgrep-ci GitHub App
- run: |
- TOKEN="$(curl -X POST \ -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \ -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \ jq -r .token)"
- echo "::add-mask::$TOKEN"
- echo "token=$TOKEN" >> $GITHUB_OUTPUT
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ app-id: ${{ secrets.SEMGREP_CI_CLIENT_ID }}
+ private-key: ${{ secrets.SEMGREP_CI_APP_KEY }}
+ repositories: pre-commit
 
 - uses: actions/checkout@v4
 with:
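Review bot: The token minted in the new `id: token` step inherits every permission the semgrep-ci App installation holds on `pre-commit`; the `with:` block narrows it to one repository but not to a permission set. create-github-app-token accepts per-permission inputs, so adding `permission-contents: write` and `permission-pull-requests: write` under `with:` would confine the App token to the two scopes the removed `permissions:` block used to grant the default token, matching the least-privilege intent of the new `permissions: {}`. Without that, a leaked or misused step output carries whatever the installation was granted (checks, metadata, and so on), which the commit message does not mention as a deliberate choice.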
From 66ce8740f29ad615ee030483d06a959e13726480 Mon Sep 17 00:00:00 2001
From: Leif
Date: Fri, 8 May 2026 13:27:16 -0700
Subject: [PATCH 2/4] feat: sign commits via peter-evans/create-pull-request

Replaces local `git commit -am` (unsigned) with peter-evans/create-pull-request using `sign-commits: true`, which creates the commit through the GitHub Contents API so the App installation token signs it. Also collapses the manual `gh pr create` step (peter-evans handles PR creation) and switches the tag to `gh api .../git/refs`, pointing at the new commit SHA returned by peter-evans rather than the now-stale local HEAD. Pins actions/checkout to v6.0.2 by SHA and drops its write token in favor of `persist-credentials: false` since nothing pushes via local git anymore. Normalizes input access on `inputs.*`.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/bump_version.yml | 56 +++++++++++------------------
 1 file changed, 20 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
index 9ea6db5..6f3e8b1 100644
--- a/.github/workflows/bump_version.yml
+++ b/.github/workflows/bump_version.yml
@@ -7,7 +7,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions: {}
 env:
- NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+ NEW_SEMGREP_VERSION: ${{ inputs.version }}
 steps:
 - id: token
 name: Get token for semgrep-ci GitHub App
@@ -17,49 +17,33 @@ jobs:
 private-key: ${{ secrets.SEMGREP_CI_APP_KEY }}
 repositories: pre-commit
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- token: ${{ steps.token.outputs.token }}
+ persist-credentials: false
 
 - name: Bump version in this repo
 run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"
 
- - name: Commit and push
- id: commit
- env:
- BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
- SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
- run: |
- git config user.name ${{ github.actor }}
- git config user.email ${{ github.actor }}@users.noreply.github.com
- git checkout -b $BRANCH
- git commit -am "$SUBJECT"
- git tag "v${NEW_SEMGREP_VERSION}" HEAD
- git remote -vv
- git push --set-upstream origin $BRANCH
- git push origin tag "v$NEW_SEMGREP_VERSION"
- echo "branch=$BRANCH" >> $GITHUB_OUTPUT
- echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+ - name: Open bump-version PR
+ id: cpr
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+ with:
+ token: ${{ steps.token.outputs.token }}
+ branch: "gha/bump-version-${{ inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
+ base: ${{ github.event.repository.default_branch }}
+ title: "chore: update pre-commit to semgrep ${{ inputs.version }}"
+ body: "Bump Semgrep Version to ${{ inputs.version }}"
+ commit-message: "Bump setup to ${{ inputs.version }}"
+ sign-commits: true
 
- - name: Create PR
- id: open-pr
+ - name: Tag release on bump branch
 env:
- SOURCE: "${{ steps.commit.outputs.branch }}"
- TARGET: "${{ github.event.repository.default_branch }}"
- TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
- GITHUB_TOKEN: ${{ steps.token.outputs.token }}
- VERSION: "${{ inputs.version }}"
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+ SHA: ${{ steps.cpr.outputs.pull-request-head-sha }}
 run: |
- # check if the branch already has a pull request open
- if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
- # pull request already open
- echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
- echo "cancelling release"
- exit 1
- fi
- # open new pull request with the body of from the local template.
- res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \ --base "${TARGET}" --head "${SOURCE}")
+ gh api -X POST "repos/${{ github.repository }}/git/refs" \ -f ref="refs/tags/v${NEW_SEMGREP_VERSION}" \ -f sha="${SHA}"
 
 name: bump-version
 on:

From 806ec9645d3fa602d78c704185caf5ddd3e65bb6 Mon Sep 17 00:00:00 2001
From: Leif
Date: Fri, 8 May 2026 13:51:21 -0700
Subject: [PATCH 3/4] fix: use client-id input for create-github-app-token

app-id is deprecated in v3.1.1 with a "Use 'client-id' instead" deprecation message. The secret is already SEMGREP_CI_CLIENT_ID, so swap the input name to match.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/bump_version.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
index 6f3e8b1..c1d3c1b 100644
--- a/.github/workflows/bump_version.yml
+++ b/.github/workflows/bump_version.yml
@@ -13,7 +13,7 @@ jobs:
 name: Get token for semgrep-ci GitHub App
 uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 with:
- app-id: ${{ secrets.SEMGREP_CI_CLIENT_ID }}
+ client-id: ${{ secrets.SEMGREP_CI_CLIENT_ID }}
 private-key: ${{ secrets.SEMGREP_CI_APP_KEY }}
 repositories: pre-commit
 

From 89d167108292b123d8de0f6d39cde29bb79d8a76 Mon Sep 17 00:00:00 2001
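Review bot: `inputs.version` reaches the tag ref unvalidated: the `Tag release on bump branch` step builds `refs/tags/v${NEW_SEMGREP_VERSION}` from it, and the peter-evans `branch:`, `title:` and `commit-message:` inputs embed it as well, with nothing in the hunk checking its shape. Assuming versions are dotted numerics, a guard at the top of that `run:` block, `[[ "$NEW_SEMGREP_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version: $NEW_SEMGREP_VERSION" >&2; exit 1; }`, would stop a mistyped dispatch value from producing an odd branch or an arbitrary ref name. The same `run:` block interpolates `${{ github.repository }}` directly into the shell text while every other value is routed through `env:`; reading `$GITHUB_REPOSITORY` instead keeps the step consistent and free of inline expressions. The tag is also created at `pull-request-head-sha`, a commit on a branch that has not yet been merged; if that is intended (the removed step likewise tagged HEAD before pushing), a one-line comment on the step stating that the tag precedes the merge would spare the next reader the question.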
From: Leif
Date: Fri, 8 May 2026 13:59:07 -0700
Subject: [PATCH 4/4] fix: skip tag step when no bump PR was opened

When the dispatched version is already on develop, bump-version.sh is a no-op and peter-evans sets pull-request-operation=none with pull-request-head-sha pointing at develop's existing HEAD. The tag step then tried to create refs/tags/vX.Y.Z at that already-tagged commit and failed with 422 "Reference already exists". Gate the tag step on a PR actually being created/updated so no-op dispatches exit cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/bump_version.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
index c1d3c1b..4641591 100644
--- a/.github/workflows/bump_version.yml
+++ b/.github/workflows/bump_version.yml
@@ -37,6 +37,7 @@ jobs:
 sign-commits: true
 
 - name: Tag release on bump branch
+ if: steps.cpr.outputs.pull-request-operation != 'none'
 env:
 GH_TOKEN: ${{ steps.token.outputs.token }}
 SHA: ${{ steps.cpr.outputs.pull-request-head-sha }}
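Review bot: The new `if:` on `Tag release on bump branch` is a deny-list: `!= 'none'` also lets the step run when `pull-request-operation` is empty (an unset output compares as `''`) or, if I recall the action's outputs correctly, `closed`, which peter-evans reports when the branch no longer differs from base. In either case `SHA` is not the bump commit, so `gh api` would either fail again or, worse, tag the wrong commit. Since the branch name embeds `run_id` and `run_attempt`, a freshly created PR is the only success path, so `if: steps.cpr.outputs.pull-request-operation == 'created'` pins the guard to it; `if: contains(fromJSON('["created","updated"]'), steps.cpr.outputs.pull-request-operation)` if updates should tag as well. The step's `run:` block lies outside this hunk.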