ci: push changelog via deploy key, drop BOT_TOKEN dependency#79
Conversation
PATs (fine- or coarse-grained) issued to bypass-team members were
the only way for the workflow to push past the PRS-ONLY ruleset,
and that came back to bite us when BOT_TOKEN expired. The ruleset
already allows any deploy key with bypass_mode:always, so swap to
that path:
- actions/checkout uses ssh-key: CHANGELOG_DEPLOY_KEY, which
auths the clone over SSH and configures origin for SSH push
- the script reads PR metadata via secrets.GITHUB_TOKEN (the
token has full read for pull_request_target and workflow_dispatch)
- lock GITHUB_TOKEN to contents:read + pull-requests:read since
we no longer need write
- drop the https x-access-token push in favour of ssh-driven
git push origin HEAD:master
Pull request overview
Updates the post-merge Update Changelog GitHub Actions workflow to push changelog commits using a repo deploy key (bypassing the PRS ONLY ruleset) and removes the dependency on a long-lived PAT for authentication.
Changes:
- Switch actions/checkout to SSH auth via secrets.CHANGELOG_DEPLOY_KEY, so git push uses the deploy key.
- Replace PAT usage with the run-scoped secrets.GITHUB_TOKEN for GitHub API reads needed by the changelog updater.
- Add explicit job permissions (contents: read, pull-requests: read) since writes are no longer done via the workflow token.
was named BOT_TOKEN but now sourced from secrets.GITHUB_TOKEN - misleading. rename the workflow env and the os.environ lookup in the python updater so the name reflects what is actually injected.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: master | ||
| token: ${{ secrets.BOT_TOKEN }} | ||
| ssh-key: ${{ secrets.CHANGELOG_DEPLOY_KEY }} | ||
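Review bot: the token: ${{ secrets.BOT_TOKEN }} line should not survive next to ssh-key: in this step; once the clone and the push go over SSH the step has no use for the expired PAT, and a stale reference keeps the very failure mode this PR removes. Worth a comment on the step as well: with ssh-key set, actions/checkout leaves the deploy key configured in the local git config for later steps (persist-credentials defaults to true), which is what the later git push origin HEAD:master relies on. Because the workflow runs on pull_request_target, keep ref: master here and never check out or execute PR-head code in any step while that write-capable key is present.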
Scoped the description to clarify this PR drops BOT_TOKEN refs in append_changelog.yml. clear_changelog.yml still uses BOT_TOKEN but triggers on a release branch that doesn't exist today (no remote ref), so it's dormant - out of scope for this PR; happy to migrate it the same way when/if release comes back.
| run: | | ||
| python scripts/update_changelog.py \ | ||
| --pr-numbers "${{ github.event.inputs.pr_numbers }}" | ||
| - name: Commit & push |
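Review bot: --pr-numbers "${{ github.event.inputs.pr_numbers }}" interpolates an input straight into the shell line; even though workflow_dispatch inputs come from someone with write access, the safer habit is to pass the value through env: (PR_NUMBERS: ${{ github.event.inputs.pr_numbers }}) and reference "$PR_NUMBERS" in run:, so quotes or shell metacharacters in the value cannot change the command. On pull_request_target runs github.event.inputs is undefined, so the argument expands to an empty string, which is exactly the path that reaches the script's pull_request fallback discussed in the comment below.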
Fixed in 08ed200 - made pr_numbers required: true on workflow_dispatch. Real bug; the script's fallback to ev["pull_request"] would KeyError on a manual run with no list. There's no sensible default for the manual path so this lets GitHub's input form reject empty submits before the script runs.
scripts/update_changelog.py falls back to reading the pull_request field of the event payload when --pr-numbers is empty, but that field doesn't exist for workflow_dispatch, so a manual run with no PR list KeyErrors. there's no sensible default for the manual path, so make the input required and let github reject empty submits.
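The manual-dispatch fallback discussed in the comments above, together with the GH_TOKEN rename and the two read-only endpoints the description names, as an added example. This is not the repo's scripts/update_changelog.py: the repo slug o/r, the ConfigError class, the constructed_fetch stub and the constructed API payloads are this example's own assumptions, and the HTTP call is injectable so the module runs offline.

```python
"""Added example (not the project's updater): resolve which PR numbers a
changelog run should process, then read /pulls/{n} and /pulls/{n}/commits
with a read-only token taken from GH_TOKEN. Names such as ConfigError and
constructed_fetch are this example's own assumptions."""
import json
import os
import re
from typing import Callable, Dict, List
from urllib.request import Request, urlopen


class ConfigError(ValueError):
    """A run with nothing to process is a configuration error, not a KeyError."""


def parse_pr_numbers(raw: str) -> List[int]:
    """Split a '12, 34 56' style workflow_dispatch input; anything non-numeric
    is rejected here rather than being forwarded into an API path."""
    if not raw or not raw.strip():
        return []
    numbers = []
    for token in re.split(r"[,\s]+", raw.strip()):
        if not token.isdigit():
            raise ConfigError(f"pr_numbers has a non-numeric entry: {token!r}")
        numbers.append(int(token))
    return numbers


def resolve_pr_numbers(raw_arg: str, event_name: str, event: dict) -> List[int]:
    """An explicit list wins. Only a pull_request_target payload carries a
    'pull_request' object; a manual run with an empty list fails with a clear
    message instead of a KeyError deep in the script."""
    explicit = parse_pr_numbers(raw_arg)
    if explicit:
        return explicit
    if event_name == "pull_request_target" and "pull_request" in event:
        return [int(event["pull_request"]["number"])]
    raise ConfigError(
        f"no --pr-numbers given and a {event_name!r} event carries no pull_request payload"
    )


def load_token() -> str:
    """Env var named for what is actually injected (GH_TOKEN <- secrets.GITHUB_TOKEN)."""
    token = os.environ.get("GH_TOKEN")
    if not token:
        raise ConfigError("GH_TOKEN is not set")
    return token


Fetch = Callable[[str, Dict[str, str]], object]


def http_fetch(url: str, headers: Dict[str, str]) -> object:
    """Real transport; not exercised offline."""
    with urlopen(Request(url, headers=headers)) as resp:
        return json.load(resp)


def fetch_pr_metadata(repo: str, number: int, token: str, fetch: Fetch = http_fetch) -> dict:
    """Two read-only REST calls: contents:read + pull-requests:read is enough."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    base = f"https://api.github.com/repos/{repo}/pulls/{number}"
    pr = fetch(base, headers)
    commits = fetch(base + "/commits", headers)
    return {
        "number": number,
        "title": pr["title"],
        "merged": bool(pr.get("merged")),
        "shas": [c["sha"] for c in commits],
    }


# Constructed stand-in for the GitHub API so the example runs offline.
CONSTRUCTED_API = {
    "https://api.github.com/repos/o/r/pulls/79": {"title": "ci: example change", "merged": True},
    "https://api.github.com/repos/o/r/pulls/79/commits": [{"sha": "aaa111"}, {"sha": "bbb222"}],
}


def constructed_fetch(url: str, headers: Dict[str, str]) -> object:
    assert headers["Authorization"].startswith("Bearer ")
    return CONSTRUCTED_API[url]


def changelog_lines(repo: str, raw_arg: str, event_name: str, event: dict,
                    token: str, fetch: Fetch = http_fetch) -> List[str]:
    """One changelog line per PR, the text the updater ultimately commits."""
    lines = []
    for n in resolve_pr_numbers(raw_arg, event_name, event):
        meta = fetch_pr_metadata(repo, n, token, fetch)
        lines.append(f"- #{meta['number']} {meta['title']} ({len(meta['shas'])} commits)")
    return lines


if __name__ == "__main__":
    # Constructed pull_request_target payload with an empty --pr-numbers argument.
    event = {"pull_request": {"number": 79}}
    print("\n".join(changelog_lines("o/r", "", "pull_request_target", event, "x", constructed_fetch)))
```

The resolve step is the part that matters for the bug on this page: an empty list on a workflow_dispatch run now stops with a readable error before any API call, and the numeric check keeps a hand-typed input from being spliced into a request path.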
About the PR
Follow-up to #77 and #78. The post-merge changelog workflow has been chasing a moving target:
GITHUB_TOKEN is blocked by the PRS ONLY ruleset, fine-grained PATs don't carry team membership for ruleset bypass, and the built-in github-actions integration cannot be added as a bypass Integration actor (must be installed at org level). The ruleset already lists DeployKey (any) with bypass_mode: always, so this swaps to a deploy-key-driven push and removes this workflow's PAT dependency.
Why / Balance
No gameplay impact - CI only. Restores reliable post-merge changelog updates and removes a recurring failure mode tied to PAT lifetime.
Technical details
- actions/checkout now uses ssh-key: ${{ secrets.CHANGELOG_DEPLOY_KEY }}. That single setting auths the clone over SSH and configures origin to use SSH, so the later git push origin HEAD:master rides the same key
- Dropped the BOT_TOKEN reference in .github/workflows/append_changelog.yml. The Python updater needs a token only to read PR metadata via /pulls/{n} and /pulls/{n}/commits, so it now reads secrets.GITHUB_TOKEN (which has full read for pull_request_target and workflow_dispatch)
- Renamed the env to GH_TOKEN so the name reflects what's actually injected, with a matching update to scripts/update_changelog.py
- Locked permissions: to contents: read + pull-requests: read - we no longer need write on the auto-issued token, the deploy key handles writes
- Made pr_numbers required for manual dispatch - the script falls back to the event payload's pull_request field when the list is empty, which doesn't exist on workflow_dispatch events
- .github/workflows/clear_changelog.yml still references BOT_TOKEN, but it triggers on PRs to a release branch that doesn't exist in this repo today, so it's dormant. Out of scope here; can migrate it the same way if/when release comes back.
Setup (out of band)
A repo deploy key named Changelog bot has been added with write access enabled, and its private half is stored as repo secret CHANGELOG_DEPLOY_KEY. The expired BOT_TOKEN PAT can be revoked once this lands.
Media
N/A - CI only.
Requirements
Breaking changes
None.
Backfill plan (post-merge)