Skip to content

ci: open the release PR with gh instead of peter-evans/create-pull-request#996

Merged
krassowski merged 5 commits into
masterfrom
phase4/releasepr-gh
Jul 2, 2026
Merged

ci: open the release PR with gh instead of peter-evans/create-pull-request#996
krassowski merged 5 commits into
masterfrom
phase4/releasepr-gh

Conversation

@notluquis

@notluquis notluquis commented Jun 28, 2026

Copy link
Copy Markdown
Collaborator

#867 was a Dependabot bump of peter-evans/create-pull-request. @krassowski's note there was that we should drop the third-party action and use gh pr instead, so this does that rather than bumping it.

What changes: the last two steps of releasepr.yml (the throwaway change plus the peter-evans/create-pull-request call) become one run step that uses git and gh pr create. The checkout gains token: JLAB_APP_TOKEN, and the job gets contents: write and pull-requests: write.

Why this shape: sync_lab_release.yml already opens its PR with git + gh pr create, so this is not a new pattern, it is the one already in the repo. Removing peter-evans takes one more third-party action out of the release path.

What is kept identical, so the release flow does not move: the workflow_dispatch trigger, the pre-release-exists guard, the release-v<version> branch name, the Update auto-release logs commit, and the Release v<version> title and body. It still authenticates with JLAB_APP_TOKEN, which matters because a PR opened with the default GITHUB_TOKEN would not trigger CI.

One real difference worth calling out: peter-evans updated an existing PR in place on a re-run. Here git checkout -b fails if the branch already exists, so a re-run stops instead of touching an open PR. That is the same fail-safe sync_lab_release.yml relies on, so it is consistent with how the repo already does this, but it is a behavior change from peter-evans, not a like-for-like.

This closes #867, since the action it bumps is no longer referenced.

Written with Claude Code. I confirmed the YAML parses and that peter-evans is gone from .github, and the step is modeled on the working gh pr create block in sync_lab_release.yml. The workflow only runs on manual dispatch against an existing pre-release with the app token, so it cannot be exercised from a fork PR. That part I could not run, only read against the existing one.

…quest

Replaces the third-party peter-evans/create-pull-request action with a
plain git + gh pr create step, as requested in #867. The sync_lab_release
workflow already opens its PR this way, so this matches the pattern
already in the repo and drops one more third-party action.

Behavior is kept: same workflow_dispatch trigger, same pre-release guard,
same release-v<version> branch, same commit message and PR title/body,
and the same JLAB_APP_TOKEN so the release PR still triggers CI. The
branch is created with git checkout -b, which fails if it already exists
and so prevents a duplicate PR on a re-run, the same guard peter-evans
gave implicitly.

Note: AI-assisted (Claude Code). Manually verified the YAML parses and peter-evans is gone from .github; the step mirrors the working gh pr create block in sync_lab_release.yml. The workflow itself only runs on dispatch against an existing pre-release with the app token, so it is not exercisable from a fork PR.
Comment thread .github/workflows/releasepr.yml Outdated
Checkout now runs read-only with persist-credentials: false so the token
isn't left in the git config for the whole job, and the write-capable app
token is only used at the push step (via the push URL, not persisted). The
job also drops its blanket contents/pull-requests write permissions, since
the default token only needs read and the app token does the writing.

Addresses the review on this PR and clears zizmor's artipacked finding for
this workflow.

Note: AI-assisted (Claude Code), verified with zizmor that the artipacked
finding on this file is gone after the change.
Copilot AI review requested due to automatic review settings July 1, 2026 22:27

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Comment thread .github/workflows/releasepr.yml Outdated
Per review, use `gh auth setup-git` so the push uses the app token through
gh's credential helper rather than embedding it in the push URL. The token
never lands in the git config or the command log, and with the credential
helper doing the work the run block can keep `set -x` on for debugging.

Note: AI-assisted (Claude Code). Verified `gh auth git-credential` returns the
GH_TOKEN from the environment (username x-access-token), so the helper
authenticates the push in the runner where GH_TOKEN is set.
@notluquis

Copy link
Copy Markdown
Collaborator Author

Switched to gh auth setup-git, agreed it's cleaner. Checked that gh auth git-credential returns the token from GH_TOKEN in the runner so the push authenticates fine. Kept persist-credentials: false and moved the token to the push step.

krassowski pushed a commit that referenced this pull request Jul 2, 2026
Runs zizmor over .github/workflows and publishes results to the Security tab
via SARIF. Report-only for now (continue-on-error) since the existing
workflows still have findings to clear; a follow-up fixes those and turns this
into a hard gate. Answers the "do we have zizmor setup" question from the
review on #996.

Based this on jupyterlab's own zizmor workflow and put it together with Claude
Code, running zizmor against our workflows locally to confirm it works.
@notluquis notluquis requested a review from krassowski July 2, 2026 14:54
@krassowski krassowski requested a review from Copilot July 2, 2026 15:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment on lines 13 to +19
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

with:
# Read-only checkout: the default token is never persisted into the git
# config. The write-capable app token is only introduced at the push
# step below.
persist-credentials: false
Comment thread .github/workflows/releasepr.yml
Comment thread .github/workflows/releasepr.yml
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@krassowski krassowski left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's try this

@krassowski krassowski enabled auto-merge (squash) July 2, 2026 15:54
@krassowski krassowski merged commit 6c8d296 into master Jul 2, 2026
15 checks passed
@notluquis notluquis deleted the phase4/releasepr-gh branch July 2, 2026 16:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants