ci: open the release PR with gh instead of peter-evans/create-pull-request#996
Merged
Conversation
…quest Replaces the third-party peter-evans/create-pull-request action with a plain git + gh pr create step, as requested in #867. The sync_lab_release workflow already opens its PR this way, so this matches the pattern already in the repo and drops one more third-party action. Behavior is kept: same workflow_dispatch trigger, same pre-release guard, same release-v<version> branch, same commit message and PR title/body, and the same JLAB_APP_TOKEN so the release PR still triggers CI. The branch is created with git checkout -b, which fails if it already exists and so prevents a duplicate PR on a re-run, the same guard peter-evans gave implicitly. Note: AI-assisted (Claude Code). Manually verified the YAML parses and peter-evans is gone from .github; the step mirrors the working gh pr create block in sync_lab_release.yml. The workflow itself only runs on dispatch against an existing pre-release with the app token, so it is not exercisable from a fork PR.
krassowski
reviewed
Jul 1, 2026
Checkout now runs read-only with persist-credentials: false so the token isn't left in the git config for the whole job, and the write-capable app token is only used at the push step (via the push URL, not persisted). The job also drops its blanket contents/pull-requests write permissions, since the default token only needs read and the app token does the writing. Addresses the review on this PR and clears zizmor's artipacked finding for this workflow. Note: AI-assisted (Claude Code), verified with zizmor that the artipacked finding on this file is gone after the change.
krassowski
reviewed
Jul 1, 2026
Per review, use `gh auth setup-git` so the push uses the app token through gh's credential helper rather than embedding it in the push URL. The token never lands in the git config or the command log, and with the credential helper doing the work the run block can keep `set -x` on for debugging. Note: AI-assisted (Claude Code). Verified `gh auth git-credential` returns the GH_TOKEN from the environment (username x-access-token), so the helper authenticates the push in the runner where GH_TOKEN is set.
Collaborator
Author
|
Switched to |
This was referenced Jul 2, 2026
krassowski
pushed a commit
that referenced
this pull request
Jul 2, 2026
Runs zizmor over .github/workflows and publishes results to the Security tab via SARIF. Report-only for now (continue-on-error) since the existing workflows still have findings to clear; a follow-up fixes those and turns this into a hard gate. Answers the "do we have zizmor setup" question from the review on #996. Based this on jupyterlab's own zizmor workflow and put it together with Claude Code, running zizmor against our workflows locally to confirm it works.
Comment on lines
13
to
+19
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
|
|
||
| with: | ||
| # Read-only checkout: the default token is never persisted into the git | ||
| # config. The write-capable app token is only introduced at the push | ||
| # step below. | ||
| persist-credentials: false |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
#867 was a Dependabot bump of
peter-evans/create-pull-request. @krassowski's note there was that we should drop the third-party action and usegh prinstead, so this does that rather than bumping it.What changes: the last two steps of
releasepr.yml(the throwaway change plus thepeter-evans/create-pull-requestcall) become onerunstep that usesgitandgh pr create. The checkout gainstoken: JLAB_APP_TOKEN,and the job getscontents: writeandpull-requests: write.Why this shape:
sync_lab_release.ymlalready opens its PR withgit+gh pr create, so this is not a new pattern, it is the one already in the repo. Removing peter-evans takes one more third-party action out of the release path.What is kept identical, so the release flow does not move: the
workflow_dispatchtrigger, the pre-release-exists guard, therelease-v<version>branch name, theUpdate auto-release logscommit, and theRelease v<version>title and body. It still authenticates withJLAB_APP_TOKEN, which matters because a PR opened with the defaultGITHUB_TOKENwould not trigger CI.One real difference worth calling out: peter-evans updated an existing PR in place on a re-run. Here
git checkout -bfails if the branch already exists, so a re-run stops instead of touching an open PR. That is the same fail-safesync_lab_release.ymlrelies on, so it is consistent with how the repo already does this, but it is a behavior change from peter-evans, not a like-for-like.This closes #867, since the action it bumps is no longer referenced.
Written with Claude Code. I confirmed the YAML parses and that
peter-evansis gone from.github, and the step is modeled on the workinggh pr createblock insync_lab_release.yml. The workflow only runs on manual dispatch against an existing pre-release with the app token, so it cannot be exercised from a fork PR. That part I could not run, only read against the existing one.