From 374e7c6e6ba2d764bd3411402536619ce705a78f Mon Sep 17 00:00:00 2001 From: Lucas Pulgar-Escobar Date: Sun, 28 Jun 2026 18:00:07 -0400 Subject: [PATCH 1/4] ci: open the release PR with gh instead of peter-evans/create-pull-request Replaces the third-party peter-evans/create-pull-request action with a plain git + gh pr create step, as requested in #867. The sync_lab_release workflow already opens its PR this way, so this matches the pattern already in the repo and drops one more third-party action. Behavior is kept: same workflow_dispatch trigger, same pre-release guard, same release-v branch, same commit message and PR title/body, and the same JLAB_APP_TOKEN so the release PR still triggers CI. The branch is created with git checkout -b, which fails if it already exists and so prevents a duplicate PR on a re-run, the same guard peter-evans gave implicitly. Note: AI-assisted (Claude Code). Manually verified the YAML parses and peter-evans is gone from .github; the step mirrors the working gh pr create block in sync_lab_release.yml. The workflow itself only runs on dispatch against an existing pre-release with the app token, so it is not exercisable from a fork PR. --- .github/workflows/releasepr.yml | 40 +++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/.github/workflows/releasepr.yml b/.github/workflows/releasepr.yml index f062e0fa..bab9f475 100644 --- a/.github/workflows/releasepr.yml +++ b/.github/workflows/releasepr.yml @@ -9,10 +9,15 @@ permissions: jobs: createPR: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - + with: + token: ${{ secrets.JLAB_APP_TOKEN }} + - name: Get package info shell: bash id: package-info @@ -34,18 +39,25 @@ jobs: return releaseWithTag ? 'true' : 'false' result-encoding: string - - name: Make changes to pull request + - name: Create release pull request if: steps.pre-release-exists.outputs.result == 'true' - run: date +%s > auto-release.log + env: + APP_VERSION: ${{ steps.package-info.outputs.version }} + GITHUB_TOKEN: ${{ secrets.JLAB_APP_TOKEN }} + run: | + set -eux + # git checkout -b fails if the branch already exists, which keeps a + # re-run from opening a duplicate release PR. + BRANCH_NAME="release-v${APP_VERSION}" + git checkout -b "${BRANCH_NAME}" + git config user.name "JupyterLab Desktop Bot" + git config user.email 'jupyterlab-bot@users.noreply.github.com' - - name: Create Release pull request - if: steps.pre-release-exists.outputs.result == 'true' - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 - with: - token: ${{ secrets.JLAB_APP_TOKEN }} - commit-message: Update auto-release logs - branch: release-v${{ steps.package-info.outputs.version}} - title: 'Release v${{ steps.package-info.outputs.version}}' - body: | - Release v${{ steps.package-info.outputs.version}} - draft: false + date +%s > auto-release.log + git add auto-release.log + git commit -m "Update auto-release logs" + git push --set-upstream origin "${BRANCH_NAME}" + + gh pr create \ + --title "Release v${APP_VERSION}" \ + --body "Release v${APP_VERSION}" From b43fcb2d550d468975f63cdcc41ba80660b5df32 Mon Sep 17 00:00:00 2001 From: Lucas Pulgar-Escobar Date: Wed, 1 Jul 2026 18:25:19 -0400 Subject: [PATCH 2/4] ci: harden the release-PR workflow auth Checkout now runs read-only with persist-credentials: false so the token isn't left in the git config for the whole job, and the write-capable app token is only used at the push step (via the push URL, not persisted). The job also drops its blanket contents/pull-requests write permissions, since the default token only needs read and the app token does the writing. Addresses the review on this PR and clears zizmor's artipacked finding for this workflow. Note: AI-assisted (Claude Code), verified with zizmor that the artipacked finding on this file is gone after the change. --- .github/workflows/releasepr.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/releasepr.yml b/.github/workflows/releasepr.yml index bab9f475..1a56c708 100644 --- a/.github/workflows/releasepr.yml +++ b/.github/workflows/releasepr.yml @@ -9,14 +9,14 @@ permissions: jobs: createPR: runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: - token: ${{ secrets.JLAB_APP_TOKEN }} + # Read-only checkout: the default token is never persisted into the git + # config. The write-capable app token is only introduced at the push + # step below. + persist-credentials: false - name: Get package info shell: bash @@ -43,9 +43,11 @@ jobs: if: steps.pre-release-exists.outputs.result == 'true' env: APP_VERSION: ${{ steps.package-info.outputs.version }} - GITHUB_TOKEN: ${{ secrets.JLAB_APP_TOKEN }} + GH_TOKEN: ${{ secrets.JLAB_APP_TOKEN }} run: | - set -eux + # No -x: the push URL carries the token, so keep it out of the log + # (GitHub also masks the secret, this is belt and suspenders). + set -eu # git checkout -b fails if the branch already exists, which keeps a # re-run from opening a duplicate release PR. BRANCH_NAME="release-v${APP_VERSION}" @@ -56,8 +58,13 @@ jobs: date +%s > auto-release.log git add auto-release.log git commit -m "Update auto-release logs" - git push --set-upstream origin "${BRANCH_NAME}" + # Checkout persisted no credentials, so authenticate this one push with + # the app token instead of keeping it in the git config all job long. + git push \ + "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \ + "HEAD:refs/heads/${BRANCH_NAME}" gh pr create \ + --head "${BRANCH_NAME}" \ --title "Release v${APP_VERSION}" \ --body "Release v${APP_VERSION}" From 714607b80e242ed4c2b99b8c5e12eb3567ca571c Mon Sep 17 00:00:00 2001 From: Lucas Pulgar-Escobar Date: Wed, 1 Jul 2026 23:30:29 -0400 Subject: [PATCH 3/4] ci: authenticate the release push via gh instead of a token URL Per review, use `gh auth setup-git` so the push uses the app token through gh's credential helper rather than embedding it in the push URL. The token never lands in the git config or the command log, and with the credential helper doing the work the run block can keep `set -x` on for debugging. Note: AI-assisted (Claude Code). Verified `gh auth git-credential` returns the GH_TOKEN from the environment (username x-access-token), so the helper authenticates the push in the runner where GH_TOKEN is set. --- .github/workflows/releasepr.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/releasepr.yml b/.github/workflows/releasepr.yml index 1a56c708..532832f0 100644 --- a/.github/workflows/releasepr.yml +++ b/.github/workflows/releasepr.yml @@ -45,9 +45,7 @@ jobs: APP_VERSION: ${{ steps.package-info.outputs.version }} GH_TOKEN: ${{ secrets.JLAB_APP_TOKEN }} run: | - # No -x: the push URL carries the token, so keep it out of the log - # (GitHub also masks the secret, this is belt and suspenders). - set -eu + set -eux # git checkout -b fails if the branch already exists, which keeps a # re-run from opening a duplicate release PR. BRANCH_NAME="release-v${APP_VERSION}" @@ -58,11 +56,11 @@ jobs: date +%s > auto-release.log git add auto-release.log git commit -m "Update auto-release logs" - # Checkout persisted no credentials, so authenticate this one push with - # the app token instead of keeping it in the git config all job long. - git push \ - "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \ - "HEAD:refs/heads/${BRANCH_NAME}" + # Checkout ran with persist-credentials: false. Wire the app token in + # through gh's credential helper just for this push, so it never lands + # in the git config or the command log; git push then uses GH_TOKEN. + gh auth setup-git + git push origin "HEAD:refs/heads/${BRANCH_NAME}" gh pr create \ --head "${BRANCH_NAME}" \ From d815e5ab18398b2763b0a8dd8a46b2fbf39e5b83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Krassowski?= <5832902+krassowski@users.noreply.github.com> Date: Thu, 2 Jul 2026 16:36:02 +0100 Subject: [PATCH 4/4] Use `GITHUB_REF_NAME` for base Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/releasepr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/releasepr.yml b/.github/workflows/releasepr.yml index 532832f0..6a86679b 100644 --- a/.github/workflows/releasepr.yml +++ b/.github/workflows/releasepr.yml @@ -64,5 +64,6 @@ jobs: gh pr create \ --head "${BRANCH_NAME}" \ + --base "${GITHUB_REF_NAME}" \ --title "Release v${APP_VERSION}" \ --body "Release v${APP_VERSION}"