2 changes: 1 addition & 1 deletion .github/actions/benchmarks/action.yml
@@ -14,7 +14,7 @@ runs:

- name: Upload Results
if: steps.benchmarks.outcome == 'success'
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
Member


We'll want to pin all the SHAs, and include a comment of the specific version.

Suggested change
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # 7.0.0

Member Author


I hadn't pinned these since we don't enforce pinning actions from GitHub's official actions org. I'm happy to pin absolutely everything though.

Member


We've been pinning basically everything, but if our general guidance is going to not be pinning official actions, then I could see that.

with:
name: Benchmarks-${{ steps.go-version.outputs.version }}
path: benchmarks.txt
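Review bot: `actions/upload-artifact@v7` is a mutable tag that can be moved to a different commit after this merges; pin the full commit SHA with a version comment, as the thread above suggests and as this PR already does for `fetch-api-data-action`, `create-pull-request` and `release-please-action`. The same applies to the identical bump in `coverage/action.yml` and `unit-tests/action.yml`. If GitHub-official actions are meant to be the one exception, record that decision somewhere reviewable (a comment in the action file or the zizmor configuration) so the mixed style reads as policy rather than oversight.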
9 changes: 6 additions & 3 deletions .github/actions/coverage/action.yml
@@ -23,19 +23,22 @@ runs:
echo "coverage_status=$status" >> $GITHUB_OUTPUT

- name: Upload coverage results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: Coverage-result-${{ steps.go-version.outputs.version }}
path: build/coverage*

- name: Enforce coverage
shell: bash
run: |
if [ "${{ steps.test-coverage.outputs.coverage_status }}" != "0" ]; then
if [ "${STEPS_TEST_COVERAGE_OUTPUTS_COVERAGE_STATUS}" != "0" ]; then
echo "Code isn't fully covered!"
if [ "${{ inputs.enforce }}" == "true" ]; then
if [ "${INPUTS_ENFORCE}" == "true" ]; then
exit 1
fi
else
echo "Code is fully covered!"
fi
env:
STEPS_TEST_COVERAGE_OUTPUTS_COVERAGE_STATUS: ${{ steps.test-coverage.outputs.coverage_status }}
INPUTS_ENFORCE: ${{ inputs.enforce }}
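Review bot: in the non-enforcing branch (`INPUTS_ENFORCE` not `"true"`) the coverage gap is reported only as a plain `echo` that disappears into the step log; emitting it as a workflow command, `echo "::warning::Code isn't fully covered!"`, surfaces it as an annotation on the run summary without changing the exit status. Moving `coverage_status` and `enforce` out of `${{ }}` inside `run:` and into `env:` is the right fix for the expression-injection finding; note the `==` comparison inside `[ ]` is a bashism, which is fine only because `shell: bash` is set on the step.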
2 changes: 1 addition & 1 deletion .github/actions/unit-tests/action.yml
@@ -29,7 +29,7 @@ runs:

- name: Upload test results
if: steps.process-test.outcome == 'success'
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: Test-result-${{ steps.go-version.outputs.version }}
path: junit_report.xml
11 changes: 11 additions & 0 deletions .github/launchdarkly/self.bump-go-versions.sts.yaml
@@ -0,0 +1,11 @@
issuer: https://token.actions.githubusercontent.com
subject_pattern: repo:launchdarkly/go-semver:ref:refs/heads/main
claim_pattern:
event_name: workflow_dispatch|schedule
ref: refs/heads/main
ref_protected: "true"
workflow_ref: launchdarkly/go-semver/.github/workflows/check-go-versions.yml@refs/heads/main

permissions:
contents: write
pull_requests: write
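Review bot: the `claim_pattern` values appear to be regular expressions (`workflow_dispatch|schedule` relies on alternation), so the unescaped `.` in `subject_pattern` and `workflow_ref` match any character; harmless here because every other character in those paths is literal, but `\.` states the intent. Since this file alone decides which workflow run can mint a token carrying `contents: write` and `pull_requests: write`, a header comment naming the consuming workflow (`check-go-versions.yml`) and an ownership rule for `.github/launchdarkly/` would keep later edits to it deliberate. Restricting to `ref_protected: "true"` on `refs/heads/main` is the right constraint for a token used to open PRs.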
48 changes: 31 additions & 17 deletions .github/workflows/check-go-versions.yml
@@ -4,19 +4,20 @@ on:
- cron: "0 17 * * *"
workflow_dispatch:

permissions: {}

jobs:
check-go-eol:
runs-on: ubuntu-latest
runs-on: ubuntu-slim
outputs:
latest: ${{ steps.parse.outputs.latest }}
penultimate: ${{ steps.parse.outputs.penultimate }}
timeout-minutes: 2
steps:
- uses: actions/checkout@v4
# Perform a GET request to endoflife.date for the Go language. The response
# contains all Go releases; we're interested in the 0'th and 1'th (latest and penultimate.)
- name: Fetch officially supported Go versions
uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c # 396ebea7d13904824f85b892b1616985f847301c
uses: JamesIves/fetch-api-data-action@8dc51e982d982157bfd575ed64be3c48b3078037 # v2.5.0
with:
endpoint: https://endoflife.date/api/go.json
configuration: '{ "method": "GET" }'
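Review bot: `actions/checkout@v4` on the `check-go-eol` job is left untouched while every other checkout in this PR moves to `@v6` with `persist-credentials: false`; apply the same here, or drop the step entirely if nothing in the job reads repository files (the visible steps only fetch and parse the endoflife.date response). Replacing the bare SHA comment with `# v2.5.0` on `fetch-api-data-action` is the right form for the pinning convention. `permissions: {}` at workflow level is a good default for a workflow whose jobs declare their own scopes.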
@@ -27,40 +28,53 @@ jobs:
run: |
echo "latest=${{ fromJSON(env.fetch-api-data)[0].cycle }}" >> $GITHUB_OUTPUT
echo "penultimate=${{ fromJSON(env.fetch-api-data)[1].cycle }}" >> $GITHUB_OUTPUT

create-prs:
permissions:
contents: write
pull-requests: write
contents: read
id-token: write
needs: check-go-eol
runs-on: ubuntu-latest
runs-on: ubuntu-slim
env:
officialLatestVersion: ${{ needs.check-go-eol.outputs.latest }}
officialPenultimateVersion: ${{ needs.check-go-eol.outputs.penultimate }}
OFFICIAL_LATEST_VERSION: ${{ needs.check-go-eol.outputs.latest }}
OFFICIAL_PENULTIMATE_VERSION: ${{ needs.check-go-eol.outputs.penultimate }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
persist-credentials: false

- name: Get current Go versions
id: go-versions
run: cat ./.github/variables/go-versions.env > $GITHUB_OUTPUT

- name: Update go-versions.env and README.md
if: steps.go-versions.outputs.latest != env.officialLatestVersion
if: steps.go-versions.outputs.latest != env.OFFICIAL_LATEST_VERSION
id: update-go-versions
run: |
sed -i -e "s#latest=[^ ]*#latest=${{ env.officialLatestVersion }}#g" \
-e "s#penultimate=[^ ]*#penultimate=${{ env.officialPenultimateVersion }}#g" \
sed -i -e "s#latest=[^ ]*#latest=${OFFICIAL_LATEST_VERSION}#g" \
-e "s#penultimate=[^ ]*#penultimate=${OFFICIAL_PENULTIMATE_VERSION}#g" \
./.github/variables/go-versions.env

- name: Create GitHub token
uses: launchdarkly/octosts-action@v1
if: steps.update-go-versions.outcome == 'success'
id: github-token
with:
scope: ${{ github.repository }}
identity: 'self.bump-go-versions'

- name: Create pull request
if: steps.update-go-versions.outcome == 'success'
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.github-token.outputs.token }}
add-paths: |
.github/variables/go-versions.env
branch: "launchdarklyreleasebot/update-to-go${{ env.officialLatestVersion }}-${{ matrix.branch }}"
branch: "launchdarklyreleasebot/update-to-go${{ env.OFFICIAL_LATEST_VERSION }}-${{ matrix.branch }}"
author: "LaunchDarklyReleaseBot <LaunchDarklyReleaseBot@launchdarkly.com>"
committer: "LaunchDarklyReleaseBot <LaunchDarklyReleaseBot@launchdarkly.com>"
labels: ${{ matrix.branch }}
title: "fix(deps): bump supported Go versions to ${{ env.officialLatestVersion }} and ${{ env.officialPenultimateVersion }}"
commit-message: "Bumps from Go ${{ steps.go-versions.outputs.latest }} -> ${{ env.officialLatestVersion }} and ${{ steps.go-versions.outputs.penultimate }} -> ${{ env.officialPenultimateVersion }}."
title: "fix(deps): bump supported Go versions to ${{ env.OFFICIAL_LATEST_VERSION }} and ${{ env.OFFICIAL_PENULTIMATE_VERSION }}"
commit-message: "Bumps from Go ${{ steps.go-versions.outputs.latest }} -> ${{ env.OFFICIAL_LATEST_VERSION }} and ${{ steps.go-versions.outputs.penultimate }} -> ${{ env.OFFICIAL_PENULTIMATE_VERSION }}."
body: |
- [ ] I have triggered CI on this PR (either close & reopen this PR in Github UI, or `git commit -m "run ci" --allow-empty && git push`)
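Review bot: the parse step still interpolates `${{ fromJSON(env.fetch-api-data)[0].cycle }}` and `[1].cycle` directly into the `run:` script, the same pattern this PR replaces with environment variables elsewhere, and here the value comes from an external HTTP response rather than a checked-in file; pass `env.fetch-api-data` through `env:` and extract the fields in the shell (for example `jq -r '.[0].cycle'`) so the response body is never evaluated as script text. Two smaller points: `matrix.branch` is used in the `branch:` and `labels:` inputs but no `strategy.matrix` is visible on the `create-prs` job, so it will expand to an empty string unless one is defined above the shown lines; and `launchdarkly/octosts-action@v1` is the one non-checkout action in this job still referenced by a mutable tag. Switching the token from `secrets.GITHUB_TOKEN` to the OctoSTS-issued token is a real improvement, both because it is scoped to the trust policy and because PRs opened with an app token trigger `pull_request` workflows, which may make the "I have triggered CI" checkbox in `body:` unnecessary.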
9 changes: 7 additions & 2 deletions .github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
paths-ignore:
- '**.md'

permissions:
contents: read

jobs:
go-versions:
uses: ./.github/workflows/go-versions.yml
@@ -35,9 +38,11 @@ jobs:
matrix:
go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Setup Go ${{ matrix.go-version }}
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version: ${{ matrix.go-version }}
- name: Test
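Review bot: `persist-credentials: 'false'` is written as a quoted string here and in `common_ci.yml` but as a bare `false` in `check-go-versions.yml`; both work because action inputs are always strings, but a single form across the repo keeps grep-based audits simple. Disabling credential persistence on a job that only builds and tests is the right call, since the test step then cannot reuse the checkout token. `actions/setup-go@v6` remains on a mutable tag, consistent with the author's stated exception for GitHub-official actions.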
12 changes: 8 additions & 4 deletions .github/workflows/common_ci.yml
@@ -12,9 +12,11 @@ jobs:
runs-on: ubuntu-latest
name: 'Unit Tests and Coverage'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Setup Go ${{ inputs.go-version }}
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version }}
- uses: ./.github/actions/unit-tests
@@ -28,9 +30,11 @@ jobs:
name: 'Benchmarks'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Setup Go ${{ inputs.go-version }}
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version }}
- uses: ./.github/actions/benchmarks
16 changes: 11 additions & 5 deletions .github/workflows/go-versions.yml
@@ -36,21 +36,27 @@ on:

jobs:
go-versions:
runs-on: ubuntu-latest
runs-on: ubuntu-slim
outputs:
latest: ${{ steps.set-env.outputs.latest }}
penultimate: ${{ steps.set-env.outputs.penultimate }}
all: ${{ steps.set-matrix.outputs.all }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Set Go Versions
id: set-env
run: cat ./.github/variables/go-versions.env > $GITHUB_OUTPUT
- name: Set Go Version Matrices
id: set-matrix
run: |
if [ "${{ steps.set-env.outputs.penultimate }}" == "${{ steps.set-env.outputs.min }}" ]; then
echo "all=[\"${{ steps.set-env.outputs.latest }}\",\"${{ steps.set-env.outputs.penultimate }}\"]" >> $GITHUB_OUTPUT
if [ "${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}" == "${STEPS_SET_ENV_OUTPUTS_MIN}" ]; then
echo "all=[\"${STEPS_SET_ENV_OUTPUTS_LATEST}\",\"${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}\"]" >> $GITHUB_OUTPUT
else
echo "all=[\"${{ steps.set-env.outputs.latest }}\",\"${{ steps.set-env.outputs.penultimate }}\",\"${{ steps.set-env.outputs.min }}\"]" >> $GITHUB_OUTPUT
echo "all=[\"${STEPS_SET_ENV_OUTPUTS_LATEST}\",\"${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}\",\"${STEPS_SET_ENV_OUTPUTS_MIN}\"]" >> $GITHUB_OUTPUT
fi
env:
STEPS_SET_ENV_OUTPUTS_PENULTIMATE: ${{ steps.set-env.outputs.penultimate }}
STEPS_SET_ENV_OUTPUTS_MIN: ${{ steps.set-env.outputs.min }}
STEPS_SET_ENV_OUTPUTS_LATEST: ${{ steps.set-env.outputs.latest }}
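Review bot: `cat ./.github/variables/go-versions.env > $GITHUB_OUTPUT` truncates the outputs file with `>` instead of appending; it works only because it is the step's first write, and `>>` is the documented form that stays correct if another output is added ahead of it (the same line appears in `check-go-versions.yml`). Moving the matrix inputs into `env:` is the right shape for the `${{ }}`-in-`run:` finding; since they originate in a checked-in file the injection risk was already low, and building the JSON with `jq -nc '$ARGS.positional' --args "$STEPS_SET_ENV_OUTPUTS_LATEST" "$STEPS_SET_ENV_OUTPUTS_PENULTIMATE"` would remove the hand-escaped quotes in both branches.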
10 changes: 8 additions & 2 deletions .github/workflows/release-please.yml
@@ -6,11 +6,17 @@ on:
- main
workflow_dispatch:


permissions:
contents: write
issues: write
pull-requests: write


Unnecessary workflow-level permission overridden by job-level permissions

Low Severity

The newly added workflow-level permissions block includes issues: write, but the only job (release-please) defines its own permissions block (with just contents: write and pull-requests: write), which completely overrides the workflow-level permissions. The issues: write permission has no effect on any job. Given this PR's goal of tightening security posture via zizmor, adding an unused broad permission at the workflow level is counterproductive — it could mislead future contributors into thinking issues: write is needed, and any new job added without its own permissions block would unexpectedly inherit it.


Member


This is likely because we added the job level permissions to main between the opening of this PR and now, so this is redundant now.

I do generally agree that job level permissions are better than workflow level permissions. Especially being as some jobs execute in repo code and other jobs do not.


jobs:
release-please:
runs-on: ubuntu-latest
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
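Review bot: as the thread above notes, the new workflow-level `permissions:` block (`contents: write`, `issues: write`, `pull-requests: write`) is fully shadowed by the job-level block on `release-please`, and `issues: write` is granted to nothing; replace it with `permissions: {}` as `check-go-versions.yml` does in this same PR, so any job added later without its own block starts from no scopes instead of inheriting three write scopes. Updating the comment on the unchanged SHA from `# v4` to `# v4.4.0` matches the pinning convention the reviewers are asking for elsewhere.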
6 changes: 6 additions & 0 deletions .github/workflows/stale.yml
@@ -5,6 +5,12 @@ on:
# Happen once per day at 1:30 AM
- cron: '30 1 * * *'

permissions:
actions: write
contents: read
issues: write
pull-requests: write

jobs:
sdk-close-stale:
uses: launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main
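Review bot: `launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main` is a mutable branch reference, so what the callee does with the `actions: write`, `issues: write` and `pull-requests: write` it now receives can change without any edit here; pin it to a commit SHA with a version comment, as this PR does for the other non-GitHub actions. A one-line comment on why `actions: write` is required (actions/stale uses it to manage its state cache) would also keep that scope from being widened or dropped by accident in a later cleanup.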