
fix(ci): add GITHUB_TOKEN to ShellCheck step to avoid rate limits#5053

Merged: openshift-merge-bot[bot] merged 1 commit into redhat-developer:main from zdrapela:fix/shellcheck-rate-limit on Jul 4, 2026

Conversation

@zdrapela zdrapela (Member) commented Jul 4, 2026

The shellcheck npm package downloads the ShellCheck binary from GitHub releases at runtime. Without authentication, GitHub API requests hit the 60 req/hr rate limit on shared runner IPs, causing intermittent 403 errors.

This was already fixed in bash-e2e-lint.yaml (#4049) but was not carried over when the ShellCheck step was added to e2e-tests-lint.yaml in #5002.

The shellcheck npm package downloads the ShellCheck binary from GitHub
releases at runtime. Without authentication, GitHub API requests hit
the 60 req/hr rate limit on shared runner IPs, causing intermittent
403 errors.

This was already fixed in bash-e2e-lint.yaml (PR redhat-developer#4049) but was not
carried over when the ShellCheck step was added to e2e-tests-lint.yaml
in PR redhat-developer#5002.

Assisted-by: OpenCode
@openshift-ci openshift-ci Bot requested review from 04kash and kadel July 4, 2026 09:14
sonarqubecloud Bot commented Jul 4, 2026

codecov Bot commented Jul 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.77%. Comparing base (4002fc1) to head (9b42022).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5053      +/-   ##
==========================================
- Coverage   55.39%   54.77%   -0.62%     
==========================================
  Files         122      110      -12     
  Lines        2365     2147     -218     
  Branches      563      513      -50     
==========================================
- Hits         1310     1176     -134     
+ Misses       1048      970      -78     
+ Partials        7        1       -6     
Flag rhdh: coverage 54.77% <ø> (-0.62%) ⬇️

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4002fc1...9b42022. Read the comment docs.


@rhdh-qodo-merge Bot commented

PR Summary by Qodo

CI: pass GITHUB_TOKEN to ShellCheck to prevent GitHub API rate limiting

🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 10 minutes


AI Description

• Inject GITHUB_TOKEN into the ShellCheck workflow step to authenticate GitHub release downloads.
• Prevent intermittent 403 failures caused by unauthenticated GitHub API rate limits on shared runners.
Diagram

graph TD
  A["e2e-tests-lint workflow"] --> B["Run ShellCheck step"] --> C["shellcheck npm download"] --> D{{"GitHub Releases API"}}
  E["secrets.GITHUB_TOKEN"] -.-> B
High-Level Assessment

The following are alternative approaches to this PR:

1. Cache/pin ShellCheck binary
  • ➕ Eliminates runtime GitHub API calls entirely
  • ➕ More deterministic (version and availability)
  • ➖ More maintenance (version bumps, cache invalidation)
  • ➖ Potentially more workflow complexity across OS/arch
2. Use a prebuilt action (e.g., install ShellCheck)
  • ➕ Avoids the shellcheck npm downloader behavior
  • ➕ Standardized installation flow
  • ➖ May diverge from existing yarn-based tooling
  • ➖ Still may require network calls; less control over download/auth details

Recommendation: Keep the PR approach (injecting secrets.GITHUB_TOKEN) because it is the smallest, already-established fix in this repo and directly addresses the unauthenticated GitHub rate limit failure mode without changing tooling or introducing extra maintenance.

Files changed (1) +2 / -0

.github/workflows/e2e-tests-lint.yaml (+2/-0): Authenticate ShellCheck download with GITHUB_TOKEN

• Adds an env block to the ShellCheck step to pass secrets.GITHUB_TOKEN. This prevents intermittent 403s caused by GitHub API unauthenticated rate limiting when shellcheck npm fetches release binaries.

@rhdh-qodo-merge Bot commented

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 46 rules

Remediation recommended

1. Unscoped token permissions 🐞 Bug ⛨ Security
Description
e2e-tests-lint.yaml now injects secrets.GITHUB_TOKEN into a run step, but the job does not declare explicit permissions, so the token inherits repository-default scopes and becomes available to all code executed by yarn shellcheck. This increases blast radius if that step (or a transitive dependency it executes) is compromised, even though the token is only needed for reading GitHub releases.
Code

.github/workflows/e2e-tests-lint.yaml[R46-48]

+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: yarn shellcheck
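Review bot: the `env:` lines export `GITHUB_TOKEN` to the `yarn shellcheck` step while the job still declares no `permissions:` block, so the exported token carries repository-default scopes instead of the `contents: read` that fetching a release asset requires. Suggest adding `permissions:` with `contents: read` at the job (or workflow) level alongside this hunk, and a one-line comment above `env:` recording that the shellcheck npm package reads this variable for its release download (the pattern already used in bash-e2e-lint.yaml since #4049), so a later cleanup does not remove it as an apparently unused secret.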
Relevance

⭐⭐⭐ High

Team accepted least-privilege workflow permissions: contents: read hardening previously (PR #4141).

PR-#4141
PR-#4049

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow explicitly exports GITHUB_TOKEN into the ShellCheck run step but does not set job permissions, so the token’s effective scopes come from repo defaults; other workflows in the repo explicitly set permissions: contents: read (and disable checkout credential persistence) to reduce token exposure.

.github/workflows/e2e-tests-lint.yaml[14-52]
.github/workflows/pr.yaml[33-45]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow now passes `GITHUB_TOKEN` into a `run:` step, but the job doesn’t explicitly scope `GITHUB_TOKEN` permissions. This means the token uses repository-default permissions, which can be broader than necessary for downloading GitHub release assets.

## Issue Context
Other workflows in this repo already use explicit least-privilege permissions (and disable checkout credential persistence) to reduce token exposure in CI jobs.

## Fix Focus Areas
- .github/workflows/e2e-tests-lint.yaml[14-52]
- .github/workflows/pr.yaml[33-45]

## Suggested fix
1. Add a `permissions:` block to the `lint` job (or workflow) with only what’s needed, e.g.:
  - `contents: read`
2. Consider aligning `actions/checkout` usage with other workflows by adding `persist-credentials: false` unless this job needs authenticated `git` operations.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


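As an added example (not a file from this repository, the PR, or Qodo), the workflow fragment below shows the shape of the ShellCheck job after the PR's fix combined with the least-privilege `permissions:` and `persist-credentials: false` hardening recommended in the review above; it also illustrates the PR description's point that the unauthenticated download shares a per-IP rate-limit budget. The trigger, runner label, Node setup and install steps are assumptions; the `lint` job name, the file path, `yarn shellcheck`, the step-level `GITHUB_TOKEN` env and the two hardening settings come from the page.

```yaml
# Added example, not the repository's own .github/workflows/e2e-tests-lint.yaml.
# Assumptions: the pull_request trigger, ubuntu-latest runner, the Node
# setup/install steps and the step names. Everything else mirrors the PR.
name: e2e-tests-lint

on:
  pull_request:   # assumption

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless it
# overrides this. Without any permissions block the token inherits the
# repository's default scopes, which is the "unscoped token" finding above.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest   # assumption
    # Repeated at job level so a later workflow-level edit cannot silently
    # widen what this particular job's token can do.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps; this job
          # only reads the tree and never performs authenticated git operations.
          persist-credentials: false

      - uses: actions/setup-node@v4   # assumption: Node version is illustrative
        with:
          node-version: 20

      - run: yarn install --frozen-lockfile   # assumption: Yarn 1 syntax

      # BEFORE (the failure mode the PR fixes): no env block, so the shellcheck
      # npm package fetches the ShellCheck binary from GitHub Releases anonymously
      # and shares the 60 req/hr unauthenticated budget with every other job
      # leaving the same runner IP, producing intermittent 403s.
      #
      #   - run: yarn shellcheck
      #
      # AFTER (this PR): the token is passed via a step-level env block, so only
      # this step's process sees it, and the permissions blocks above limit it
      # to contents: read, which is all a release-asset download needs.
      - name: Run ShellCheck
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: yarn shellcheck
```

Keeping the `env:` on the step rather than at the job level means the token is not visible to the checkout, setup or install steps, and declaring `permissions:` explicitly means the effective scope of that token no longer depends on the repository's default setting.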

github-actions Bot (Contributor) commented Jul 4, 2026

Image was built and published successfully. It is available at:

@openshift-ci openshift-ci Bot added the lgtm label Jul 4, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit f60b7ea into redhat-developer:main Jul 4, 2026
23 checks passed
