chore: Split release and renovate tokens with least privilege#73

Merged: erezrokah merged 3 commits into main from fix/release-please-renovate-token on Jul 3, 2026
Conversation

erezrokah (Member) commented Jul 3, 2026

Use a dedicated least-privilege app token per step: release-please gets contents+pull-requests write scoped to this repo, and the Renovate dispatch gets actions:write scoped to .github, targeting only the module consumers (platform-cli, mcp).

erezrokah added 2 commits July 3, 2026 17:20
The Trigger Renovate step dispatches a workflow in cloudquery/.github but
the app token lacked actions:write and repo scope, causing a 403.
Use a dedicated least-privilege token per step: release-please gets
contents+pull-requests write scoped to this repo; the Renovate dispatch
gets actions:write scoped to .github. Renovate now targets only the
module consumers (platform-cli, mcp) instead of the full org.
@erezrokah erezrokah changed the title from "fix: Grant release token actions:write to trigger Renovate" to "fix: Split release and renovate tokens with least privilege" Jul 3, 2026
@erezrokah erezrokah changed the title from "fix: Split release and renovate tokens with least privilege" to "chore: Split release and renovate tokens with least privilege" Jul 3, 2026
@erezrokah erezrokah marked this pull request as ready for review July 3, 2026 16:25
@erezrokah erezrokah merged commit c4951e8 into main Jul 3, 2026
8 checks passed
@erezrokah erezrokah deleted the fix/release-please-renovate-token branch July 3, 2026 16:26
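
The token split described in this pull request, sketched as a workflow. This is an added example, not the repository's actual workflow file. Assumed here: the use of `actions/create-github-app-token` and `googleapis/release-please-action`, the variable and secret names, the `release_created` condition, the `<renovate-workflow-file>` placeholder, and the `repositories` dispatch input.

```yaml
# Added illustration; not the workflow changed by this pull request.
name: release
on:
  push:
    branches: [main]

permissions: {}   # default GITHUB_TOKEN gets nothing; each step uses its own app token

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Token 1: this repository only, and only what release-please needs.
      - name: Mint release token
        id: release-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}                    # assumed variable name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # assumed secret name
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write
          permission-pull-requests: write

      - name: Run release-please
        id: release
        uses: googleapis/release-please-action@v4
        with:
          token: ${{ steps.release-token.outputs.token }}

      # Token 2: the .github repository only, and only workflow dispatch.
      - name: Mint Renovate dispatch token
        id: renovate-token
        if: steps.release.outputs.release_created == 'true'   # assumed condition
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: cloudquery
          repositories: .github
          permission-actions: write

      - name: Trigger Renovate
        if: steps.release.outputs.release_created == 'true'
        env:
          GH_TOKEN: ${{ steps.renovate-token.outputs.token }}
        # Workflow file name and input name are placeholders, not taken from the PR.
        run: gh workflow run "<renovate-workflow-file>" --repo cloudquery/.github -f repositories="platform-cli,mcp"
```

The `permission-*` inputs can only narrow what the app installation already holds, so the app itself still needs `actions: write` on `.github` for the second token to be issued.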