From 7e5ca420903310dff6a31cbd8abfeb4b1b94c396 Mon Sep 17 00:00:00 2001 From: erezrokah Date: Fri, 3 Jul 2026 17:20:27 +0100 Subject: [PATCH 1/2] fix: Grant release token actions:write to trigger Renovate The Trigger Renovate step dispatches a workflow in cloudquery/.github but the app token lacked actions:write and repo scope, causing a 403. --- .github/workflows/release-pr.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 6218b88..ca5d3bb 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -16,8 +16,13 @@ jobs: with: app-id: ${{ secrets.CQ_APP_ID }} private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }} + owner: cloudquery + repositories: | + cloudquery-platform-api-go + .github permission-contents: write permission-pull-requests: write + permission-actions: write - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5 id: release with: From a4ad64d4e662ddca10f997f0af1ba52e1e092c6d Mon Sep 17 00:00:00 2001 From: erezrokah Date: Fri, 3 Jul 2026 17:24:21 +0100 Subject: [PATCH 2/2] fix: Split release and renovate tokens, target only consumer repos Use a dedicated least-privilege token per step: release-please gets contents+pull-requests write scoped to this repo; the Renovate dispatch gets actions:write scoped to .github. Renovate now targets only the module consumers (platform-cli, mcp) instead of the full org. --- .github/workflows/release-pr.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index ca5d3bb..b439f07 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -10,23 +10,20 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - name: Generate GitHub App token - id: app-token + - name: Generate release token + id: release-token uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ secrets.CQ_APP_ID }} private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }} owner: cloudquery - repositories: | - cloudquery-platform-api-go - .github + repositories: cloudquery-platform-api-go permission-contents: write permission-pull-requests: write - permission-actions: write - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5 id: release with: - token: ${{ steps.app-token.outputs.token }} + token: ${{ steps.release-token.outputs.token }} - name: Parse semver string if: steps.release.outputs.release_created id: semver_parser @@ -41,15 +38,28 @@ jobs: TAG_NAME: ${{ steps.release.outputs.tag_name }} with: prerelease: true + - name: Generate renovate dispatch token + id: renovate-token + if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == '' + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 + with: + app-id: ${{ secrets.CQ_APP_ID }} + private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }} + owner: cloudquery + repositories: .github + permission-actions: write - name: Trigger Renovate uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 if: steps.release.outputs.release_created && steps.semver_parser.outputs.prerelease == '' with: - github-token: ${{ steps.app-token.outputs.token }} + github-token: ${{ steps.renovate-token.outputs.token }} script: | github.rest.actions.createWorkflowDispatch({ owner: 'cloudquery', repo: '.github', workflow_id: 'renovate.yml', ref: 'main', + inputs: { + repositories: 'cloudquery/platform-cli,cloudquery/mcp', + }, })