Tweaks to the "Commit Built File Changes" workflow#11808
Conversation
… environment variable.
…g it to an environment variable that's accessible by subsequent steps.
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the

Core Committers: Use this line as a base for the props when committing in SVN:

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
Pull request overview
This PR updates the “Commit Built File Changes” GitHub Actions workflow to reduce token permissions and secret exposure while keeping the GitHub App installation token as the mechanism used for pushing commits back to PR branches.
Changes:
- Replaces `contents: write` on `GITHUB_TOKEN` with the narrower `actions: read` permission needed to fetch workflow artifacts.
- Stops writing the GitHub App private key to disk; uses the secret value directly in the JWT generation step.
- Passes the GitHub App installation access token via step outputs instead of exporting it to the job environment, and switches the App ID from a secret to a repo variable.
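As an added illustration (not the project's workflow file, which this page does not reproduce), the following hypothetical job shows the hardened pattern the review summarises: `GITHUB_TOKEN` limited to `actions: read`, the App private key consumed from a step-scoped environment variable without ever being written to disk, and the installation token handed to later steps as a masked step output rather than through `$GITHUB_ENV`. The trigger, the secret and variable names (`GH_APP_PRIVATE_KEY`, `GH_APP_ID`), the artifact name and the branch handling are assumptions made for the example.

```yaml
# Illustrative job, not the project's own workflow. Names marked "assumed" are placeholders.
name: Commit Built File Changes (hardened pattern, illustrative)

on:
  workflow_run:
    workflows: [ 'Build' ]      # assumed name of the upstream build workflow
    types: [ completed ]

# Only what the job itself needs from GITHUB_TOKEN: reading the build artifact.
# The push is done with the App installation token, so contents: write is not granted here.
permissions:
  actions: read

jobs:
  commit:
    runs-on: ubuntu-latest
    steps:
      - name: Generate installation token
        id: app-token
        env:
          # The secret is visible only to this step's processes; it is never exported to $GITHUB_ENV.
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}   # assumed secret name
          # The App ID is not sensitive, so a repository variable is sufficient.
          GH_APP_ID: ${{ vars.GH_APP_ID }}                        # assumed variable name
        run: |
          set -euo pipefail
          b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
          now=$(date +%s)
          header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
          # iat backdated 60s for clock skew; exp stays inside GitHub's 10 minute JWT limit.
          claims=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$((now - 60))" "$((now + 540))" "$GH_APP_ID" | b64url)
          # The PEM key is fed to openssl through process substitution (/dev/fd), so no key file is created.
          sig=$(printf '%s.%s' "$header" "$claims" \
            | openssl dgst -sha256 -sign <(printf '%s\n' "$GH_APP_PRIVATE_KEY") \
            | b64url)
          jwt="$header.$claims.$sig"

          # Look up the installation for this repository, then mint a short-lived installation token.
          installation_id=$(curl -sSf \
            -H "Authorization: Bearer $jwt" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY/installation" | jq -r .id)
          token=$(curl -sSf -X POST \
            -H "Authorization: Bearer $jwt" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/app/installations/$installation_id/access_tokens" | jq -r .token)

          # Step outputs are not treated as secrets, so mask the value before publishing it.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"

      - name: Checkout PR branch with the App token
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          ref: ${{ github.event.workflow_run.head_branch }}   # assumed: same-repository branch

      - name: Download built files
        uses: actions/download-artifact@v4
        with:
          name: built-files                                    # assumed artifact name
          github-token: ${{ github.token }}                    # actions: read covers this
          run-id: ${{ github.event.workflow_run.id }}

      - name: Commit and push
        run: |
          set -euo pipefail
          git config user.name "app-bot"                       # assumed committer identity
          git config user.email "app-bot@example.com"
          git add -A
          if ! git diff --cached --quiet; then
            git commit -m "Build: update built files."
            git push
          fi
```

A secret declared under a step's `env:` reaches only that step's processes, whereas a value appended to `$GITHUB_ENV` lands in the environment of every later step and every tool those steps spawn; an output has to be referenced explicitly with `steps.<id>.outputs.<name>`. One remaining caveat: `actions/checkout` with `token:` persists that credential into the workspace's `.git/config` (the default `persist-credentials: true`), which is a file on the runner, so the push step relies on it while it is there and the checkout should not be reused for untrusted code.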
Trac ticket: https://core.trac.wordpress.org/ticket/64227 (for 7.0)
Trac ticket: https://core.trac.wordpress.org/ticket/64893 (for 7.1)
This makes the following changes:
- `contents: write` permission from the GitHub token, it's not needed as the app does the push
- `GH_APP_PRIVATE_KEY` environment variable so it's just read directly instead of written to disk
- 1178653)

Use of AI Tools
AI assistance: Yes
Tool(s): Claude Code
Model(s): Opus 4.7
Used for: Research and collab