
ci: migrate GitHub release publishing to dd-octo-sts tokens#3357

Merged
PROFeNoM merged 2 commits into master from alex/migrate-release-github-to-dd-octo-sts
Jul 25, 2025

Conversation

@PROFeNoM
Contributor

Description

Replace long-lived AWS SSM secrets with short-lived dd-octo-sts tokens for GitHub release publishing.

Changes:

  • Split "publish release to github" into two jobs for token generation and release publishing
  • Current PHP script is unchanged
  • Add chainguard policy gitlab-ci-publish-release.sts.yaml with minimal release permissions
  • Replace GITHUB_RELEASE_PAT from AWS SSM with 1-hour dd-octo-sts tokens
  • Add token masking
  • Chainguard policy grants minimal contents: write permissions (See doc)

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.
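The PR page shows the description but not the policy file or the pipeline change itself. The following is an added illustration, not code from the PR or from dd-trace-php, of the shape such a change takes: a Chainguard/octo-sts style trust policy that grants only `contents: write`, and a GitLab CI fragment split into a token-generation job and a release job, with the existing PHP script left untouched. The policy file name comes from the PR; the policy schema follows the public octo-sts trust-policy format. The issuer and subject-claim layout follow GitLab's documented OIDC `id_tokens` behaviour. The dd-octo-sts exchange endpoint, audience value, group/project/org/repo names, the response field name and the PHP script path are all assumptions or placeholders.

```yaml
# ADDED EXAMPLE (not from the PR). Policy file consumed by the STS service,
# stored in the GitHub repository that receives the release.
# Path convention assumed: .github/chainguard/gitlab-ci-publish-release.sts.yaml
issuer: https://gitlab.com
# GitLab CI id_tokens carry
#   sub = project_path:<group>/<project>:ref_type:<type>:ref:<name>
# Restrict the trust to one project and to tag pipelines only (placeholder names).
subject_pattern: 'project_path:EXAMPLE-GROUP/EXAMPLE-PROJECT:ref_type:tag:ref:.+'
# Least privilege: creating a release and uploading its assets needs only this scope.
permissions:
  contents: write
---
# ADDED EXAMPLE (not from the PR). .gitlab-ci.yml fragment with the two-job split.
stages: [release-token, release-publish]

generate_release_token:
  stage: release-token
  id_tokens:
    DD_OCTO_STS_ID_TOKEN:
      aud: dd-octo-sts                 # ASSUMED audience expected by the STS deployment
  script:
    # Exchange the pipeline's OIDC token for a short-lived GitHub installation token.
    # Endpoint, query parameters and the "token" response field are ASSUMPTIONS.
    - |
      GITHUB_RELEASE_PAT="$(curl -fsS \
        -H "Authorization: Bearer ${DD_OCTO_STS_ID_TOKEN}" \
        "https://DD-OCTO-STS.EXAMPLE/sts/exchange?scope=EXAMPLE-ORG/EXAMPLE-REPO&identity=gitlab-ci-publish-release" \
        | jq -r .token)"
      # Do not print the token; pass it to the next job through a dotenv report only.
      echo "GITHUB_RELEASE_PAT=${GITHUB_RELEASE_PAT}" > release_token.env
  artifacts:
    reports:
      dotenv: release_token.env
    expire_in: 1 hour                  # matches the token's own lifetime
  rules:
    - if: $CI_COMMIT_TAG

publish_release_to_github:
  stage: release-publish
  needs: [generate_release_token]
  script:
    # The PHP release script is unchanged: it still reads GITHUB_RELEASE_PAT,
    # now populated from the dotenv artifact instead of an AWS SSM secret.
    - php ./publish-release.php        # ASSUMED script path
  rules:
    - if: $CI_COMMIT_TAG
```

Two points worth checking in a real deployment of this pattern. First, the `subject_pattern` is the actual security boundary: anything matching it can mint a `contents: write` token for the target repository, so keep it to the release project and the ref type that runs releases. Second, a dotenv artifact is readable by anyone who can download that job's artifacts while it exists, so the short `expire_in` and the one-hour token lifetime are what limit the exposure window, not the masking of the job log.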

@PROFeNoM PROFeNoM self-assigned this Jul 24, 2025
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.80%. Comparing base (3a60489) to head (94a90ed).

Additional details and impacted files


@@            Coverage Diff             @@
##           master    #3357      +/-   ##
==========================================
- Coverage   61.93%   61.80%   -0.13%     
==========================================
  Files         140      140              
  Lines       12356    12356              
  Branches     1616     1616              
==========================================
- Hits         7653     7637      -16     
- Misses       3992     4008      +16     
  Partials      711      711              

see 3 files with indirect coverage changes


Continue to review full report in Codecov by Sentry.

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3a60489...94a90ed.


@PROFeNoM PROFeNoM marked this pull request as ready for review July 24, 2025 13:05
@PROFeNoM PROFeNoM requested a review from a team as a code owner July 24, 2025 13:05
@PROFeNoM PROFeNoM merged commit 4ba40d2 into master Jul 25, 2025
1856 of 1880 checks passed
@PROFeNoM PROFeNoM deleted the alex/migrate-release-github-to-dd-octo-sts branch July 25, 2025 06:48
@github-actions github-actions Bot added this to the 1.11.0 milestone Jul 25, 2025
