From 5dadfe636771f06c4113abe13dc9f3b491231ece Mon Sep 17 00:00:00 2001
From: Jesse Hills <3060199+jesserockz@users.noreply.github.com>
Date: Mon, 11 May 2026 17:04:09 +1200
Subject: [PATCH] [ci] codeowner-review-request: mint least-privilege App token (#16351)

---
 .github/workflows/codeowner-review-request.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeowner-review-request.yml b/.github/workflows/codeowner-review-request.yml
index 76be6ecd7b..cd6c1d34c6 100644
--- a/.github/workflows/codeowner-review-request.yml
+++ b/.github/workflows/codeowner-review-request.yml
@@ -17,9 +17,10 @@ on:
       - release
       - beta
 
+# PR/review writes (requestReviewers, issues.createComment) are performed with the App token minted below,
+# so the workflow's GITHUB_TOKEN only needs read access for checkout.
 permissions:
-  pull-requests: write
-  contents: read
+  contents: read # actions/checkout to read CODEOWNERS and the shared codeowners.js helper
 
 jobs:
   request-codeowner-reviews:
@@ -32,9 +33,20 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.base.sha }}
 
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
+          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
+          # Scope the minted App token to the minimum needed by the github-script step below.
+          permission-pull-requests: write # pulls.listFiles, pulls.get, pulls.listReviews, pulls.requestReviewers
+          permission-issues: write # issues.listComments and issues.createComment (PR comments use the issues API)
+
       - name: Request reviews from component codeowners
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             const { loadCodeowners, getEffectiveOwners } = require('./.github/scripts/codeowners.js');
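Review bot: Dropping `pull-requests: write` from the `permissions:` block leaves the job with no fallback path — every review request and comment now depends on the App token, so if `vars.ESPHOME_GITHUB_APP_CLIENT_ID` or `secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY` is unavailable in the triggering context (the `on:` event type sits above this hunk and is not visible; a plain `pull_request` run from a fork would be the case to confirm) the `Generate a token` step in the second hunk fails before any reviews are requested, which is a silent loss of the workflow's purpose rather than a security regression. The new header comment should state that dependency explicitly, e.g. `# The App client id / private key must be available in this event context; there is no GITHUB_TOKEN fallback for the write calls.` In the second hunk the `Generate a token` step passes neither `owner` nor `repositories`, so the minted token is scoped to this repository only by the action's default; a one-line comment such as `# No owner/repositories input: token is scoped to this repository only.` next to the `permission-*` inputs would make the least-privilege scope explicit for the next reviewer. The second hunk's `script: |` block continues past the end of the visible patch.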