
ci(prereleaser): verify user membership for running workflow #585

Merged
merged 10 commits into from
Jan 6, 2025

Conversation

prashant-shahi
Member

@prashant-shahi prashant-shahi commented Dec 31, 2024

CI

  • verify user membership for running workflow

Summary by CodeRabbit

  • Security
    • Enhanced release workflow with a new verification job.
    • Added a verification step to ensure only authorized team members can trigger releases.
    • Improved conditional execution for the charts job based on verification results.

@prashant-shahi prashant-shahi requested a review from a team as a code owner December 31, 2024 07:29

coderabbitai bot commented Dec 31, 2024

Walkthrough

The pull request modifies the GitHub Actions workflow in .github/workflows/prereleaser.yaml by introducing a new verify job. This job inherits secrets and requires specific inputs for user validation. The charts job has been updated to depend on the verify job, and it includes a conditional execution clause that allows it to run based on the success of the verify job or if triggered by a repository_dispatch event.

Changes

File Change Summary
.github/workflows/prereleaser.yaml Added verify job for user authorization
Added job dependency needs: [verify] to charts job
Added conditional execution for charts job based on verify job success or repository_dispatch

Sequence Diagram

sequenceDiagram
    participant Trigger as Workflow Trigger
    participant Verify as Verify Job
    participant GitHub as GitHub API
    participant Charts as Charts Job

    Trigger->>Verify: Initiate workflow
    Verify->>GitHub: Check user membership
    alt User is authorized
        GitHub-->>Verify: Membership confirmed
        Verify->>Charts: Proceed with job
    else User is unauthorized
        GitHub-->>Verify: Membership denied
        Verify-->>Trigger: Workflow fails
    end

Poem

🐰 Release Rabbit's Verification Verse 🚀
In workflows where tokens dance and spin,
A guardian checks who shall begin.
Only releasers pass this gate so bright,
With GitHub's magic token shining light!

Hop, verify, deploy with glee! 🌟


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1550599 and 15c0f57.

📒 Files selected for processing (1)
  • .github/workflows/prereleaser.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/prereleaser.yaml


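The membership check that the walkthrough and the sequence diagram describe, written out as an added example (this is not the repository's Makefile target or workflow step): the function names `fetch_membership`, `is_active_member` and `verify_team_membership`, the org/team arguments and the use of the `GET /orgs/{org}/teams/{team_slug}/memberships/{username}` endpoint are assumptions for illustration. The response is captured with a single `gh_response=$(...)` assignment, which is the form the shellcheck findings SC2036/SC2030/SC2031 reported further down this page are asking for, and a pending invitation or a 404 both deny.

```shell
#!/usr/bin/env bash
# Added example, not the project's Makefile target or workflow step: gate a
# release on active membership of a GitHub team. The function names, the
# org/team arguments and the use of the team-membership REST endpoint are
# assumptions for illustration.
set -euo pipefail

# fetch_membership ORG TEAM USER TOKEN
# Prints the response body, then a final line with the HTTP status code, from
# GET /orgs/{org}/teams/{team_slug}/memberships/{username}
# (200 + JSON for a member, 404 when not a member or not visible to the token).
fetch_membership() {
  local org="$1" team="$2" user="$3" token="$4"
  curl -sS \
    -H "Authorization: Bearer ${token}" \
    -H "Accept: application/vnd.github+json" \
    -w '\n%{http_code}' \
    "https://api.github.com/orgs/${org}/teams/${team}/memberships/${user}"
}

# is_active_member RESPONSE
# Accepts only a 200 whose body carries "state": "active". A 404 and a pending
# invitation ("state": "pending", which the endpoint also returns with 200)
# are both rejected, so an invited-but-unaccepted account cannot release.
is_active_member() {
  local response="$1"
  local nl=$'\n'
  local code="${response##*${nl}}"   # text after the last newline: the status code
  local body="${response%${nl}*}"    # everything before it: the JSON body
  [ "${code}" = "200" ] || return 1
  printf '%s' "${body}" | grep -Eq '"state"[[:space:]]*:[[:space:]]*"active"'
}

# verify_team_membership ORG TEAM USER TOKEN
# Returns non-zero (failing the job) unless USER is an active member of ORG/TEAM.
verify_team_membership() {
  local org="$1" team="$2" user="$3" token="$4"
  local gh_response
  # Assign the output of the whole command substitution. The form
  # `gh_response=$(...) | something` runs the assignment in a pipeline subshell,
  # so the variable is empty afterwards (shellcheck SC2036, SC2030, SC2031).
  gh_response=$(fetch_membership "${org}" "${team}" "${user}" "${token}")
  if is_active_member "${gh_response}"; then
    echo "${user} is an active member of ${org}/${team}"
    return 0
  fi
  echo "::error::${user} is not an active member of ${org}/${team}" >&2
  return 1
}

# In a workflow step, with GH_TOKEN set from the GitHub App token:
#   verify_team_membership "$GITHUB_REPOSITORY_OWNER" releaser "$GITHUB_ACTOR" "$GH_TOKEN"
```

The status code is appended by `curl -w` after the body rather than read from a separate call, so one request decides; a token that cannot see the team at all gets a 404, which is treated the same as "not a member".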
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/prereleaser.yaml (1)

21-31: LGTM! Secure token generation implementation.

The implementation correctly uses GitHub App token for authentication, which is a security best practice as it provides limited, scoped access compared to personal access tokens.

Ensure the GitHub App has minimal required permissions set in the app settings.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db2b9c4 and a69bb6d.

📒 Files selected for processing (1)
  • .github/workflows/prereleaser.yaml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/prereleaser.yaml

32-32: shellcheck reported issue in this script: SC2036:warning:13:1: If you wanted to assign the output of the pipeline, use a=$(b | c)

(shellcheck)


32-32: shellcheck reported issue in this script: SC2030:info:13:1: Modification of gh_response is local (to subshell caused by pipeline)

(shellcheck)


32-32: shellcheck reported issue in this script: SC2031:info:18:8: gh_response was modified in a subshell. That change might be lost

(shellcheck)

🔇 Additional comments (1)
.github/workflows/prereleaser.yaml (1)

57-57: LGTM! Proper job dependency.

The dependency on the verify job ensures that authorization checks complete before proceeding with the release process.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (1)
.github/workflows/prereleaser.yaml (1)

47-50: ⚠️ Potential issue

Security bypass: Remove repository_dispatch skip condition

Skipping the verification for repository_dispatch events creates a security bypass path. This is particularly concerning as it allows circumventing the team membership check.

- if [[ "${{ github.event.name }}" == "repository_dispatch" ]]; then
-   echo "skipping, event is triggered from other repository workflow"
-   exit 0
- fi
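Review bot: the skip on the removed lines never fired as written, because `github.event.name` is not the trigger-type context; the event type is `github.event_name`, while `github.event` is the webhook payload, which has no top-level `name` for either `workflow_dispatch` or `repository_dispatch`. The comparison therefore matched an empty string against `repository_dispatch`, was always false, and the membership check already ran for every trigger, safe by accident rather than by design. Deleting the block, as the diff does, makes that explicit; if a dispatch from another repository's workflow must be let through, gate it on something the caller cannot choose, such as the identity behind the token that fired the dispatch (`github.actor`), not on the event type alone.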
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a69bb6d and e522c7d.

📒 Files selected for processing (1)
  • .github/workflows/prereleaser.yaml (1 hunks)
🔇 Additional comments (3)
.github/workflows/prereleaser.yaml (3)

21-23: LGTM: Job definition follows best practices

The verify job is properly defined with a standard runner configuration.


51-55: Fix team name inconsistency

The team name "releaser" is used here but the PR description mentions "releasers". Verify the correct team name to avoid authentication failures.

✅ Verification successful

Let me gather more information to verify the team name in the repository.


Team name "releaser" is correct

Based on the search results, the team name "releaser" (singular) is consistently used within the codebase, particularly in the workflow files:

  • .github/workflows/prereleaser.yaml: Uses "releaser" in the team verification step
  • The workflow also references signoz/primus.workflows/.github/workflows/releaser.yaml

The PR description's mention of "releasers" appears to be incorrect, as the codebase consistently uses the singular form "releaser".

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the correct team name

# Check team name usage across workflows
echo "Checking team name usage:"
rg -i "releaser[s]?\b" .github/workflows/

Length of output: 610


Script:

#!/bin/bash
# Check team name in other configuration files and documentation
echo "Checking team name in other files:"
rg -i "releaser[s]?\b" -g '!.github/workflows/*' --type yaml --type md

# Check Makefile for the github-verify-team-membership target
echo -e "\nChecking Makefile for team verification:"
rg "github-verify-team-membership" -A 5

Length of output: 288


24-41: Verify GitHub App token permissions

The implementation uses a GitHub App token for authentication, which is a security best practice. However, we should verify that the GitHub App has the minimum required permissions.

✅ Verification successful

Let me gather more information about how this token is being used in the workflow.


GitHub App token usage is appropriate and well-scoped

The GitHub App token is used appropriately with minimal scope:

  • Token is only used for checking out the signoz/primus repository
  • Verifies releaser team membership when manually triggered
  • Token is passed to a reusable workflow for charts release

The implementation follows security best practices:

  • Uses GitHub App authentication instead of personal access tokens
  • Token is scoped to the repository owner
  • Token is generated per workflow run
  • Token permissions are implicitly limited to the required operations (repo access)
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check GitHub App permissions in the repository

# Check for workflow files referencing the GitHub App
echo "Checking for GitHub App usage:"
rg -l "PRIMUS_APP_ID|PRIMUS_PRIVATE_KEY" .github/workflows/

# Check for other potential token usages
echo -e "\nChecking for other token usages:"
rg "create-github-app-token" .github/workflows/

Length of output: 380


Script:

#!/bin/bash
# Check the complete workflow file to understand token usage scope
echo "Checking prereleaser.yaml workflow:"
cat .github/workflows/prereleaser.yaml

# Check if there are any other workflows that might be related
echo -e "\nChecking related workflows:"
fd -e yaml -e yml . .github/workflows/ --exec head -n 1 {}

Length of output: 2327

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/prereleaser.yaml (1)

Line range hint 1-38: Comprehensive security review needed

Based on past review comments and current analysis, several security aspects need attention:

  1. Verify that release.yaml has similar team membership checks
  2. Define minimum required permissions for the GitHub App token
  3. Implement proper security checks for all event types
  4. Consider implementing additional security measures:
    • Branch protection rules
    • Required reviewers
    • Environment protection rules

Would you like me to help create a comprehensive security model that addresses these concerns?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e522c7d and 1550599.

📒 Files selected for processing (1)
  • .github/workflows/prereleaser.yaml (1 hunks)
🔇 Additional comments (1)
.github/workflows/prereleaser.yaml (1)

29-32: ⚠️ Potential issue

Remove security bypass and improve stability in charts job

Critical security and stability issues:

  1. The condition || github.event.name == 'repository_dispatch' creates a security bypass, allowing unverified users to trigger releases through repository_dispatch events.
  2. Using @main reference is unstable.
  3. secrets: inherit violates the principle of least privilege.

Apply this diff to fix these issues:

-    if: ${{ always() && (needs.verify.result == 'success' || github.event.name == 'repository_dispatch') }}
-    uses: signoz/primus.workflows/.github/workflows/releaser.yaml@main
-    secrets: inherit
+    if: ${{ needs.verify.result == 'success' }}
+    uses: signoz/primus.workflows/.github/workflows/[email protected]
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
     needs: 
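Review bot: the added `secrets:` block passes a secret named `GITHUB_TOKEN`, which a reusable workflow cannot declare under `workflow_call.secrets` (secret names beginning with `GITHUB_` are reserved, and the token reaches the called workflow without being passed), and `NPM_TOKEN` appears nowhere else on this page, so the explicit list should be the secret names `releaser.yaml` actually declares rather than these two. The replacement `uses:` line is mangled in this rendering (`[email protected]`), so the intended tag cannot be read off the page; whatever it is, a full commit SHA pins harder than a tag, which can be moved. On the `if:` line, dropping the `github.event.name == 'repository_dispatch'` clause removes no real path: the event-type context is `github.event_name`, so the clause was always false and the charts job was already running only on `needs.verify.result == 'success'`; dropping `always()` with it is fine, since `needs.verify.result == 'success'` alone excludes a failed, cancelled or skipped verify job.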

Let's verify the impact of repository_dispatch events:

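The gating argued for in the comment above, laid out as an added example workflow (this is not the repository's `prereleaser.yaml`): the trigger list, the `prerelease` dispatch type, the `releaser` team slug, the secret names handed to the reusable workflow and the `<release-tag-or-sha>` placeholder are assumptions, because the page shows only fragments of the real file and the pin in the suggested diff is mangled in this rendering. `PRIMUS_APP_ID` and `PRIMUS_PRIVATE_KEY` are the secret names this page references. Two points it makes explicit: the trigger type is read from `github.event_name`, not `github.event.name`, and nothing is special-cased on it, so every trigger passes through the membership job; and `secrets: inherit` is replaced by an explicit list, so the called workflow sees only what it is handed.

```yaml
# Added example, not the project's prereleaser.yaml. PRIMUS_APP_ID and
# PRIMUS_PRIVATE_KEY are the secret names referenced on this page; the event
# types, team slug, passed-through secret names and the pin are assumptions.
name: prereleaser

on:
  workflow_dispatch:
  repository_dispatch:
    types: [prerelease]            # assumed event type

permissions: {}                    # no default token permissions; jobs opt in

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PRIMUS_APP_ID }}
          private-key: ${{ secrets.PRIMUS_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: verify releaser team membership
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          ORG: ${{ github.repository_owner }}
          ACTOR: ${{ github.actor }}        # who triggered or dispatched this run
          EVENT: ${{ github.event_name }}   # trigger type lives here, not in github.event.name
        run: |
          echo "event=${EVENT} actor=${ACTOR}"
          # No per-event skip: a repository_dispatch is checked exactly like a manual run.
          # `run:` steps use bash -eo pipefail, so a 404 from the API or a state other
          # than active fails the step and therefore the job.
          gh api "orgs/${ORG}/teams/releaser/memberships/${ACTOR}" \
            --jq '.state == "active"' | grep -qx true

  charts:
    needs: [verify]
    # success() is implied; a failed, cancelled or skipped verify job blocks this one
    if: ${{ needs.verify.result == 'success' }}
    uses: signoz/primus.workflows/.github/workflows/releaser.yaml@<release-tag-or-sha>
    secrets:
      # explicit list instead of `secrets: inherit`; these names are an assumption
      PRIMUS_APP_ID: ${{ secrets.PRIMUS_APP_ID }}
      PRIMUS_PRIVATE_KEY: ${{ secrets.PRIMUS_PRIVATE_KEY }}
```

The app token minted in `verify` is deliberately not forwarded to `charts` through a job output: the runner drops job outputs that contain a masked value, so the called workflow is given the app credentials and mints its own short-lived token.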
@prashant-shahi prashant-shahi merged commit f78bc6d into main Jan 6, 2025
4 checks passed
@prashant-shahi prashant-shahi deleted the ci/releaser-charts branch January 6, 2025 11:35