
Commit 2e04a50

meysholdt and ona-agent committed
Use GITHUB_TOKEN env var instead of gh auth login
Avoids read:org scope requirement. Token is extracted from git credential helper, saved to /tmp/.gh-token, and passed inline.

Co-authored-by: Ona <no-reply@ona.com>
1 parent a464ee1 commit 2e04a50

2 files changed

Lines changed: 6 additions & 6 deletions

.ona/fix-codescan-alert.yaml

Lines changed: 3 additions & 3 deletions
@@ -17,14 +17,14 @@ action:
1717
command -v gh && exit 0
1818
curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
1919
sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
20-
# Step 2: Authenticate gh using the git credential helper
20+
# Step 2: Export GITHUB_TOKEN from git credential helper
2121
- task:
2222
command: |
23-
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' | gh auth login --with-token
23+
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' > /tmp/.gh-token
2424
# Step 3: Fetch the highest-severity open code scanning alert
2525
- task:
2626
command: |
27-
gh api repos/{owner}/{repo}/code-scanning/alerts \
27+
GITHUB_TOKEN=$(cat /tmp/.gh-token) gh api repos/{owner}/{repo}/code-scanning/alerts \
2828
--jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]' \
2929
> /tmp/codescan-alert.json
3030
cat /tmp/codescan-alert.json
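
Review bot: the added line 23 writes the token to /tmp/.gh-token through a plain `>` redirect, so the file is created with whatever the default umask allows in a directory shared by every local user, and nothing in this hunk deletes it after step 3 has read it. Set `umask 077` in the task before the redirect (or create the file with `mktemp` in a private directory) and remove it once the `gh api` call in step 3 has finished. If the tasks can share a shell, the file is unnecessary: run the `git credential fill | awk` pipeline in a command substitution and assign it to GITHUB_TOKEN on the same line as `gh api`, so the token never touches disk.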

.ona/fix-dependabot-alert.yaml

Lines changed: 3 additions & 3 deletions
@@ -17,14 +17,14 @@ action:
1717
command -v gh && exit 0
1818
curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
1919
sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
20-
# Step 2: Authenticate gh using the git credential helper
20+
# Step 2: Export GITHUB_TOKEN from git credential helper
2121
- task:
2222
command: |
23-
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' | gh auth login --with-token
23+
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' > /tmp/.gh-token
2424
# Step 3: Fetch the highest-severity open Dependabot alert
2525
- task:
2626
command: |
27-
gh api repos/{owner}/{repo}/dependabot/alerts \
27+
GITHUB_TOKEN=$(cat /tmp/.gh-token) gh api repos/{owner}/{repo}/dependabot/alerts \
2828
--jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]' \
2929
> /tmp/dependabot-alert.json
3030
cat /tmp/dependabot-alert.json
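
Review bot: the added line 23 uses the fixed, predictable path /tmp/.gh-token and does not check that the pipeline produced anything, so a file or symlink already present at that path is written through, and an empty result from `git credential fill` only shows up later as a failed `gh api` call in step 3. Fail the step when the token is empty (for example `[ -s /tmp/.gh-token ] || exit 1` after the write) and use a per-run path instead of a fixed name. This is the same token-handling pair as in .ona/fix-codescan-alert.yaml, and the file name is shared between both workflows, so factoring the step into one shared task would keep any hardening in a single place.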
