chore(IDX): standardize token usage (#4074)

This PR makes two changes: - remove workflow permissions where a GitHub token is used (the workflow permissions are not required and only cause confusion) - standardize how we reference the github token -> we specify it during the checkout step so it is automatically used for the rest of the workflow. It is not required to re-specify the token using the `GH_TOKEN` env var in later steps Tested all the workflows and they work, including the container image update workflow. --------- Co-authored-by: IDX GitHub Automation <>
dfinity · Feb 25, 2025 · f942097 · f942097
1 parent 9dd04a5
commit f942097
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 17 deletions.
diff --git a/.github/workflows-source/ci-pr-only.yml b/.github/workflows-source/ci-pr-only.yml
@@ -69,8 +69,6 @@ jobs:
     name: Lock Generate
     <<: *dind-small-setup
     <<: *skip-merge-group
-    permissions:
-      pull-requests: write
     env:
       CI_EVENT_NAME: ${{ github.event_name }}
     steps:

diff --git a/.github/workflows/ci-generate-ci.yml b/.github/workflows/ci-generate-ci.yml
@@ -12,9 +12,6 @@ on:
 env:
   CI_PROJECT_DIR: ${{ github.workspace }}
 
-permissions:
-  pull-requests: write
-
 jobs:
   generate-ci:
     name: Generate CI

diff --git a/.github/workflows/ci-pr-only.yml b/.github/workflows/ci-pr-only.yml
@@ -54,8 +54,6 @@ jobs:
       options: >-
         -e NODE_NAME
     if: ${{ github.event_name != 'merge_group' }}
-    permissions:
-      pull-requests: write
     env:
       CI_EVENT_NAME: ${{ github.event_name }}
     steps:

diff --git a/.github/workflows/container-base-images.yml b/.github/workflows/container-base-images.yml
@@ -18,16 +18,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-permissions:
-  pull-requests: write
-  packages: write
-  contents: write
-
 jobs:
   build-base-image:
     name: Build Base Container Image
     runs-on: ubuntu-latest
     timeout-minutes: 45
+    permissions:
+      packages: write
+      contents: write
     strategy:
       matrix:
         include:
@@ -119,6 +117,8 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Get Current Date
         id: date
@@ -142,7 +142,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
-          token: ${{ steps.app-token.outputs.token }}
           base: master
           branch: base-image-refs-update-${{ env.DATE }}
           delete-branch: true

diff --git a/.github/workflows/update-mainnet-revisions.yaml b/.github/workflows/update-mainnet-revisions.yaml
@@ -28,8 +28,6 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Update IC versions file
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -eEuxo pipefail
 
@@ -63,8 +61,6 @@ jobs:
           version: 2.53.0
 
       - name: Update Mainnet canisters file
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -eEuxo pipefail