Skip to content

fix: update transfer-issue.yml#376

Open
spc-28 wants to merge 1 commit intoasyncapi:masterfrom
spc-28:fix/issue-transfer
Open

fix: update transfer-issue.yml#376
spc-28 wants to merge 1 commit intoasyncapi:masterfrom
spc-28:fix/issue-transfer

Conversation

@spc-28
Copy link

@spc-28 spc-28 commented Dec 17, 2025
edited
Loading

Description

Addresses /ti command permission errors by using secrets.GH_TOKEN instead of secrets.GITHUB_TOKEN (limited to current repo only).

Issue: #344

github-actions[bot]
github-actions bot reviewed Dec 17, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@spc-28 spc-28 changed the title Update transfer-issue.yml fix: update transfer-issue.yml Dec 17, 2025
@Shurtu-gal
Copy link
Collaborator

Shurtu-gal commented Dec 18, 2025

@spc-28 this might work but it was done like this in #342 probably due to security reason or due to it not working with GH_TOKEN as well.

@spc-28
Copy link
Author

spc-28 commented Dec 18, 2025

@Shurtu-gal then i think we should try, GitHub App token that is more secure and organization managed, but requires one time GitHub App setup by org admins

@Shurtu-gal
Copy link
Collaborator

Shurtu-gal commented Dec 18, 2025

I don't understand how does that manage to make this more secure?

1 similar comment
@Shurtu-gal
Copy link
Collaborator

Shurtu-gal commented Dec 18, 2025

I don't understand how does that manage to make this more secure?

@spc-28
Copy link
Author

spc-28 commented Dec 18, 2025

Like instead of using a token tied to a specific account or user, we use an org owned app that only has the permissions we define and doesn’t depend on any user and can be installed to any repo
And also currently i think both GITHUB_TOKEN and GH_TOKEN have permission/scope limitations causing this transfer issue

@Shurtu-gal
Copy link
Collaborator

Shurtu-gal commented Dec 19, 2025

GH_TOKEN has the requisite permission but the workflow itself becomes a large attack surface.

@spc-28
Copy link
Author

spc-28 commented Dec 20, 2025

While reviewing the workflow, I noticed a few areas where we could add some safeguards.
For example, at the moment anyone can trigger the /ti command, if a random user comments /ti on any issue in a repo, the workflow runs without checking whether they’re authorized to do so.

There are a few other similar points as well. They’re not major issues right now, but addressing them could help make the workflow more secure and future proof.

Let me know what you think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@derberg derberg Awaiting requested review from derberg derberg is a code owner

@Florence-Njeri Florence-Njeri Awaiting requested review from Florence-Njeri Florence-Njeri is a code owner

@Shurtu-gal Shurtu-gal Awaiting requested review from Shurtu-gal Shurtu-gal is a code owner

@asyncapi-bot-eve asyncapi-bot-eve Awaiting requested review from asyncapi-bot-eve asyncapi-bot-eve is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@spc-28 @Shurtu-gal