From 9bdc535bc01c413ae520783cb47df54bcb73f90d Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 22 Apr 2026 11:42:21 +0100 Subject: [PATCH 1/2] Replace KICS_BOT_PAT with GitHub App token generation in workflows --- .../alert-update-terraform-modules.yaml | 8 ++++++- .github/workflows/check-apache-license.yaml | 8 ++++++- .../workflows/go-generate-antlr-parser.yaml | 8 ++++++- .github/workflows/mkdocs.yml | 9 +++++++- .github/workflows/prepare-release.yaml | 8 ++++++- .github/workflows/release-dkr-image.yml | 9 +++++++- .../release-docker-github-actions.yaml | 8 ++++++- .github/workflows/release-nightly.yml | 20 ++++++++++++++--- .github/workflows/release.yml | 11 ++++++++-- .github/workflows/update-docs-queries.yaml | 8 ++++++- .github/workflows/update-infra-version.yaml | 10 +++++++-- .github/workflows/update-install-script.yaml | 8 ++++++- .../workflows/update_software_versions.yml | 8 ++++++- .github/workflows/validate-issues.yaml | 22 ++++++++++++++----- .github/workflows/validate-prs.yaml | 20 +++++++++++++---- release/.goreleaser.yml | 2 +- test/fixtures/analyzer_test/github.yaml | 10 +++++++-- 17 files changed, 148 insertions(+), 29 deletions(-) diff --git a/.github/workflows/alert-update-terraform-modules.yaml b/.github/workflows/alert-update-terraform-modules.yaml index bcef86d4099..c419bfe5d9a 100644 --- a/.github/workflows/alert-update-terraform-modules.yaml +++ b/.github/workflows/alert-update-terraform-modules.yaml 
@@ -24,11 +24,17 @@ jobs: python3 -u .github/scripts/watchers/terraform-modules-update.py \ -c assets/libraries/common.json \ -u https://registry.terraform.io/v1/modules + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "feat(queries): update terraform registry data on commons.json" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "feat(queries): update terraform registry data on commons.json" delete-branch: true branch: feature/kicsbot-update-queries-docs diff --git a/.github/workflows/check-apache-license.yaml b/.github/workflows/check-apache-license.yaml index 2fb3474e74a..81a98b11053 100644 --- a/.github/workflows/check-apache-license.yaml +++ b/.github/workflows/check-apache-license.yaml @@ -31,6 +31,12 @@ jobs: else echo "TAG_EXISTS=false" >> $GITHUB_ENV fi + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Delete comment if license is fixed if: env.TAG_EXISTS == 'true' uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa @@ -39,7 +45,7 @@ jobs: Deleting comment... comment-tag: apache_license mode: delete - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Add comment if no license if: env.CHECK_FAILED == 'true' uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa 
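Review bot: The new token step issues an installation token that carries every permission the app holds, while the create-pull-request step it feeds needs only contents and pull-requests write; `actions/create-github-app-token` accepts `permission-contents: write` and `permission-pull-requests: write` under `with:` to narrow the issued token to exactly that. The same applies to every `Generate KICS Bot token` step in this series — the comment-only steps in check-apache-license, validate-issues and validate-prs presumably need no more than pull-requests or issues write, and the Teams-card steps in mkdocs, release-dkr-image and release-nightly presumably need read access only. The version comment `#v3.1.1` also lacks the space that the neighbouring `# v6` and `# v4.2.2` pins use; `# v3.1.1` matches the file's style and yamllint's comments rule.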
diff --git a/.github/workflows/go-generate-antlr-parser.yaml b/.github/workflows/go-generate-antlr-parser.yaml index 6e543d9ebd3..d1cde7af08d 100644 --- a/.github/workflows/go-generate-antlr-parser.yaml +++ b/.github/workflows/go-generate-antlr-parser.yaml @@ -25,11 +25,17 @@ jobs: - name: Generate Parser run: | docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser/jsonfilter:/work -it antlr4-generator:dev + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "chore(parser): updating AWS jsonfilter ANTLR generated parser" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "chore(parser): updating AWS jsonfilter ANTLR generated parser" delete-branch: true branch: feature/kicsbot-update-jsonfilter-parser diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index 38cd8e8e116..39f9f32e662 100644 --- a/.github/workflows/mkdocs.yml +++ b/.github/workflows/mkdocs.yml @@ -14,10 +14,17 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Generate KICS Bot token + id: kics-bot-token + if: always() + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_KICS_CLIENT_ID }} + private-key: ${{ secrets.GH_KICS_APPLICATION_KEY }} - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 if: always() with: - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} card-layout-start: cozy card-layout-exit: complete 
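Review bot: The mkdocs.yml token step reads `vars.GH_KICS_CLIENT_ID` and `secrets.GH_KICS_APPLICATION_KEY`, while every other workflow in this series uses `vars.GH_APP_KICSAPP_CLIENT_ID` and `secrets.GH_APP_KICSAPP_PRIVATE_KEY`. Unless a second app is intentionally configured for docs, these names will resolve to empty strings, the token step will fail, and because the Teams-card step runs with `if: always()` it will then be called with an empty `github-token`. Aligning the two lines to `client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}` and `private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}` removes the divergence.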
diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index e1af7bab05c..213a3d71611 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -26,11 +26,17 @@ jobs: sed -E -i "s/

Version \d+(\.\d+)*<\/h4>/

Version ${{ github.event.inputs.version }}<\/h4>/" docs/index.md sed -E -i "s/()[0-9]{4}\.[0-9]{2}\.[0-9]{2}

/\1${{ steps.cdate.outputs.date }}

/" docs/index.md sed -E -i "s/()/\1v${{ github.event.inputs.version }}\2${{ github.event.inputs.version }}\3/g" docs/index.md + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create pull request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "docs(kicsbot): preparing for release ${{ github.event.inputs.version }}" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "docs(kicsbot): preparing for release ${{ github.event.inputs.version }}" delete-branch: true branch: feature/kicsbot-update-docs-index diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml index c0913fa246e..ceb5cdea443 100644 --- a/.github/workflows/release-dkr-image.yml +++ b/.github/workflows/release-dkr-image.yml @@ -21,10 +21,17 @@ jobs: id: get-version run: | echo "::set-output name=version::$(git describe --match='v*' --tags --abbrev=0)" + - name: Generate KICS Bot token + id: kics-bot-token + if: always() + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 if: always() with: - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} card-layout-start: cozy card-layout-exit: complete diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml index b3fa178d047..6130f784a52 100644 --- a/.github/workflows/release-docker-github-actions.yaml 
+++ b/.github/workflows/release-docker-github-actions.yaml @@ -69,11 +69,17 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "docs(kicsbot): update images digest" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "docs(kicsbot): update github-action image digest" delete-branch: true branch: feature/kicsbot-update-gh-actions-digest diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 83d31a15e58..327298e6ecf 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -31,10 +31,17 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Generate KICS Bot token + id: kics-bot-token + if: always() + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 if: always() with: - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} card-layout-start: cozy card-layout-exit: complete 
@@ -129,10 +136,17 @@ jobs: steps: - name: Check out the repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Generate KICS Bot token + id: kics-bot-token + if: always() + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 if: always() with: - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} card-layout-start: cozy card-layout-exit: complete @@ -236,7 +250,7 @@ jobs: uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "docs(kicsbot): update images digest" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "docs(kicsbot): update images digest" delete-branch: true branch: feature/kicsbot-update-queries-docs diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8bcbb42e6ca..91f44bb7181 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,10 +13,17 @@ # uses: actions/checkout@v2.3.4 # with: # fetch-depth: 0 +# - name: Generate KICS Bot token +# id: kics-bot-token +# if: always() +# uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 +# with: +# client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} +# private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} # - uses: toko-bifrost/ms-teams-deploy-card@master # if: always() # with: -# github-token: ${{ secrets.KICS_BOT_PAT }} +# github-token: ${{ steps.kics-bot-token.outputs.token }} # webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} # card-layout-start: cozy # card-layout-exit: complete 
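Review bot: The create-pull-request step in the `@@ -236,7 +250,7 @@` hunk now reads `steps.kics-bot-token.outputs.token`, but the diffstat for release-nightly.yml accounts for only the two token steps added at +31 and +136. Step outputs are visible only within the same job, so if the step at line 250 belongs to a different job from the one that starts at line 136 the expression resolves to an empty string and the PR creation loses its credential; that job would then need its own `Generate KICS Bot token` step. The enclosing job of that hunk starts outside the visible lines, so this is a point to verify rather than a confirmed defect.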
@@ -38,6 +45,6 @@ # args: release --rm-dist --timeout 120m # env: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# KICS_BOT_PAT: ${{ secrets.KICS_BOT_PAT }} +# KICS_BOT_TOKEN: ${{ steps.kics-bot-token.outputs.token }} # SENTRY_DSN: ${{ secrets.SENTRY_DSN }} # DESCRIPTIONS_URL: ${{ secrets.DESCRIPTIONS_URL }} diff --git a/.github/workflows/update-docs-queries.yaml b/.github/workflows/update-docs-queries.yaml index 1fa55cd7785..0afbf817052 100644 --- a/.github/workflows/update-docs-queries.yaml +++ b/.github/workflows/update-docs-queries.yaml @@ -38,11 +38,17 @@ jobs: -f md \ --t .github/scripts/docs-generator/query-page-generator/templates/query-page-template.md \ --df + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "docs(queries): update queries catalog" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "docs(queries): update queries catalog" delete-branch: true branch: feature/kicsbot-update-queries-docs diff --git a/.github/workflows/update-infra-version.yaml b/.github/workflows/update-infra-version.yaml index d5a2dd69083..7871469e3eb 100644 --- a/.github/workflows/update-infra-version.yaml +++ b/.github/workflows/update-infra-version.yaml 
@@ -15,15 +15,21 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Update Terraform Cloud Integration uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} repository: ${{ secrets.TFC_REPO_PATH }} event-type: new-release - name: Update Infra uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} repository: ${{ secrets.INFRA_REPO }} event-type: new-release diff --git a/.github/workflows/update-install-script.yaml b/.github/workflows/update-install-script.yaml index 0ca5c054c36..5dc4dec0006 100644 --- a/.github/workflows/update-install-script.yaml +++ b/.github/workflows/update-install-script.yaml @@ -49,11 +49,17 @@ jobs: shell: python3 {0} - name: Update install.sh run: ./.bin/godownloader --repo Checkmarx/kics <(echo ${{ steps.outputs.filter.goreleaser }}) > install.sh + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "chore(install): update install script" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} delete-branch: true commit-message: "chore(install): update install script" branch: feature/kicsbot-update-install-script 
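Review bot: Both repository-dispatch steps in the update-infra-version hunk target other repositories (`secrets.TFC_REPO_PATH` and `secrets.INFRA_REPO`), but the token step sets neither `owner` nor `repositories`, and without them `actions/create-github-app-token` scopes the token to the current repository only. The dispatches would then be rejected, which the PAT they replace did not suffer from. The step should list the target repositories, e.g. `owner: <org-placeholder>` and `repositories: <tfc-repo-placeholder>, <infra-repo-placeholder>` (the app must also be installed on them with contents write, which repository_dispatch requires).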
diff --git a/.github/workflows/update_software_versions.yml b/.github/workflows/update_software_versions.yml index 56af42fa0c2..29194cd0e43 100644 --- a/.github/workflows/update_software_versions.yml +++ b/.github/workflows/update_software_versions.yml @@ -23,12 +23,18 @@ jobs: with: files: | *.json + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Create pull request if: steps.verify-changed-files.outputs.files_changed == 'true' uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6 with: title: "build(deps): updating software versions" - token: ${{ secrets.KICS_BOT_PAT }} + token: ${{ steps.kics-bot-token.outputs.token }} commit-message: "build(deps): updating software versions to new release" delete-branch: true branch: feature/kicsbot-software-versions diff --git a/.github/workflows/validate-issues.yaml b/.github/workflows/validate-issues.yaml index 144a08ff0bb..f7ddc503840 100644 --- a/.github/workflows/validate-issues.yaml +++ b/.github/workflows/validate-issues.yaml 
@@ -29,11 +29,17 @@ jobs: run: | regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py) echo "Title regex: $regex" - echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV) + echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV) + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Check for comment tag if: env.TITLE_CHECK_FAILED != 'true' run: | - comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \ + comments=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" \ -X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments") if echo "$comments" | grep -q "title_check"; then echo "TAG_EXISTS=true" >> $GITHUB_ENV @@ -48,7 +54,7 @@ jobs: Deleting comment, please refresh the page... comment-tag: title_check mode: delete - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Add comment if title fails if: env.TITLE_CHECK_FAILED == 'true' uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa @@ -57,7 +63,7 @@ jobs: comment-tag: title_check mode: recreate create-if-not-exists: true - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Workflow failed if: env.TITLE_CHECK_FAILED == 'true' run: exit 1 
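Review bot: The rewritten grep line in the first hunk shows no visible difference from the removed one, so it is presumably a whitespace-only change that can be dropped to keep the patch focused on the token migration. Separately, the token is still spliced into the shell script via `${{ steps.kics-bot-token.outputs.token }}` inside the `run:` block (here and in the matching validate-prs hunks); the action masks the generated token in logs, but passing it through `env:` as `GH_TOKEN: ${{ steps.kics-bot-token.outputs.token }}` and using `"Authorization: token $GH_TOKEN"` keeps it out of the generated script and is the usual pattern.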
@@ -79,9 +85,15 @@ jobs: run: sudo apt-get install jq - name: Get username run: echo "USERNAME=${{ github.event.issue.user.login }}" >> $GITHUB_ENV + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Check user username run: | - response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") + response=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") team_members=$(echo "$response" | jq -r '.[].login') if echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then echo "Contributor belongs to Checkmarx organization" diff --git a/.github/workflows/validate-prs.yaml b/.github/workflows/validate-prs.yaml index 130238291d1..1e649d8f24c 100644 --- a/.github/workflows/validate-prs.yaml +++ b/.github/workflows/validate-prs.yaml 
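Review bot: The membership check calls `GET /orgs/Checkmarx/teams/kics/members`, which needs the organization-level Members read permission on the app installation; a PAT with `read:org` had that implicitly, but an installation token only carries it if the app has been granted it, and the token step here does not request a permission narrowing either. If it is missing, the API returns an error object rather than a list, `jq -r '.[].login'` yields nothing, and the contributor is treated as external without any visible failure. The same applies to the second validate-prs job in the next hunk, so the app's org permissions should be verified against this endpoint.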
@@ -34,10 +34,16 @@ jobs: regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py) echo "Title regex: $regex" echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV) + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Check for comment tag if: env.TITLE_CHECK_FAILED != 'true' run: | - comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \ + comments=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" \ -X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments") if echo "$comments" | grep -q "title_check"; then echo "TAG_EXISTS=true" >> $GITHUB_ENV @@ -52,7 +58,7 @@ jobs: Deleting comment, please refresh the page... comment-tag: title_check mode: delete - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Add comment if title fails if: env.TITLE_CHECK_FAILED == 'true' uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa @@ -61,7 +67,7 @@ jobs: comment-tag: title_check mode: recreate create-if-not-exists: true - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Workflow failed if: env.TITLE_CHECK_FAILED == 'true' run: exit 1 
@@ -83,9 +89,15 @@ jobs: run: echo "USERNAME=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV - name: Install JQ run: sudo apt-get install jq + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Check user username run: | - response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") + response=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members") team_members=$(echo "$response" | jq -r '.[].login') if [[ "$USERNAME" == "dependabot[bot]" ]] || echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then echo "Contributor belongs to Checkmarx organization." diff --git a/release/.goreleaser.yml b/release/.goreleaser.yml index aaf8dc3b0c4..5b2c2109eea 100644 --- a/release/.goreleaser.yml +++ b/release/.goreleaser.yml @@ -41,7 +41,7 @@ brews: - tap: owner: checkmarx name: homebrew-tap - token: "{{ .Env.KICS_BOT_PAT }}" + token: "{{ .Env.KICS_BOT_TOKEN }}" folder: Formula homepage: https://github.com/Checkmarx/kics description: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC diff --git a/test/fixtures/analyzer_test/github.yaml b/test/fixtures/analyzer_test/github.yaml index b0b65a272d5..88fcaa8828e 100644 --- a/test/fixtures/analyzer_test/github.yaml +++ b/test/fixtures/analyzer_test/github.yaml 
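Review bot: The `.goreleaser.yml` hunk switches the brew tap credential to `{{ .Env.KICS_BOT_TOKEN }}`, but the only place in this series that exports `KICS_BOT_TOKEN` is the commented-out block in release.yml, so whichever active workflow runs goreleaser must set `KICS_BOT_TOKEN: ${{ steps.kics-bot-token.outputs.token }}` in its `env:` or the Homebrew push loses its credential. That push also targets the `checkmarx/homebrew-tap` repository, so the token step feeding it needs `owner: checkmarx` and `repositories: homebrew-tap` (plus the current repo if the same token is reused), because the action otherwise scopes the token to the repository the workflow runs in.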
@@ -19,6 +19,12 @@ jobs: - name: Check for Apache License run: | echo "$BODY" | grep -iPq "I submit this contribution under the Apache-2.0 license." || echo "CHECK_FAILED=true" >> $GITHUB_ENV + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Delete comment if license is fixed if: env.CHECK_FAILED != 'true' uses: thollander/actions-comment-pull-request@v2 @@ -27,7 +33,7 @@ jobs: Deleting comment... comment_tag: apache_license mode: delete - GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} + GITHUB_TOKEN: ${{ steps.kics-bot-token.outputs.token }} - name: Add comment if no license if: env.CHECK_FAILED == 'true' uses: thollander/actions-comment-pull-request@v2 @@ -36,7 +42,7 @@ jobs: comment_tag: apache_license mode: recreate create_if_not_exists: true - GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} + GITHUB_TOKEN: ${{ steps.kics-bot-token.outputs.token }} - name: Workflow failed if: env.CHECK_FAILED == 'true' run: exit 1 From 9250fa73e01469b5ad3fafa3957da8a9ef9f2b1a Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:25:07 +0100 Subject: [PATCH 2/2] Replace KICS_BOT_PAT with GitHub App token generation in check-apache-licence workflow --- .github/workflows/check-apache-license.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/check-apache-license.yaml b/.github/workflows/check-apache-license.yaml index 81a98b11053..65d2afd5886 100644 --- a/.github/workflows/check-apache-license.yaml +++ b/.github/workflows/check-apache-license.yaml 
@@ -21,22 +21,22 @@ jobs: if: env.USERNAME != 'kicsbot' && env.USERNAME != 'dependabot[bot]' run: | echo "$BODY" | grep -iPq "^I submit this contribution under the Apache-2.0 license.$" || echo "CHECK_FAILED=true" >> $GITHUB_ENV + - name: Generate KICS Bot token + id: kics-bot-token + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + with: + client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Check for comment tag if: env.CHECK_FAILED != 'true' run: | - comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \ + comments=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" \ -X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments") if echo "$comments" | grep -q "apache_license"; then echo "TAG_EXISTS=true" >> $GITHUB_ENV else echo "TAG_EXISTS=false" >> $GITHUB_ENV fi - - name: Generate KICS Bot token - id: kics-bot-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 - with: - client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }} - private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }} - name: Delete comment if license is fixed if: env.TAG_EXISTS == 'true' uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa @@ -54,7 +54,7 @@ jobs: comment-tag: apache_license mode: recreate create-if-not-exists: true - github-token: ${{ secrets.KICS_BOT_PAT }} + github-token: ${{ steps.kics-bot-token.outputs.token }} - name: Workflow failed if: env.CHECK_FAILED == 'true' run: exit 1
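Review bot: The guard `if: env.USERNAME != 'kicsbot' && env.USERNAME != 'dependabot[bot]'` at the top of the hunk still keys on the PAT owner's login, yet pull requests opened by create-pull-request with an app installation token are authored by the app's bot identity (presumably `<app-slug>[bot]`), so bot-generated PRs will now go through the Apache-license body check and fail it. The condition should be extended with the app's bot login, e.g. `if: env.USERNAME != 'kicsbot' && env.USERNAME != '<app-slug-placeholder>[bot]' && env.USERNAME != 'dependabot[bot]'`, keeping `kicsbot` only while any PAT-era PRs remain open. Moving the token step ahead of `Check for comment tag` resolves the ordering issue in the first patch, so nothing further is needed there.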