
.github/workflows: fix expired token in publishing images#522

Merged
mostlygeek merged 1 commit into main from fix-container-publish
Feb 14, 2026

Conversation

Owner

@mostlygeek mostlygeek commented Feb 14, 2026

Fixes: #517

Summary by CodeRabbit

  • Chores
    • Configured GitHub Actions workflow permissions to enhance security for container registry operations.


coderabbitai bot commented Feb 14, 2026

Walkthrough

Adds a permissions block to the GitHub Actions workflow file, granting GITHUB_TOKEN read access to contents and write access to packages and id-token. No changes to triggers, steps, or other workflow configuration.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Permissions (.github/workflows/containers.yml) | Added permissions block to grant GITHUB_TOKEN permissions: contents: read, packages: write, id-token: write.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1
❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Title check | ⚠️ Warning | The title mentions 'expired token' but the change only adds permissions to the workflow; it doesn't fix an existing expired token issue. | Revise the title to accurately reflect the change, such as '.github/workflows: add token permissions for container publishing' or '.github/workflows: configure GITHUB_TOKEN permissions for publishing'.
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main


No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
.github/workflows/containers.yml (1)

20-25: Is id-token: write actually needed here?

The contents: read and packages: write permissions are clearly required for checkout and GHCR publishing respectively. However, id-token: write is typically needed for OIDC token requests (e.g., Sigstore cosign keyless signing, cloud provider auth via OIDC). None of the current workflow steps appear to consume an OIDC token.

If it's not needed, consider removing it to follow the principle of least privilege.

Suggested diff
 permissions:
   contents: read
   packages: write
-  id-token: write
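Review bot: dropping `id-token: write` is correct only if no step in containers.yml requests an OIDC token; the comment says none of the current steps appear to, but the workflow's steps are not shown in this thread, so confirm there is no cosign keyless signing or cloud-provider OIDC login step before applying the suggestion. If such a step is added later, grant `id-token: write` on that job alone rather than at workflow level, so the block shown here stays at `contents: read` and `packages: write`.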

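As an added example (not the project's containers.yml, whose steps this PR does not show), this is the least-privilege layout the nitpick above points toward, generalized to job-level permissions: the publishing job gets only `contents: read` and `packages: write`, and `id-token: write` exists solely on a separate signing job that actually requests an OIDC token for cosign keyless signing. The action names and versions, the tag trigger, and the image name are assumptions.

```yaml
# Assumed example workflow, not llama-swap's containers.yml: one job publishes
# to GHCR with the minimum GITHUB_TOKEN scopes, a second job is the only place
# id-token: write is granted, because it is the only one that uses OIDC.
name: containers

on:
  push:
    tags: ["v*"]

# Workflow-level default applied to every job that does not override it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # actions/checkout
      packages: write    # push to ghcr.io with GITHUB_TOKEN
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}

  sign:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      packages: write    # cosign stores the signature in the registry
      id-token: write    # OIDC token for keyless signing; not granted to build
    steps:
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Sign by digest so the signature binds to the exact image that was pushed.
      - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ needs.build.outputs.digest }}
```

A job-level `permissions` block replaces the workflow-level one entirely, so the build job never receives `id-token: write` even though the signing job does.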

@mostlygeek mostlygeek merged commit 17e5263 into main Feb 14, 2026
6 of 8 checks passed
@mostlygeek mostlygeek deleted the fix-container-publish branch February 14, 2026 18:06
rohitpaul pushed a commit to rohitpaul/llama-swap that referenced this pull request Mar 29, 2026

Development

Successfully merging this pull request may close these issues.

Cannot pull docker image anymore

1 participant