
Refactor CodeRabbit approval handler to use external labeller token f…#70

Open
kpj2006 wants to merge 1 commit into AOSSIE-Org:main from kpj2006:coderabbit_approve

Conversation


@kpj2006 kpj2006 commented Feb 17, 2026

…or GitHub actions

Addressed Issues:

Screenshots/Recordings:

Additional Notes:

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • Chores
    • Updated internal workflow configuration to enhance authentication reliability with improved fallback mechanism.


coderabbitai bot commented Feb 17, 2026

Walkthrough

This PR modifies the GitHub workflow authentication mechanism by replacing secrets.GITHUB_TOKEN with secrets.EXTERNAL_LABELLER_TOKEN || secrets.GITHUB_TOKEN across four workflow steps. The fallback ensures the workflow uses the original token if the external labeller token is unavailable.

Changes

Cohort / File(s) | Summary
GitHub Workflow Authentication (.github/workflows/coderabbit-approval.yml) | Substituted GitHub token source with fallback logic (EXTERNAL_LABELLER_TOKEN || GITHUB_TOKEN) in four steps: "Check if CodeRabbit approved", "Remove pending CodeRabbit review label", "Add CodeRabbit approved label", and "Summary". No control flow changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Suggested reviewers

  • Zahnentferner

Poem

🐰 A token here, a token there,
With fallback magic in the air!
When one's not found, we hop with grace,
To the next one in the race! ✨

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: refactoring the CodeRabbit approval handler to use an external labeller token in GitHub Actions.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/coderabbit-approval.yml (2)

114-118: 🧹 Nitpick | 🔵 Trivial

Summary step doesn't need the elevated token.

This step only writes to console.log — it makes no GitHub API calls. Using the PAT here unnecessarily widens the attack surface. Consider keeping secrets.GITHUB_TOKEN (or omitting github-token entirely) for this step.

Proposed fix
       - name: Summary
         if: steps.check-approval.outputs.is_coderabbit_approved == 'true'
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.EXTERNAL_LABELLER_TOKEN || secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
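Review bot: the replacement line still passes a github-token input that merely restates the action's default. Since actions/github-script uses `${{ github.token }}` when no github-token input is given, dropping the line entirely (the comment's own second option) is the cleaner fix and makes it obvious on inspection that this step needs no credential beyond the default; the `if:` and `script: |` context lines are unchanged either way.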
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/coderabbit-approval.yml around lines 114 - 118, The
"Summary" workflow step currently passes an elevated token via the github-token
input to actions/github-script; remove the unnecessary elevated PAT by either
deleting the github-token line or changing it to use the default
secrets.GITHUB_TOKEN (i.e., stop passing secrets.EXTERNAL_LABELLER_TOKEN ||
secrets.GITHUB_TOKEN), so the Summary step (which only console.logs) runs
without the elevated token.

7-10: ⚠️ Potential issue | 🟠 Major

PAT bypasses the workflow's permissions block.

The permissions declaration (lines 7–10) only constrains the auto-generated GITHUB_TOKEN. When EXTERNAL_LABELLER_TOKEN is a PAT, it carries its own scopes and ignores this block entirely, so the principle-of-least-privilege intent is silently lost.

Mitigations to consider:

  1. Document clearly what scopes EXTERNAL_LABELLER_TOKEN must be created with (ideally only public_repo or fine-grained with pull_requests:write + issues:write).
  2. Add a comment in the workflow noting that permissions does not govern the PAT.

Also applies to: 21-21

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/coderabbit-approval.yml around lines 7 - 10, The
workflow's permissions block (permissions: contents/read, pull-requests/write,
issues/write) only applies to the auto-generated GITHUB_TOKEN and is bypassed if
EXTERNAL_LABELLER_TOKEN is a PAT; update the workflow to (1) add an inline
comment above the permissions block and next to the EXTERNAL_LABELLER_TOKEN
reference explicitly stating that PATs ignore the permissions block and carry
their own scopes, and (2) document (in the workflow comments or repository
CONTRIBUTING/SECURITY docs) the minimal required scopes for
EXTERNAL_LABELLER_TOKEN (e.g., public_repo or fine-grained tokens with
pull_requests:write and issues:write) so token creators know the least-privilege
requirements.
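An added sketch, not the project's workflow file, of how the review's two mitigations (an inline note that the permissions block does not govern a PAT, and the Summary step running without the elevated token) could look in coderabbit-approval.yml; only the check and Summary steps are shown, and the trigger, job layout, bot login and script bodies are assumptions.

```yaml
# Added example, not the project's workflow file: a sketch of
# coderabbit-approval.yml with the review's mitigations applied. Trigger,
# job layout, bot login and script bodies are assumptions.
name: CodeRabbit approval handler

on:
  pull_request_review:
    types: [submitted]

# Scopes ONLY the auto-generated GITHUB_TOKEN. A PAT in
# EXTERNAL_LABELLER_TOKEN carries its own scopes and is NOT restricted by
# this block; create it with just pull_requests:write + issues:write.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  label-on-approval:
    runs-on: ubuntu-latest
    steps:
      - name: Check if CodeRabbit approved
        id: check-approval
        uses: actions/github-script@v7
        with:
          # Elevated token only where an API call needs it; the fallback
          # keeps the workflow working when the secret is not set.
          github-token: ${{ secrets.EXTERNAL_LABELLER_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
            const { data: reviews } = await github.rest.pulls.listReviews({
              owner: context.repo.owner, repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            const ok = reviews.some(r =>   // bot login is assumed
              r.user.login === 'coderabbitai[bot]' && r.state === 'APPROVED');
            core.setOutput('is_coderabbit_approved', String(ok));

      - name: Summary
        if: steps.check-approval.outputs.is_coderabbit_approved == 'true'
        uses: actions/github-script@v7
        with:
          # No API call here, so no github-token input: actions/github-script
          # falls back to the default github.token when the input is omitted.
          script: |
            console.log('CodeRabbit approval label applied');
```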
