ci: upgrade cagent-action to v1.4.3 with OIDC-based credential fetching#13774

Closed
zampani-docker wants to merge 1 commit intomainfrom
zampani/upgrade-cagent-action-oidc

Conversation

@zampani-docker

Summary

  • Bumps docker/cagent-action from v1.3.1 to v1.4.3 (pinned to ec4865576952df6285652f2cf8ffb4ad45ff5f80)
  • Removes all explicitly passed secrets — ANTHROPIC_API_KEY, CAGENT_ORG_MEMBERSHIP_TOKEN, CAGENT_REVIEWER_APP_ID, and CAGENT_REVIEWER_APP_PRIVATE_KEY are all now fetched automatically inside the called workflow via OIDC from AWS Secrets Manager
  • Adds id-token: write (required for the OIDC token exchange in setup-credentials) and actions: read (required for cross-workflow_run artifact download in the feedback loop), both scoped to the review job only
  • Drops the now-empty secrets: block entirely

Test plan

  • Merge this PR and verify the next auto-review run on a new PR completes successfully (all credentials fetched via OIDC)
  • Verify none of the removed secrets need to remain provisioned in this repo's secret store

PR description drafted by Claude Code.
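The caller side of the change the summary describes, written out as an added illustration rather than the repository's actual workflow file: the reusable-workflow path, job name and trigger are placeholders I assumed, while the SHA, tag, secret names and permissions are the ones quoted in the PR.

```yaml
# Added illustration, not the repository's own workflow.
# Assumptions: the reusable-workflow path (.github/workflows/review.yml),
# the job name "review" and the pull_request trigger are placeholders.
name: pr-auto-review

on:
  pull_request:

# No workflow-level permissions block: jobs that do not opt in below keep
# the repository's default GITHUB_TOKEN scope.

jobs:
  review:
    # Granted to this job only, never at workflow level.
    # id-token: write lets the called workflow request a GitHub OIDC token
    #   and exchange it for AWS credentials to read Secrets Manager.
    # actions: read lets it download artifacts across workflow_run
    #   boundaries for the review feedback loop.
    # Any permissions the job already carried before this change are
    # assumed unchanged and omitted here.
    permissions:
      id-token: write
      actions: read

    # Pinned to the full commit SHA; the tag stays as a trailing comment so
    # the pin remains readable and version bumps can be tracked.
    uses: docker/cagent-action/.github/workflows/review.yml@ec4865576952df6285652f2cf8ffb4ad45ff5f80  # v1.4.3

    # Before (v1.3.1) the same call carried an explicit secrets mapping:
    #   secrets:
    #     ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    #     CAGENT_ORG_MEMBERSHIP_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
    #     CAGENT_REVIEWER_APP_ID: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
    #     CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
    # With v1.4.3 that block is dropped: the called workflow fetches these
    # values itself via OIDC, so they no longer need to exist as repository
    # secrets in the caller.
```

The id-token: write grant only lets the job mint an OIDC token; which AWS role it can assume is decided by that role's trust policy, which should match the token's aud and sub claims (repository and, where possible, ref or environment) rather than trusting the GitHub issuer alone.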

@zampani-docker zampani-docker requested a review from derekmisler May 4, 2026 20:11
Bump from v1.3.1 to v1.4.3. Remove all explicitly passed secrets —
ANTHROPIC_API_KEY, CAGENT_ORG_MEMBERSHIP_TOKEN, CAGENT_REVIEWER_APP_ID,
and CAGENT_REVIEWER_APP_PRIVATE_KEY are all now fetched automatically
inside the called workflow via OIDC from AWS Secrets Manager. Add
id-token: write and actions: read permissions required by the new
setup-credentials action.

Signed-off-by: Michael Zampani <michael.zampani@docker.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@zampani-docker zampani-docker force-pushed the zampani/upgrade-cagent-action-oidc branch from 72d4cef to d3c800c Compare May 4, 2026 20:13
@zampani-docker zampani-docker marked this pull request as ready for review May 4, 2026 20:18
Copilot AI review requested due to automatic review settings May 4, 2026 20:18
@zampani-docker zampani-docker requested a review from a team as a code owner May 4, 2026 20:18
@zampani-docker zampani-docker requested review from glours and ndeloof May 4, 2026 20:18

@docker-agent docker-agent Bot left a comment


Assessment: 🟢 APPROVE

This CI workflow upgrade is a clean, well-structured change. The key modifications are:

  • Action version bump, pinned to commit hash — good supply-chain hygiene.
  • Secrets removal: The four explicit secrets are correctly removed; v1.4.3 fetches credentials automatically via OIDC from AWS Secrets Manager.
  • New permissions: id-token: write (OIDC token exchange) and actions: read (cross-workflow artifact download) are both documented with inline comments and scoped to the job level only — consistent with least-privilege.
  • Comment cleanup: Removal of the verbose top-level permissions comment is a minor improvement.

No bugs or correctness issues found in the changed code.


Copilot AI left a comment


Pull request overview

Updates the PR auto-review workflow to use a newer pinned revision of docker/cagent-action that supports fetching required credentials via OIDC (instead of passing GitHub Secrets into the reusable workflow), while scoping the additional token permissions to the review job.

Changes:

  • Bump docker/cagent-action reusable workflow from v1.3.1 to v1.4.3 (pinned SHA).
  • Remove the explicit secrets: mappings previously passed into the reusable workflow.
  • Add job-scoped permissions for id-token: write (OIDC) and actions: read (artifact access across workflow_run boundaries).


@glours

glours commented May 5, 2026

Hey @zampani-docker
I think it was already addressed by PR #13745 from @derekmisler
