LSIF: allow auth via GITHUB_TOKEN from GitHub Actions
Created by: chrismwendt
This allows LSIF upload authentication via the built-in GITHUB_TOKEN in GitHub Actions, which eliminates one more manual step from uploading LSIF through a GitHub action.
Unfortunately, this also allows uploads from any GitHub app installed on the given repository, even ones with read-only access. I haven't found a way to determine that the given token is associated with GitHub Actions and not some other random GitHub App. I also haven't found a zero-impact way to determine that the given token has write access to the repository. @sqs Is this acceptable?
Created by: codecov[bot]
Codecov Report
Merging #7114 into master will increase coverage by <.01%. The diff coverage is 9.09%.

@@            Coverage Diff             @@
##           master    #7114      +/-   ##
==========================================
+ Coverage    39.3%   39.31%   +<.01%
==========================================
  Files        1230     1230
  Lines       63911    63889      -22
  Branches     6055     6053       -2
==========================================
- Hits        25118    25115       -3
+ Misses      36498    36479      -19
  Partials     2295     2295
Impacted Files                                       Coverage Δ
internal/extsvc/github/client.go                     67.72% <9.09%> (-3.63%)
cmd/frontend/graphqlbackend/search_repositories.go   81.01% <0%> (-0.47%)
web/src/search/searchFilterSuggestions.ts            100% <0%> (ø)
cmd/frontend/graphqlbackend/location.go              0% <0%> (ø)
cmd/frontend/graphqlbackend/codeintel.go             0% <0%> (ø)
web/src/search/results/SearchResultsList.tsx         62.41% <0%> (+0.17%)
cmd/frontend/graphqlbackend/search_commits.go        38.37% <0%> (+0.61%)
lsif/src/server/backend/database.ts                  82.31% <0%> (+1.1%)
cmd/frontend/graphqlbackend/git_tree_entry.go        18.18% <0%> (+1.23%)
cmd/frontend/graphqlbackend/markdown.go              50% <0%> (+21.42%)
Created by: sqs
Unfortunately, this also allows uploads from any GitHub app installed on the given repository. I haven't found a way to determine that the given token is associated with GitHub Actions and not some other random GitHub App. @sqs Is this acceptable?
Yeah, that is acceptable. What are you concerned about? Anyone who holds a token that lets them perform write operations on the repository can do much worse than upload bad LSIF data to Sourcegraph.
Created by: chrismwendt
Unfortunately, this also allows uploads from any GitHub app installed on the given repository. I haven't found a way to determine that the given token is associated with GitHub Actions and not some other random GitHub App. @sqs Is this acceptable?
Yeah, that is acceptable. What are you concerned about? Anyone who holds a token that lets them perform write operations on the repository can do much worse than upload bad LSIF data to Sourcegraph.
Read-only access is sufficient to pass the auth check in this PR (clarified the description). I believe only GitHub App owners can create installation access tokens, so the set of people with access is likely very small (~1 per GitHub App installed on a repository).