Default github-token to github.token so the review comment posts without setup#167

Merged
reuvenharrison merged 3 commits into main from default-github-token on Jun 16, 2026

Conversation

@reuvenharrison

Contributor

Why

Most repos picked up the encrypted free review by tracking a moving action ref, not by a proactive upgrade, so they never added github-token + permissions. The review link then goes only to the job summary, which almost nobody opens. Production day 2: ~476 reviews created, 3 opened (~0.6%). The feature is on, but invisible.

Change

Default github-token to ${{ github.token }} in breaking/action.yml and changelog/action.yml. The PR comment now posts automatically on any repo whose job GITHUB_TOKEN already has write access, with no workflow edit. Repos whose org forces a read-only default token still fall back to the job summary (the permissions: pull-requests: write line genuinely needs a workflow edit); fork PRs are unchanged (read-only token).

Verified end-to-end in CI: a workflow that does not pass github-token posted the comment via the resolved default (github-actions[bot]). Confirmed the expression default resolves through the Docker args path (the with: block logged github-token: ***, a masked non-empty value, despite nothing being passed).

Comment copy

Since the comment is now posted by default, it's the first-touch notice for many maintainers, so it's been made more transparent:

  • "anyone with the link can open" (states the capability-by-URL model) instead of "anyone can open";
  • precise privacy wording: "encrypted in CI before upload; the decryption key stays in this link's URL fragment, which browsers never send to a server, so oasdiff cannot read your specs" (instead of the absolute "specs stay private");
  • an explicit opt-out footer: "Posted automatically by the oasdiff GitHub Action. To stop posting this comment, set review: false."

🤖 Generated with Claude Code
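The two halves of the change described above, as an added illustration that is not the action's real files: the `github-token` and `review` input names, the `${{ github.token }}` default and the `permissions: pull-requests: write` requirement come from the PR text; the `uses:` path, the `base`/`revision` inputs, the `review` default and the workflow layout are assumptions.

```yaml
# breaking/action.yml (illustrative excerpt, not the real file): the input now
# defaults to the job's own token, so a workflow that never passes it still gets
# a usable value. github.token is the per-job GITHUB_TOKEN, scoped to this repo
# and revoked when the job ends; it shows up masked ("***") in the step log.
inputs:
  github-token:
    description: Token used to post the review comment on the pull request
    required: false
    default: ${{ github.token }}
  review:
    description: Set to "false" to skip both the spec upload and the comment
    required: false
    default: "true"   # assumed default, not stated in the PR

---
# Consumer workflow A: the repo/org default GITHUB_TOKEN is read+write, so no
# edit is needed. The comment posts as github-actions[bot] with no token passed.
on: pull_request
jobs:
  breaking:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oasdiff/oasdiff-action/breaking@<pinned-sha-or-tag>   # assumed path
        with:
          base: openapi/base.yaml          # assumed input
          revision: openapi/revision.yaml  # assumed input

---
# Consumer workflow B: the org forces a read-only default GITHUB_TOKEN. The
# action falls back to the job summary unless the job grants the one scope it
# needs. Least privilege: pull-requests: write only, never write-all.
# Pull requests from forks still get a read-only token regardless of this block.
on: pull_request
permissions:
  contents: read
  pull-requests: write
jobs:
  breaking:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oasdiff/oasdiff-action/breaking@<pinned-sha-or-tag>   # assumed path
        with:
          base: openapi/base.yaml
          revision: openapi/revision.yaml
          # review: "false"   # opt out: no spec upload, no comment
```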

reuvenharrison and others added 3 commits June 16, 2026 15:35
…ithout setup

Most repos got the encrypted free review by tracking a moving action ref,
not by a proactive upgrade, so they never added github-token + permissions.
Result: the review link goes only to the job summary (a page almost nobody
opens). Day-2 production: ~476 reviews created, 3 opened.

Defaulting github-token to the built-in github.token means the comment is
posted automatically wherever the job's GITHUB_TOKEN already has write
permission, with no workflow edit. Repos whose default token is read-only
still fall back to the summary (the permissions line genuinely needs a
workflow edit); fork PRs are unchanged.

Also makes the comment the honest first-touch notice it now is:
- precise privacy wording (key lives in the URL fragment, never sent to a
  server, so oasdiff cannot read the specs) instead of "specs stay private";
- "anyone with the link can open" (the capability-by-URL model) instead of
  "anyone can open";
- an explicit opt-out line ("set review: false") since the comment is now
  posted by default.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drop product-jargon ('in context'), the share prompt (the review page has a
per-change 'Copy link'), the 'anyone with the link' line (covered by the docs
'How it works' link), and 'no install or account needed' (self-evident on
click). Keep the title (the value), the 7-day TTL, the privacy explanation,
and the opt-out footer.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… name the upload

A user who got the comment via a moving action ref (not a deliberate opt-in)
is the one most likely to want to turn it off. Two changes so they find how:
- link 'oasdiff GitHub Action' to /docs/free-review#github-action, the section
  that explains what posted the comment and how to disable it;
- reframe the off-switch from 'stop posting this comment' to 'turn this off
  (no spec upload, no comment)', since review: false stops the upload too,
  which is what a privacy-minded first-time reader actually wants.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@reuvenharrison reuvenharrison merged commit efad245 into main Jun 16, 2026
56 checks passed
@reuvenharrison reuvenharrison deleted the default-github-token branch June 16, 2026 13:09