From da2f961b124081ce9bfa4fedd651d055f975355d Mon Sep 17 00:00:00 2001
From: Max Ghenis
Date: Fri, 17 Apr 2026 19:51:09 -0400
Subject: [PATCH] Mint GitHub App token in versioning workflow
The org PAT POLICYENGINE_GITHUB expired on 2026-01-12. Switch the versioning workflow to mint a short-lived GitHub App token via actions/create-github-app-token@v1 using the org-installed App (APP_ID / APP_PRIVATE_KEY), matching the pattern used across other PolicyEngine repos. Also wires the token into EndBug/add-and-commit so the automated "Update package version" commit is authored by the App and can push to main.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/versioning.yaml | 10 +++++++++-
 changelog.d/migrate-to-app-token.changed.md | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/migrate-to-app-token.changed.md
diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index 212b532..6c54735 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -15,10 +15,16 @@ jobs:
 if: (github.event.head_commit.message != 'Update package version')
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
+ token: ${{ steps.app-token.outputs.token }}
 fetch-depth: 0
 - name: Setup Python
 uses: actions/setup-python@v5
@@ -35,3 +41,5 @@ jobs:
 with:
 add: "."
 message: Update package version
+ github_token: ${{ steps.app-token.outputs.token }}
+ fetch: false
diff --git a/changelog.d/migrate-to-app-token.changed.md b/changelog.d/migrate-to-app-token.changed.md
new file mode 100644
index 0000000..fc394fa
--- /dev/null
+++ b/changelog.d/migrate-to-app-token.changed.md
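Review bot: The token minted in the `Generate GitHub App token` step carries, by default, every permission granted to the App installation, and `actions/checkout` then stores it in the local git configuration unless told otherwise, so each later step in the job (Setup Python and whatever follows, partly outside this hunk) can read a write-capable credential. Since the workflow only needs to push one commit, consider narrowing the token when it is minted, for example `permission-contents: write` under `with:`, assuming the release that `@v1` resolves to supports the `permission-*` inputs. Separately, this step receives `APP_PRIVATE_KEY`, so pinning it to a full commit SHA (`uses: actions/create-github-app-token@<full-commit-sha>  # v1`) instead of the movable `@v1` tag would keep a retagged release from ever seeing the key.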
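Review bot: `github_token` in the second hunk hands the App token to a third-party action whose `uses:` line, and therefore its pinned version, is outside this hunk, and it may not be needed for the push at all. As far as I recall from the add-and-commit README, that input is used for GitHub API requests such as resolving the commit author, while the push itself relies on the credentials that `actions/checkout` persisted; please confirm, and drop the line if the commit still lands without it. The reason for `fetch: false` is not evident from the hunk either, so a one-line comment above it saying why the fetch is skipped would help the next maintainer.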
@@ -0,0 +1 @@
+Migrated versioning workflow from expired POLICYENGINE_GITHUB PAT to GitHub App token (APP_ID/APP_PRIVATE_KEY).