Skip to content

Use dedicated CI GitHub App token instead of PAT#317

Merged
umair-ably merged 1 commit intomainfrom
fix/dependabot-lockfile-regeneration
Apr 14, 2026
Merged

Use dedicated CI GitHub App token instead of PAT#317
umair-ably merged 1 commit intomainfrom
fix/dependabot-lockfile-regeneration

Conversation

@umair-ably
Copy link
Copy Markdown
Collaborator

@umair-ably umair-ably commented Apr 14, 2026

PATs don't work with SAML SSO-enforced orgs. GitHub Apps bypass SSO and are scoped to just contents:write on the installed repo.

This is still aiming to auto regen lockfiles on dependabot PRs

@umair-ably
Use dedicated CI GitHub App token instead of PAT
cab6f5f 
PATs don't work with SAML SSO-enforced orgs. GitHub Apps bypass SSO
and are scoped to just contents:write on the installed repo.
@umair-ably umair-ably force-pushed the fix/dependabot-lockfile-regeneration branch from 4933cd3 to cab6f5f Compare April 14, 2026 14:30
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 14, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cli-web-cli Ready Ready Preview, Comment Apr 14, 2026 2:31pm

Request Review

@claude-code-ably-assistant
Copy link
Copy Markdown

claude-code-ably-assistant bot commented Apr 14, 2026

Walkthrough: This PR updates the Dependabot lockfile regeneration workflow to use a dedicated GitHub App token instead of a Personal Access Token (PAT). PATs do not work with SAML SSO-enforced GitHub organizations, whereas GitHub App tokens bypass SSO restrictions and are more narrowly scoped (contents:write on this repo only).

@claude-code-ably-assistant
Copy link
Copy Markdown

claude-code-ably-assistant bot commented Apr 14, 2026

Walkthrough

This PR updates the Dependabot lockfile regeneration workflow to use a dedicated GitHub App token instead of a Personal Access Token (PAT). The change is necessary because PATs do not work with SAML SSO-enforced GitHub organizations, whereas GitHub App tokens bypass SSO restrictions. The App token is also more narrowly scoped (contents:write on this repo only), improving security posture.

Changes

Area Files Summary
Config .github/workflows/dependabot-lockfile.yml Add actions/create-github-app-token@v3 step to generate a short-lived App token; replace hardcoded CI_PAT secret with the generated token for checkout

Review Notes

  • New secrets required: Two new repository secrets must be configured — CI_APP_ID and CI_APP_PRIVATE_KEY — before this workflow will succeed. Verify these are already provisioned in the repo settings.
  • Dependency on GitHub App installation: The actions/create-github-app-token@v3 action requires the GitHub App to be installed on this repository with contents:write permission. If not installed, the token generation step will fail and Dependabot PRs will stop getting lockfiles regenerated.
  • No behavioral change: The lockfile regeneration logic itself is unchanged; only the authentication mechanism differs.
  • Old secret can be removed: Once confirmed working, the CI_PAT secret is no longer needed and can be deleted from repo settings.

@umair-ably umair-ably requested a review from AndyTWF April 14, 2026 14:34
@umair-ably umair-ably merged commit 95e0780 into main Apr 14, 2026
8 of 9 checks passed
@umair-ably umair-ably deleted the fix/dependabot-lockfile-regeneration branch April 14, 2026 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndyTWF AndyTWF AndyTWF approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@umair-ably @AndyTWF