feat(governance): move Argus and server GitHub writes to the AAO Secretariat App identity#5832
Merged
Conversation
…etariat App identity ai-review.yml mints its App token from SECRETARIAT_APP_ID/ SECRETARIAT_APP_PRIVATE_KEY and pins ARGUS_BOT_LOGIN to aao-secretariat[bot]; release machinery keeps the release App — distinct trust surfaces. Server-side GitHub writes (wg-slack-context refresh PRs, knowledge-gap issue filing) authenticate through a new github-app-token module that mints hour-lived installation tokens with node:crypto RS256 (no new dependency). resolveGitHubToken() is the single seam: App token when configured, legacy GITHUB_TOKEN during migration, and fail-closed (never PAT fallback) when a configured App cannot mint. Do not merge before the SECRETARIAT_APP_* Actions secrets exist, or Argus reviews stop minting tokens. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Argus is not auto-reviewing this PR because it modifies protected paths that require human review (.agents/playbook.md, .github/workflows/ai-review.yml). A human reviewer should review and merge this PR; Argus will resume on subsequent PRs once these changes land on main.
This was referenced Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Completes the personification decision from
specs/spec-guardian.md: all Secretariat output on GitHub now authors asaao-secretariat[bot](App ID 4234645), whileaao-release-botreturns to being purely release machinery — two Apps, two trust surfaces.Changes
.github/workflows/ai-review.yml— App-token step mints fromSECRETARIAT_APP_ID/SECRETARIAT_APP_PRIVATE_KEY;ARGUS_BOT_LOGIN→aao-secretariat[bot](review verification and re-run-skip pin on it). The release-PR classification at thePR_AUTHOR == "aao-release-bot[bot]"check intentionally stays on the release App — that's who authors Version Packages PRs. Header comment updated (it still described Argus as reviewing "in bokelley's voice" — stale since chore(governance): add WG constitution, seats, and decision records (spec-guardian stage 1) #5808).server/src/addie/jobs/github-app-token.ts(new) — mints hour-lived installation tokens: RS256 app JWT vianode:crypto(no new dependency), installation lookup + token cache with a 5-minute expiry buffer, escaped-newline PEM tolerance.resolveGitHubToken()is the single seam: Secretariat App token when configured, legacyGITHUB_TOKENPAT during migration, fail-closed (null, never PAT fallback) when a configured App cannot mint.github-pr.ts/github-filer.ts— swap directGITHUB_TOKENreads forresolveGitHubToken(). Digest refresh PRs and knowledge-gap issues author as the bot once Fly secrets land..agents/playbook.md— §App-token convention documents the two-App split.Merge sequencing (important)
Do not merge until the
SECRETARIAT_APP_*Actions secrets exist on this repo — after merge, the next Argus run mints from them, and missing secrets means no reviews. Server-side behavior is safe either way: without Fly secrets it keeps using the PAT; with them it switches to the App.Retirement path once the first bot-authored digest PR is verified:
fly secrets unset GITHUB_TOKEN -a adcp-docs— at that point no long-lived GitHub credential exists anywhere in the system.Test plan
tsc --noEmitclean; workflow YAML parse validated; precommit suite on commit.aao-secretariat[bot]and counts toward required review.aao-secretariat[bot].No changeset — CI/agent infrastructure and Addie server work.
🤖 Generated with Claude Code