Skip to content

feat(governance): move Argus and server GitHub writes to the AAO Secretariat App identity#5832

Merged
bokelley merged 1 commit into
mainfrom
github-app-setup
Jul 7, 2026
Merged

feat(governance): move Argus and server GitHub writes to the AAO Secretariat App identity#5832
bokelley merged 1 commit into
mainfrom
github-app-setup

Conversation

@bokelley

@bokelley bokelley commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Completes the personification decision from specs/spec-guardian.md: all Secretariat output on GitHub now authors as aao-secretariat[bot] (App ID 4234645), while aao-release-bot returns to being purely release machinery — two Apps, two trust surfaces.

Changes

  • .github/workflows/ai-review.yml — App-token step mints from SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY; ARGUS_BOT_LOGINaao-secretariat[bot] (review verification and re-run-skip pin on it). The release-PR classification at the PR_AUTHOR == "aao-release-bot[bot]" check intentionally stays on the release App — that's who authors Version Packages PRs. Header comment updated (it still described Argus as reviewing "in bokelley's voice" — stale since chore(governance): add WG constitution, seats, and decision records (spec-guardian stage 1) #5808).
  • server/src/addie/jobs/github-app-token.ts (new) — mints hour-lived installation tokens: RS256 app JWT via node:crypto (no new dependency), installation lookup + token cache with a 5-minute expiry buffer, escaped-newline PEM tolerance. resolveGitHubToken() is the single seam: Secretariat App token when configured, legacy GITHUB_TOKEN PAT during migration, fail-closed (null, never PAT fallback) when a configured App cannot mint.
  • github-pr.ts / github-filer.ts — swap direct GITHUB_TOKEN reads for resolveGitHubToken(). Digest refresh PRs and knowledge-gap issues author as the bot once Fly secrets land.
  • .agents/playbook.md — §App-token convention documents the two-App split.

Merge sequencing (important)

Do not merge until the SECRETARIAT_APP_* Actions secrets exist on this repo — after merge, the next Argus run mints from them, and missing secrets means no reviews. Server-side behavior is safe either way: without Fly secrets it keeps using the PAT; with them it switches to the App.

Retirement path once the first bot-authored digest PR is verified: fly secrets unset GITHUB_TOKEN -a adcp-docs — at that point no long-lived GitHub credential exists anywhere in the system.

Test plan

  • 7 new unit tests for the token module (PAT passthrough, null when unconfigured, mint + JWT shape, caching, expiry re-mint, fail-closed on mint failure, escaped-newline PEM). All 23 tests across the three touched suites pass.
  • tsc --noEmit clean; workflow YAML parse validated; precommit suite on commit.
  • Post-merge: first Argus review posts as aao-secretariat[bot] and counts toward required review.
  • Post-Fly-secrets: digest refresh PR authors as aao-secretariat[bot].

No changeset — CI/agent infrastructure and Addie server work.

🤖 Generated with Claude Code

…etariat App identity

ai-review.yml mints its App token from SECRETARIAT_APP_ID/
SECRETARIAT_APP_PRIVATE_KEY and pins ARGUS_BOT_LOGIN to
aao-secretariat[bot]; release machinery keeps the release App —
distinct trust surfaces. Server-side GitHub writes (wg-slack-context
refresh PRs, knowledge-gap issue filing) authenticate through a new
github-app-token module that mints hour-lived installation tokens with
node:crypto RS256 (no new dependency). resolveGitHubToken() is the
single seam: App token when configured, legacy GITHUB_TOKEN during
migration, and fail-closed (never PAT fallback) when a configured App
cannot mint.

Do not merge before the SECRETARIAT_APP_* Actions secrets exist, or
Argus reviews stop minting tokens.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@aao-release-bot aao-release-bot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Argus is not auto-reviewing this PR because it modifies protected paths that require human review (.agents/playbook.md, .github/workflows/ai-review.yml). A human reviewer should review and merge this PR; Argus will resume on subsequent PRs once these changes land on main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant