From 63c4c78c20947fdcd2c530306bdcb48196ef45b0 Mon Sep 17 00:00:00 2001
From: Vikrant Puppala
Date: Fri, 22 May 2026 10:21:39 +0000
Subject: [PATCH] ci(integration-tests): use github.token for check-run posters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Follow-up to #799. The dispatch failure handlers and auto-pass steps were posting check-runs with `steps.public-token.outputs.token`, which is itself an App-token-generating step. That created a silent-failure trap: if the App secrets are missing or rotated, the App-token step fails, then the failure handler also fails (no token to authenticate with), and the gate sits green from the earlier `skip-integration-tests-pr` job's synthetic-success check — the exact silent-pass anti-pattern the failure handler exists to prevent. Discovered by exercising the dispatch end-to-end on a draft PR before the App secrets were installed (#800 closed). The canonical adbc-drivers/databricks workflow has the same latent bug — fix not yet upstreamed there. The fix is to use the default workflow `${{ github.token }}` for all check-posting steps. The default token already has `checks: write` because each job declares the permission. `steps.public-token` is no longer referenced anywhere; the generation step is removed to keep the workflow tidy. The App token is still used (correctly) for the actual dispatch call into databricks-driver-test, where cross-repo write access is required.
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala
---
 .../workflows/trigger-integration-tests.yml | 42 +++++++++----------
 1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/trigger-integration-tests.yml b/.github/workflows/trigger-integration-tests.yml
index 5e599fb57..49132fd4a 100644
--- a/.github/workflows/trigger-integration-tests.yml
+++ b/.github/workflows/trigger-integration-tests.yml
@@ -194,15 +194,6 @@ jobs:
 owner: databricks
 repositories: databricks-driver-test
 
- - name: Generate GitHub App Token (public repo)
- id: public-token
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
- with:
- app-id: ${{ secrets.INTEGRATION_TEST_APP_ID }}
- private-key: ${{ secrets.INTEGRATION_TEST_PRIVATE_KEY }}
- owner: databricks
- repositories: databricks-sql-python
-
 - name: Sanitize PR title
 id: sanitize
 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
@@ -235,7 +226,11 @@ jobs:
 if: steps.changed.outputs.python != 'true'
 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
- github-token: ${{ steps.public-token.outputs.token }}
+ # Default workflow token, not the App token — same rationale
+ # as the failure handler below. We don't want a missing-secret
+ # state to silently swallow the green check for path-filtered
+ # no-op runs.
+ github-token: ${{ github.token }}
 script: |
 await github.rest.checks.create({
 owner: context.repo.owner,
@@ -255,7 +250,15 @@ jobs:
 if: failure() && steps.changed.outputs.python == 'true'
 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
- github-token: ${{ steps.public-token.outputs.token }}
+ # Use the default workflow token, not the App token. The
+ # App-token-generating step is the *most likely* thing to
+ # fail (missing/rotated secrets, App uninstalled), and using
+ # it here means a token-generation failure also kills this
+ # handler — leaving the gate silently green on the stale
+ # synthetic-success from skip-integration-tests-pr. The
+ # default token has checks:write (declared on this job)
+ # which is all we need.
+ github-token: ${{ github.token }}
 script: |
 await github.rest.checks.create({
 owner: context.repo.owner,
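Review bot: Swapping in `${{ github.token }}` at the `github-token:` line closes the silent-pass trap only for same-repository branches: on a `pull_request` run for a PR opened from a fork, the default token is read-only regardless of the job-level `checks: write`, so `github.rest.checks.create` is rejected and no check is posted, whereas the App installation token was not restricted that way. The workflow's `on:` trigger is outside this hunk; if it is `pull_request` rather than `pull_request_target`, fork PRs need an explicit decision (fail the job, or state in the comment that forks are out of scope) rather than a failing API call. The same point applies to the failure handler in the next hunk (`@@ -255,7 +250,15`) and to the auto-pass and failure-handler hunks at `@@ -316,20 +319,13` and `@@ -392,7 +388,9`. I would add to this comment: `# NOTE: github.token is read-only on pull_request runs from forks — checks.create will be rejected there; confirm the trigger.`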
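Review bot: The comment's assertion that the default token "has checks:write (declared on this job)" is not verifiable from this hunk — the job's `permissions:` block is outside it — and it is worth pinning because, if that block were ever dropped, `github.token` would silently fall back to the repository default, which may be read-only, and this handler would then fail for a new reason. A second difference worth recording: a check run created with `github.token` is attributed to the GitHub Actions app rather than to the integration-test App that posted it before, so if the branch-protection required check is pinned to the App as its source, the synthetic failure/auto-pass checks may no longer match it; I would shorten the comment to `# default token (checks: write is declared on this job); note the check is now attributed to GitHub Actions, not the App`. The `script:` body continues past the end of the hunk.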
@@ -316,20 +319,13 @@ jobs:
 echo "No driver files changed — will auto-pass"
 fi
 
- - name: Generate GitHub App Token (public repo)
- id: public-token
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
- with:
- app-id: ${{ secrets.INTEGRATION_TEST_APP_ID }}
- private-key: ${{ secrets.INTEGRATION_TEST_PRIVATE_KEY }}
- owner: databricks
- repositories: databricks-sql-python
-
 - name: Auto-pass (no driver changes)
 if: steps.changed.outputs.changed != 'true'
 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
- github-token: ${{ steps.public-token.outputs.token }}
+ # Default workflow token — see the trigger-tests-pr job's
+ # equivalent step above for the rationale.
+ github-token: ${{ github.token }}
 script: |
 await github.rest.checks.create({
 owner: context.repo.owner,
@@ -392,7 +388,9 @@ jobs:
 if: failure() && steps.changed.outputs.changed == 'true'
 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
- github-token: ${{ steps.public-token.outputs.token }}
+ # Use the default workflow token, not the App token — see
+ # the rationale in the trigger-tests-pr job above.
+ github-token: ${{ github.token }}
 script: |
 await github.rest.checks.create({
 owner: context.repo.owner,