Skip to content

infra: switch sync-motoko workflow to pr-automation-bot-public GitHub App #196

Closed
#197
Closed
infra: switch sync-motoko workflow to pr-automation-bot-public GitHub App#196
#197
Labels
enhancementNew feature or request
@marc0olo

Description

@marc0olo
marc0olo
opened on May 5, 2026

Background

Since the repo is now public, stricter rules apply: workflows using GITHUB_TOKEN with elevated permissions (contents: write, pull-requests: write) to create PRs are not allowed. PR #185 (chore: bump Motoko to v1.7.0) was created this way and must be closed.

The pr-automation-bot-public GitHub App has been granted access to this repo by Bas and should be used for all automated PR creation going forward.

What needs to change

File: .github/workflows/sync-motoko.yml

1. Remove the elevated permissions block

The current workflow declares:

permissions:
  contents: write
  pull-requests: write

These permissions are required when using GITHUB_TOKEN to push branches and create PRs. With the app token they are no longer needed at the job level (the app's installation token carries its own permissions).

2. Add the app token step (at line 23, before the first GH_TOKEN usage)

- name: Create GitHub App Token
  uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
  id: app-token
  with:
    app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
    private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}

Reference: how the sdk repo uses this action — https://github.com/dfinity/sdk/blob/db214a5974444beb3cad66a1b30bfc108acf1937/.github/workflows/update-motoko.yml#L63

3. Replace secrets.GITHUB_TOKEN with the app token

There are two places in the workflow that use GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}:

  • "Get latest Motoko release tag" step — used to query the caffeinelabs/motoko release via gh release view
  • "Create PR" step — used to push the branch and open the PR via gh pr create

Both should become:

env:
  GH_TOKEN: ${{ steps.app-token.outputs.token }}

After the changes are merged

  1. Close PR chore: bump Motoko to v1.7.0 #185 with a note that the workflow will be re-triggered manually once the new setup is in place
  2. Re-trigger the Motoko release check workflow manually via workflow_dispatch to verify the new bot-based PR creation works end-to-end for the same Motoko v1.7.0 sync

Org-level credentials

Type Name
Org variable PR_AUTOMATION_BOT_PUBLIC_APP_ID
Org secret PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions