From 59397b59c35b1f502320d86b3bd6b022dc166995 Mon Sep 17 00:00:00 2001
From: Marco Walz
Date: Tue, 5 May 2026 11:16:21 +0200
Subject: [PATCH 1/3] infra: switch sync-motoko to pr-automation-bot-public GitHub App

Replace GITHUB_TOKEN (with elevated permissions) with the pr-automation-bot-public app token for all authenticated operations:
- Add create-github-app-token step (app-id + private-key from org vars/secrets)
- Remove job-level contents: write + pull-requests: write permissions
- Configure git remote URL with app token before git push
- Use app token for gh release view and gh pr create

Closes #196
---
 .github/workflows/sync-motoko.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/sync-motoko.yml b/.github/workflows/sync-motoko.yml
index 0370a979..31dc4d79 100644
--- a/.github/workflows/sync-motoko.yml
+++ b/.github/workflows/sync-motoko.yml
@@ -8,14 +8,18 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        id: app-token
+        with:
+          app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
+          private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
+
       - name: Initialize motoko submodule
         run: |
           git config --global url."https://github.com/".insteadOf "git@github.com:"
@@ -32,7 +36,7 @@ jobs:
           echo "git_tag=$GIT_TAG" >> $GITHUB_OUTPUT
           echo "versions_tag=$VERSIONS_TAG" >> $GITHUB_OUTPUT
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Get currently pinned version
         id: current
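Review bot: The `Create GitHub App Token` step mints a token carrying every permission the installation has, although the token is consumed only by `gh release view`, `gh pr create` and (in this commit) the `git push` through the remote URL; the action's `permission-<name>` inputs narrow the token to a subset, so adding `permission-contents: write` and `permission-pull-requests: write` under `with:` keeps it at what those commands need, and once the later commit drops the push from the app token `permission-contents` can go to `read`. Without `owner`/`repositories` inputs the token is scoped to the current repository only, so the `gh release view` against the upstream repository (not visible in this hunk) presumably succeeds because that repository is public — worth a comment on the step, e.g. `# token is repo-scoped; release lookup on the upstream repo works because it is public`. Deleting the job's `permissions:` block rather than replacing it means the job's GITHUB_TOKEN now inherits whatever the repository or organisation default grants; an explicit least-privilege block at the job is the reviewable form of that intent.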
@@ -113,8 +117,9 @@ jobs:
       - name: Create PR
         if: steps.check.outputs.needed == 'true'
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config user.name "pr-automation-bot-public[bot]"
+          git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com"
+          git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/${{ github.repository }}.git"
 
           BRANCH="infra/bump-motoko-${{ steps.latest.outputs.versions_tag }}"
           git checkout -b "$BRANCH"
@@ -152,4 +157,4 @@ jobs:
           --title "chore: bump Motoko to ${{ steps.latest.outputs.versions_tag }}" \
           --body-file /tmp/pr-body.md
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}

From ac6332a74acb2f5e2fa29e80d947a0df38b7d329 Mon Sep 17 00:00:00 2001
From: Marco Walz
Date: Tue, 5 May 2026 11:26:13 +0200
Subject: [PATCH 2/3] fix(sync-motoko): drop unnecessary git remote set-url

The git push uses implicit checkout credentials (dfinity org defaults GITHUB_TOKEN to read-write for contents). Only gh pr create needs the explicit app token via GH_TOKEN.

Matches the pattern in dfinity/icskills sync-upstream.yml.
---
 .github/workflows/sync-motoko.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/sync-motoko.yml b/.github/workflows/sync-motoko.yml
index 31dc4d79..5198cd72 100644
--- a/.github/workflows/sync-motoko.yml
+++ b/.github/workflows/sync-motoko.yml
@@ -119,7 +119,6 @@ jobs:
         run: |
           git config user.name "pr-automation-bot-public[bot]"
           git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/${{ github.repository }}.git"
 
           BRANCH="infra/bump-motoko-${{ steps.latest.outputs.versions_tag }}"
           git checkout -b "$BRANCH"

From 8b0ce9be09dcc6dce1e88091bd841bb09344816a Mon Sep 17 00:00:00 2001
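Review bot: Dropping the `git remote set-url` in the PATCH 2/3 hunk puts the later `git push` (outside the hunk; the `run: |` block continues past it and the step starts before it) back on the credential actions/checkout persisted, i.e. GITHUB_TOKEN, whose `contents: write` now comes only from an organisation default because PATCH 1/3 deleted the job's `permissions:` block. Nothing in the file declares or grants that write any more, so the first commit's aim of not relying on an elevated GITHUB_TOKEN is not actually achieved, and a change to the org default would break the push with no diff in this repository to explain it. Either make the grant visible at the job, `permissions:` / `  contents: write`, with a comment such as `# push relies on GITHUB_TOKEN persisted by actions/checkout`, or keep the app token as the push credential and pin the job to `permissions: contents: read`. Note also that a push made with GITHUB_TOKEN does not start `push`-triggered workflow runs while a push made with an app token does, so any downstream automation on the bump branch presumably behaves differently after this change.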
From: Marco Walz
Date: Tue, 5 May 2026 12:32:52 +0200
Subject: [PATCH 3/3] fix(sync-motoko): use client-id and pin create-github-app-token to v3.1.1

app-id is deprecated in actions/create-github-app-token in favour of client-id. Update the input name and bump the pin to v3.1.1 (1b10c78c), which is the version that formalised this change.
---
 .github/workflows/sync-motoko.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync-motoko.yml b/.github/workflows/sync-motoko.yml
index 5198cd72..54061e72 100644
--- a/.github/workflows/sync-motoko.yml
+++ b/.github/workflows/sync-motoko.yml
@@ -14,10 +14,10 @@ jobs:
           fetch-depth: 0
 
       - name: Create GitHub App Token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         id: app-token
         with:
-          app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
+          client-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID }}
           private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
 
       - name: Initialize motoko submodule