Skip to content

feat: switch GitHub credentials to PAT from AWS secret#174

Merged
derekmisler merged 9 commits into
docker:mainfrom
docker-agent:feat/pat-credentials
May 5, 2026
Merged

feat: switch GitHub credentials to PAT from AWS secret#174
derekmisler merged 9 commits into
docker:mainfrom
docker-agent:feat/pat-credentials

Conversation

@docker-agent
Copy link
Copy Markdown
Contributor

@docker-agent docker-agent commented May 5, 2026

Summary

Replaces the GitHub App (app_id + private_key) credential flow with a PAT stored directly in the AWS secret docker-agent-action/github-app.

Closes docker/gordon#500

Changes

New secret shape

{ "pat": "...", "org_membership_token": "..." }
  • pat — repo-scoped PAT; exported as GITHUB_APP_TOKEN
  • org_membership_token — admin-scoped token for org user lookups; exported as ORG_MEMBERSHIP_TOKEN (unchanged role, kept as a separate field)

Both fields are required — the action fails hard if either is absent or empty.

Files changed

File Change
src/credentials/github-app.ts GitHubAppSecretGitHubPATSecret; parse pat + org_membership_token; export GITHUB_APP_TOKEN = pat
src/credentials/app-token.ts Deleted — no longer needed; PAT is fetched directly
src/credentials/index.ts Remove generateAppToken() import and call
src/credentials/__tests__/github-app.test.ts Updated to PAT-based VALID_SECRET; new missing-field tests
src/credentials/__tests__/app-token.test.ts Deleted
src/credentials/__tests__/app-token.integration.test.ts Deleted

Test results

Test Files  10 passed (10)
      Tests 100 passed (100)

Biome CI and tsc pass cleanly.

@docker-agent
feat: switch github credentials to PAT from AWS secret
0e4189d 
Replaces the GitHub App (app_id + private_key) credential flow with a
PAT stored directly in the AWS secret. The secret now holds two fields:
- `pat`: a repo-scoped PAT exported as GITHUB_APP_TOKEN
- `org_membership_token`: an admin-scoped token exported as ORG_MEMBERSHIP_TOKEN

Removes app-token.ts (and its tests) which generated an installation
token via `@octokit/auth-app` — no longer needed since the PAT is
fetched directly. Both fields are required; the action fails hard if
either is absent.

Refs docker/gordon#500

Assisted-By: docker-agent
@docker-agent docker-agent requested a review from a team as a code owner May 5, 2026 15:20
@docker-agent docker-agent requested a review from derekmisler May 5, 2026 15:20
docker-agent[bot]
docker-agent Bot reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@docker-agent docker-agent Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

The PAT credential swap is clean and well-structured. One low-severity robustness note on secret masking order.

Comment thread src/credentials/github-app.ts Outdated
@docker-agent docker-agent mentioned this pull request May 5, 2026
Merged
@derekmisler derekmisler merged commit 0169479 into docker:main May 5, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@docker-agent docker-agent[bot] docker-agent[bot] left review comments

@derekmisler derekmisler derekmisler approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@docker-agent @derekmisler