Draft
fix: github-app auth support in SideRepoOps maintenance workflow generator #43406
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…generator
When a source workflow authenticates its cross-repo checkout with a GitHub App,
the generated agentics-maintenance-<owner>-<repo>.yml now emits a
create-github-app-token mint step at the top of each cross-repo job and uses
the minted token (${{ steps.side-repo-app-token.outputs.token }}) for all
github-token: inputs and GH_TOKEN: env vars.
Changes:
- SideRepoTarget: add GitHubApp *GitHubAppConfig field
- collectSideRepoTargets: track both GitHubToken and GitHubApp from checkout
configs with upgrade-from-nothing semantics (first-seen auth wins)
- effectiveSideRepoToken: return minted token ref when GitHubApp != nil
- sideRepoAppTokenMintStepYAML: new helper that builds the create-github-app-token
step YAML reusing the existing buildGitHubAppTokenMintStepWithMeta infrastructure
- generateSideRepoMaintenanceWorkflow: inject mint step as first step in each
cross-repo job (close-expired-entities, apply_safe_outputs, create_labels,
activity_report) when GitHubApp is configured
- Add unit tests for new collectSideRepoTargets and effectiveSideRepoToken paths
- Add two integration tests: basic App auth flow and App auth + expires combo
Closes #43021
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Add log message when a later checkout auth is ignored for the same repo (first-seen wins; makes the choice traceable via maintenanceLog)
- Rename test: 'first-seen auth wins' → 'later auth does not override existing auth'
- Add assertions in integration test that minted token appears in github-token: inputs and GH_TOKEN: env vars in generated cross-repo steps
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix SideRepoOps maintenance workflow GitHub App checkout auth" to "fix: github-app auth support in SideRepoOps maintenance workflow generator" on Jul 4, 2026
Contributor
🤖 PR Triage — Run §28715668077
Fixes github-app auth in SideRepoOps maintenance workflow generator. +90/-15 Go logic, +122+170 test lines. Medium risk (auth path). Batch with go-bugfix group.
When a source workflow uses github-app: for cross-repo checkout auth, the generated agentics-maintenance-<owner>-<repo>.yml silently fell back to ${{ secrets.GH_AW_GITHUB_TOKEN }} — a secret App-only consumers never set — causing 100% failure on every scheduled run.

Changes

pkg/workflow/side_repo_maintenance.go
- SideRepoTarget: add GitHubApp *GitHubAppConfig field (mutually exclusive with GitHubToken, matching CheckoutConfig)
- collectSideRepoTargets: replace tokenByRepo map[string]string with a sideRepoAuth struct tracking both token and app config; first-seen auth wins, later occurrences upgrade only from "no auth" → "has auth"; logs when a conflicting later auth is ignored
- effectiveSideRepoToken: returns ${{ steps.side-repo-app-token.outputs.token }} when GitHubApp != nil
- sideRepoAppTokenMintStepYAML: new helper that builds the create-github-app-token step YAML by delegating to the existing buildGitHubAppTokenMintStepWithMeta infrastructure
- generateSideRepoMaintenanceWorkflow: injects the mint step as the first step of each cross-repo job (close-expired-entities, apply_safe_outputs, create_labels, activity_report) when app auth is configured; validate_workflows keeps GITHUB_TOKEN (own-repo only)

Example

A source workflow like:
now generates maintenance jobs with:
${{ secrets.GH_AW_GITHUB_TOKEN }} is preserved as the fallback only when neither github-token: nor github-app: is configured.

Tests

- collectSideRepoTargets covering app config collection, upgrade-from-nothing, and first-seen-wins semantics
- effectiveSideRepoToken paths
- github-token: and GH_TOKEN:, ordering)
- expires combo (verifies close-expired-entities also receives the mint step)
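
The auth-resolution rules this PR describes (first-seen auth wins, a later checkout only upgrades from "no auth", and the minted App token takes precedence over the secret fallback), as an added Go example; it is not the project's code. AppConfig, Checkout, CollectAuth, EffectiveToken and the sample repo, variable and secret names are hypothetical.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the PR's types (not the project's code).
type AppConfig struct{ AppID string }
type Checkout struct {
	Repo, GitHubToken string
	GitHubApp         *AppConfig
}
type sideRepoAuth struct {
	Token string
	App   *AppConfig
}
func (a sideRepoAuth) empty() bool { return a.Token == "" && a.App == nil }

// CollectAuth: first-seen auth wins; a later checkout only upgrades a repo
// from "no auth" to "has auth". Ignored later auth is returned for logging.
func CollectAuth(cs []Checkout) (map[string]sideRepoAuth, []string) {
	byRepo, ignored := map[string]sideRepoAuth{}, []string{}
	for _, c := range cs {
		next := sideRepoAuth{Token: c.GitHubToken, App: c.GitHubApp}
		if cur, seen := byRepo[c.Repo]; !seen || cur.empty() {
			byRepo[c.Repo] = next
		} else if !next.empty() {
			ignored = append(ignored, c.Repo)
		}
	}
	return byRepo, ignored
}

// EffectiveToken returns the expression for github-token: and GH_TOKEN:.
func EffectiveToken(a sideRepoAuth) string {
	switch {
	case a.App != nil:
		return "${{ steps.side-repo-app-token.outputs.token }}"
	case a.Token != "":
		return a.Token
	default: // neither github-token: nor github-app: configured
		return "${{ secrets.GH_AW_GITHUB_TOKEN }}"
	}
}

func main() {
	// Constructed input: no auth, then App auth, then a token for the same repo.
	auth, ignored := CollectAuth([]Checkout{{Repo: "octo/side"},
		{Repo: "octo/side", GitHubApp: &AppConfig{AppID: "${{ vars.APP_ID }}"}},
		{Repo: "octo/side", GitHubToken: "${{ secrets.SIDE_PAT }}"}})
	fmt.Println(EffectiveToken(auth["octo/side"]), ignored)
}
```

Returning the ignored repos instead of dropping them silently keeps the precedence decision auditable when two checkouts of the same repo disagree on credentials.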