Skip to content

Switch preview-deploy team check from PAT to GitHub App token#68

Open
nicholasdbrady wants to merge 1 commit into
mainfrom
preview-deploy-github-app-token
Open

Switch preview-deploy team check from PAT to GitHub App token#68
nicholasdbrady wants to merge 1 commit into
mainfrom
preview-deploy-github-app-token

Conversation

@nicholasdbrady

Copy link
Copy Markdown
Member

Why

The FORGEBOOK_TEAM_READ_TOKEN fine-grained PAT from #67 turned out to be impractical: Microsoft's open-source enterprise policy caps fine-grained PATs at 8 days, which would require manually regenerating and updating the secret every week, and the workflow would silently break the moment it expired. That secret was never actually created, so the team-membership check has been failing loudly since #67 merged (as designed, but not sustainable long-term).

Approach

Replaced the PAT with a minimal GitHub App:

  • The app needs exactly one permission: Organization permissions -> Members: Read-only.
  • Installed on the microsoft-foundry org.
  • actions/create-github-app-token (official GitHub Action) mints a fresh 1-hour installation token at the start of each preview-deploy.yml run, from the app's ID and private key. Nothing to rotate, ever.
  • Bonus: API calls now show up as the app's identity in audit logs, not a personal account.

What's needed before this works

Same category of manual, one-time setup as the PAT would have needed, just a different UI flow:

  1. Create a GitHub App owned by microsoft-foundry with Members: Read-only org permission (no other permissions, no webhook needed).
  2. Install it on the microsoft-foundry org.
  3. Generate a private key for the app.
  4. Add FORGEBOOK_APP_ID and FORGEBOOK_APP_PRIVATE_KEY as forgebook repo secrets.

Once those exist, re-running Deploy PR Preview on any open fork PR (e.g. #66) will complete the team-membership check without any further rotation.

No functional change to the build/cleanup halves of the split from #67 — this only touches how preview-deploy.yml authenticates for the team-membership check.

Microsoft's open-source enterprise policy caps fine-grained PATs at 8 days,
which makes the FORGEBOOK_TEAM_READ_TOKEN approach from #67 impractical: it
would need manual rotation every week and silently break the workflow on
expiry. Replaced it with a minimal GitHub App (org permission: Members,
read-only) installed on microsoft-foundry. actions/create-github-app-token
mints a fresh 1-hour installation token per run from the app's ID + private
key, so there is nothing to rotate.

Requires a maintainer to create and install the app, then set the
FORGEBOOK_APP_ID and FORGEBOOK_APP_PRIVATE_KEY repo secrets (replacing the
now-unused FORGEBOOK_TEAM_READ_TOKEN, which was never actually created).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant