From 71184380476f9733aeaab5589f42ad18114d67d2 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Tue, 26 May 2026 16:18:48 -0700
Subject: [PATCH] fix(fix-dependabot-alerts): refresh app token before creating PR

GitHub App installation tokens expire after 1 hour, but the build and verify phase routinely runs longer than that. The original app token minted at job start was expired by the time the `Create pull request` step ran, causing `gh pr list` / `gh pr create` to fail with 401 Bad credentials. The `git push` itself succeeded because actions/checkout uses the workflow's own GITHUB_TOKEN (valid for the full job lifetime), so the branch was pushed but no PR was opened.

Mint a fresh app token immediately before the create-PR step.

Repro: workflow_dispatch run 26475336645 (job duration 1h 14m).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/fix-dependabot-alerts.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/fix-dependabot-alerts.yml b/.github/workflows/fix-dependabot-alerts.yml
index 3156bcfa1..d0622a541 100644
--- a/.github/workflows/fix-dependabot-alerts.yml
+++ b/.github/workflows/fix-dependabot-alerts.yml
@@ -431,10 +431,25 @@ jobs:
           echo "shell_ok=true" >> "$GITHUB_OUTPUT"
 
       # ── Create PR ───────────────────────────────────────────────────
+      # GitHub App installation tokens expire after 1 hour. The build/verify
+      # phase routinely runs longer than that, so the original app-token
+      # minted at job start is expired by the time we get here, causing
+      # `gh pr create` to fail with 401 Bad credentials (the `git push`
+      # itself works because actions/checkout uses the workflow's own
+      # GITHUB_TOKEN, which is valid for the full job lifetime). Mint a
+      # fresh app token immediately before any late-running `gh` calls.
+      - name: Refresh GitHub App token
+        id: app-token-pr
+        if: ${{ steps.fix.outputs.changes == 'true' && steps.build.outputs.build_ok == 'true' }}
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.DEPENDABOT_APP_ID }}
+          private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }}
+
       - name: Create pull request
         if: ${{ steps.fix.outputs.changes == 'true' && steps.build.outputs.build_ok == 'true' }}
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GH_TOKEN: ${{ steps.app-token-pr.outputs.token }}
         run: |
           BRANCH="automated/fix-dependabot-alerts-$(date +%Y%m%d)-${{ github.run_number }}"
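Review bot: The refreshed token in the new `Refresh GitHub App token` step is minted with the App's full installation permissions and from the mutable `@v1` tag, although the only consumer is `gh pr list` / `gh pr create` on this repository. Pin the action to a full commit SHA, e.g. `uses: actions/create-github-app-token@<full-sha>  # v1.x`, and narrow the token under `with:` with `permission-contents: write` and `permission-pull-requests: write` so a leaked or logged token cannot do more than open the PR (the `permission-*` inputs are available in recent v1 releases — confirm against the pinned version). The step's `if:` is a verbatim copy of the `Create pull request` gate; if one is edited without the other, the PR step runs with an empty `GH_TOKEN` and fails the same way this commit fixes, so a comment tying the two together, such as `# keep this condition identical to "Create pull request" below`, is worth adding. The job's original `app-token` step and the rest of the `steps:` list lie outside this hunk.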