chore: migrate nightly scan to GitHub App token #6

@maniSbindra

Description

Summary

The nightly scan workflow (nightly-scan.yml) was originally designed to use a GitHub App token (actions/create-github-app-token) for pushing scan results directly to main. However, the required secrets (APP_ID, APP_PRIVATE_KEY) are not configured, and creating/installing a GitHub App on the microsoft org requires permissions not currently available.

Current Workaround

The workflow has been updated to use the built-in GITHUB_TOKEN with a branch + manual PR approach:

  1. The nightly scan runs and produces scan artifacts
  2. Results are committed to a nightly-scan-results branch
  3. The workflow attempts to create or update a PR targeting main
  4. If GitHub blocks that action, the workflow still succeeds and emits a manual PR link in the job summary
  5. A team member manually opens, reviews, and merges the PR

Path-Scoped Validation

A dedicated CI check (validate-nightly-pr.yml) ensures that nightly scan PRs only modify the 3 expected files:

  • azure_linux_images.db
  • docs/daily_recommendations.md
  • docs/daily_recommendations.json

If any other file is modified, the check fails. Additionally, the nightly scan workflow includes inline path validation before pushing results.
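The allow-list check below is an added example, not the repository's own validate-nightly-pr.yml; it shows the shape of the path-scoped validation described above. It takes the changed-file list as a single newline-separated string (what `git diff --name-only base...head` prints), matches each entry exactly against the three expected files, and fails on anything else. The function and variable names are assumptions for illustration, and the sample change sets are constructed.

```shell
# Added example (not the project's own code): exact-match allow-list for the
# nightly scan change set. Exact matching matters: a prefix or glob match would
# let e.g. docs/daily_recommendations.md.bak or a nested path slip through.
ALLOWED_PATHS="azure_linux_images.db
docs/daily_recommendations.md
docs/daily_recommendations.json"

# validate_nightly_paths CHANGED
#   CHANGED is a newline-separated list of paths (constructed or from git).
#   Returns 0 if every path is allowed, 1 otherwise; offenders go to stderr.
validate_nightly_paths() {
  _changed="$1"
  _bad=0
  _oldifs=$IFS
  IFS='
'
  for _p in $_changed; do
    [ -z "$_p" ] && continue
    _ok=0
    for _a in $ALLOWED_PATHS; do
      [ "$_p" = "$_a" ] && _ok=1
    done
    if [ "$_ok" -eq 0 ]; then
      echo "unexpected file in nightly scan change set: $_p" >&2
      _bad=1
    fi
  done
  IFS=$_oldifs
  return $_bad
}

# check_nightly_range BASE HEAD
#   Realistic usage inside a CI step: compare the PR head against its base.
#   (Not exercised offline; requires a git checkout with both refs.)
check_nightly_range() {
  validate_nightly_paths "$(git diff --name-only "$1...$2")"
}
```

Running the check on `git diff --name-only` output (rather than on the PR's file list from the API) means renames and deletions show up as paths too, so a deleted or renamed allowed file is still accepted only under its listed name.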

Current Repository Limitation

On this repository, GitHub Actions can push the nightly-scan-results branch with GITHUB_TOKEN, but it cannot create or update pull requests. The workflow currently fails with:

GraphQL: GitHub Actions is not permitted to create or approve pull requests (createPullRequest)

To keep the nightly scan usable without broader org changes, the workflow now degrades gracefully:

  • It pushes the results branch successfully
  • It emits a manual PR URL in the workflow summary when PR creation/update is blocked
  • A human opens the PR manually, which then allows normal PR-triggered checks to run
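The step below is an added example, not the repository's own workflow code, of the graceful degradation described above. The command that would create or update the PR (in the real workflow, a `gh pr create`/`gh pr edit` call) is passed in as arguments so the fallback can be exercised offline. It falls back only when the failure output contains the specific "not permitted to create or approve pull requests" message quoted in this issue; any other failure is still reported as a failure, so an unrelated outage is not silently masked. The compare URL format is GitHub's standard one; the owner/repo, branch names and summary file path are parameters standing in for the repository and `$GITHUB_STEP_SUMMARY`.

```shell
# Added example (not the project's own code): attempt PR creation, fall back
# to a manual link only on the known permission error.

# manual_pr_url OWNER/REPO BASE HEAD
#   Link a human can open to create the PR by hand (GitHub compare view).
manual_pr_url() {
  printf 'https://github.com/%s/compare/%s...%s?expand=1\n' "$1" "$2" "$3"
}

# create_pr_or_fallback SUMMARY_FILE OWNER/REPO BASE HEAD CMD [ARGS...]
#   Runs CMD. On success, records that in the summary. If CMD fails with the
#   "not permitted to create or approve pull requests" error, writes the manual
#   PR link to the summary and returns 0 so the pushed results branch is kept.
#   Any other failure is echoed and returned as 1.
create_pr_or_fallback() {
  _summary="$1"; _repo="$2"; _base="$3"; _head="$4"
  shift 4
  if _out=$("$@" 2>&1); then
    printf '## Nightly scan\nPR created/updated for %s -> %s\n' "$_head" "$_base" >> "$_summary"
    return 0
  fi
  case "$_out" in
    *"not permitted to create or approve pull requests"*)
      _url=$(manual_pr_url "$_repo" "$_base" "$_head")
      {
        printf '## Nightly scan: manual PR needed\n'
        printf 'GITHUB_TOKEN cannot create pull requests on this repository.\n'
        printf 'Open the PR manually: %s\n' "$_url"
      } >> "$_summary"
      return 0
      ;;
    *)
      printf '%s\n' "$_out" >&2
      return 1
      ;;
  esac
}
```

In the workflow the call would look like `create_pr_or_fallback "$GITHUB_STEP_SUMMARY" "$GITHUB_REPOSITORY" main nightly-scan-results gh pr create --base main --head nightly-scan-results --fill`; the run succeeds either way, but the summary makes it obvious whether a human still has to open the PR.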

Security Considerations

  • Path validation prevents unexpected files from being committed or merged
  • Manual review ensures a human verifies scan results before they land on main
  • Residual risk: If upstream tools (Syft, Trivy) or MCR images were compromised, they could produce valid-looking but incorrect scan data. This risk exists equally in all approaches, including the original direct-push design with a GitHub App token.
  • Audit trail: Every nightly update is visible as a PR with a full diff, which is more auditable than the original direct-push approach.

Future Migration to GitHub App Token

Once a GitHub App is available and installed on this repo:

  1. Create a GitHub App with contents: write and the permissions needed for the desired merge model
  2. Install it on the microsoft/sbi repository
  3. Add APP_ID and APP_PRIVATE_KEY as repository secrets
  4. Revert the workflow to use actions/create-github-app-token
  5. Decide whether to keep the PR-based flow or return to direct push, depending on branch protection and review requirements
  6. Simplify the nightly workflow and supporting validation once the new authentication model is in place
