From 5806f76c89af8f798a9551e5a94aaafe21ba2754 Mon Sep 17 00:00:00 2001
From: Swarup Ghosh <swghosh@redhat.com>
Date: Tue, 9 Jun 2026 12:42:49 +0530
Subject: [PATCH] Use gh-token-minter image for token minting in CI step

Replace inline bash/openssl JWT minting with the gh-token-minter
image's CLI mode, which handles the same logic via ghpat_server.py.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
---
 .../openshift-eng-oape-ai-e2e-main.yaml       | 30 +++----------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
index 166ef78592eef..fce1370f113a9 100644
--- a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
+++ b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
@@ -46,37 +46,15 @@ tests:
     - as: mint-gh-token
       commands: |
         set -euo pipefail
-        GH_APP_ID=$(cat /var/run/github-app/app-id)
-        PEM_PATH="/var/run/github-app/private-key.pem"
-
-        HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
-        NOW=$(date +%s)
-        EXP=$((NOW + 300))
-        PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$NOW" "$EXP" "$GH_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
-        UNSIGNED="${HEADER}.${PAYLOAD}"
-        SIGNATURE=$(printf '%s' "$UNSIGNED" | openssl dgst -sha256 -sign "$PEM_PATH" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
-        JWT="${UNSIGNED}.${SIGNATURE}"
-
-        INST_ID=$(curl -sf \
-          -H "Authorization: Bearer ${JWT}" \
-          -H "Accept: application/vnd.github+json" \
-          -H "X-GitHub-Api-Version: 2022-11-28" \
-          https://api.github.com/app/installations \
-          | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
-
+        export GH_APP_ID=$(cat /var/run/github-app/app-id)
+        export GH_APP_PEM_FILE_PATH="/var/run/github-app/private-key.pem"
         set +x
-        TOKEN=$(curl -sf -X POST \
-          -H "Authorization: Bearer ${JWT}" \
-          -H "Accept: application/vnd.github+json" \
-          -H "X-GitHub-Api-Version: 2022-11-28" \
-          "https://api.github.com/app/installations/${INST_ID}/access_tokens" \
-          | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
-        echo "${TOKEN}" > "${SHARED_DIR}/gh-token"
+        python /app/ghpat_server.py > "${SHARED_DIR}/gh-token"
       credentials:
       - mount_path: /var/run/github-app
         name: openshift-app-platform-shift-github-bot
         namespace: test-credentials
-      from: agent-worker
+      from: gh-token-minter
       resources:
         requests:
           cpu: 100m