fix(agreements): mint GitHub App installation token in-job

[mbruzda-splunk]

Problem

Add-on repos rolled out from splunk/addonfactory-repository-template now fail the CLA/COC check on every PR, e.g.:

• https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/27142130630/job/80109909815?pr=971

with:

##[error]Please add a personal access token as an environment variable for writing signatures in a remote repository/organization as mentioned in the README.md file
##[error]Could not retrieve repository contents. Status: unknown

Root cause

The template's caller workflow mints a GitHub App installation token in a separate generate-token job and passes it via job outputs to call-workflow-agreements:

jobs:
  generate-token:
    outputs:
      token: ${{ steps.app-token.outputs.token }}
    steps:
      - uses: actions/create-github-app-token@v3
        ...
  call-workflow-agreements:
    needs: generate-token
    uses: splunk/addonfactory-github-workflows/.github/workflows/reusable-agreements.yaml@v1.4
    secrets:
      PERSONAL_ACCESS_TOKEN: ${{ needs.generate-token.outputs.token }}

GitHub Actions auto-classifies the App installation token as a secret and strips it from job outputs with the annotation:

Skip output 'token' since it may contain secret.

So needs.generate-token.outputs.token resolves to an empty string, PERSONAL_ACCESS_TOKEN is empty in the consuming job, and contributor-assistant/github-action rejects the call. This calling pattern cannot be made to work — the App token must be minted in the same job that consumes it.

Change

reusable-agreements.yaml now mints the App token inside each job when App credentials are supplied:

• Adds two optional secrets: GH_APP_CLIENT_ID and GH_APP_PRIVATE_KEY.
• If both are set, an installation token scoped to splunk/cla-agreement is generated via actions/create-github-app-token@v3 immediately before invoking contributor-assistant/github-action@v2.6.1.
• Falls back to legacy PERSONAL_ACCESS_TOKEN when App credentials are not provided (back-compat with existing callers).
• GH_TOKEN is now optional and defaults to github.token.

Callers using App-token auth can simplify to:

jobs:
  call-workflow-agreements:
    uses: splunk/addonfactory-github-workflows/.github/workflows/reusable-agreements.yaml@vX.Y
    permissions:
      actions: read
      contents: read
      pull-requests: write
      statuses: read
    secrets:
      GH_APP_CLIENT_ID:   ${{ secrets.GH_APP_CLIENT_ID }}
      GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}

No generate-token job, no PAT.

Backwards compatibility

Fully backwards compatible:

Caller passes	Behavior
PERSONAL_ACCESS_TOKEN (legacy)	Used directly, as before.
GH_APP_CLIENT_ID + GH_APP_PRIVATE_KEY	Token minted in-job and used.
Both	App token wins (preferred).
Neither	Action will fail with original error (no-op for repos without remote signatures setup).

GH_TOKEN is now optional; existing callers passing it continue to work.

Test plan

End-to-end test via downstream PR — patches splunk-add-on-for-crowdstrike-fdr PR #971 to call this branch's reusable-agreements.yaml with the App secrets. Will link the green run here before merge.

Made with Cursor

[mbruzda-splunk]

End-to-end test: GREEN

Tested against splunk/splunk-add-on-for-crowdstrike-fdr PR #973.

A throwaway workflow on that PR calls reusable-agreements.yaml@fix/agreements-mint-app-token-in-job with only:

secrets:
  GH_APP_CLIENT_ID:   ${{ secrets.GH_APP_CLIENT_ID }}
  GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}

Result: https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/27171499098

Job	Generate App token	CLA / COC Assistant	Overall
ContributorLicenseAgreement	success	success	success
CodeOfConduct	success	success	success

The action successfully authenticated to splunk/cla-agreement using the in-job-minted installation token — i.e. the failure observed on PR #971 (Could not retrieve repository contents. Status: unknown) is fixed.

Note about the test

The end-to-end run required momentarily widening the if: guard on the action step to also accept github.event_name == 'pull_request', so the test could trigger from the head branch (under pull_request_target, the workflow file would have been read from main, defeating the purpose of testing a branch change). That commit has been reverted (git reset --hard HEAD~1 + force push). What remains on the branch is:

1. fix(agreements): mint GitHub App installation token in-job
2. fix(agreements): bridge secrets to step if via job env

A prior intermediate run with the production if: guards also proved the App-token mint step worked: https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/27171437154

[srv-rr-github-token]

🎉 This PR is included in version 1.7.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀