
Use GitHub App token for CLA commits to satisfy signed commits policy #61

Merged
roryabraham merged 2 commits into main from Rory-CLAGitHubAppToken on May 7, 2026

Conversation

@roryabraham

Contributor

Problem

The CLA bot (CLABotify) was using a Personal Access Token (CLA_BOTIFY_TOKEN) to push commits to the Expensify/CLA repository. When the Expensify org enabled the "Enforce signed commits" ruleset on 2026-04-09, this started failing — PAT-authenticated API commits are not automatically signed by GitHub.

Solution

Replace the PAT with a GitHub App installation token. Commits made via the REST API with a GitHub App installation token are automatically signed by GitHub's web-flow GPG key — no GPG key management required.

This adds a new step before the CLA Assistant action that generates a scoped installation token (limited to the Expensify/CLA repository) using actions/create-github-app-token@v3.1.1.

Required setup (before merging)

  1. Create a GitHub App (or reuse an existing one) with contents: write permission, installed on Expensify/CLA
  2. Add two org-level secrets (or secrets on each calling repo):
    • CLA_GITHUB_APP_CLIENT_ID — the App's client ID
    • CLA_GITHUB_APP_PRIVATE_KEY — the App's RSA private key (PEM format)

Fixed Issues

$ https://github.com/Expensify/Expensify/issues/631744

Tests

  • Verify the workflow runs end-to-end after the GitHub App and secrets are configured (trigger by opening a test PR from an external contributor and having them sign the CLA)

PR Author Checklist

  • I linked the correct issue in the Fixed Issues section above
  • I wrote clear testing steps for all QA scenarios
  • I added comments to the code to explain why, not what the code is doing
  • I confirmed my changes don't break any other existing functionality

Made with Cursor
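The workflow shape the description refers to, as an added illustration rather than the PR's own diff: an installation-token step scoped to Expensify/CLA, the CLA Assistant step consuming that token, and a post-check that the resulting commit on Expensify/CLA carries a valid signature. The action pin for the token step and the two secret names come from the PR; the CLA Assistant action version, the signatures path, the CLA document URL, the target branch and the `permission-contents` input are assumptions for the example.

```yaml
# Added example (not the PR's own workflow): mint a scoped GitHub App
# installation token, hand it to the CLA Assistant, then confirm the commit
# it produced is signed so the "Enforce signed commits" ruleset accepts it.
name: CLA

on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

jobs:
  cla:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      statuses: write
    steps:
      # Short-lived installation token limited to the Expensify/CLA repository.
      # app-id accepts the App's client ID; permission-contents narrows the
      # token to the one permission the push needs (input assumed present in
      # the pinned version; check the action's README for v3.1.1).
      - name: Generate CLA App token
        id: cla-app-token
        uses: actions/create-github-app-token@v3.1.1
        with:
          app-id: ${{ secrets.CLA_GITHUB_APP_CLIENT_ID }}
          private-key: ${{ secrets.CLA_GITHUB_APP_PRIVATE_KEY }}
          owner: Expensify
          repositories: CLA
          permission-contents: write

      # The CLA Assistant pushes signature records to the remote repo through
      # the REST API using PERSONAL_ACCESS_TOKEN. With an App installation
      # token those commits are signed by GitHub's web-flow key, which is the
      # whole point of the change. Version, paths and branch are assumed.
      - name: CLA Assistant
        uses: contributor-assistant/github-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ steps.cla-app-token.outputs.token }}
        with:
          path-to-signatures: signatures/cla.json
          path-to-document: https://github.com/Expensify/CLA/blob/main/CLA.md
          remote-organization-name: Expensify
          remote-repository-name: CLA
          branch: main

      # Defensive post-check: read the newest commit on the target branch and
      # fail the job if GitHub does not report it as verified. A PAT-made
      # commit would show verified=false with reason=unsigned here.
      - name: Verify latest CLA commit is signed
        env:
          GH_TOKEN: ${{ steps.cla-app-token.outputs.token }}
        run: |
          verified=$(gh api repos/Expensify/CLA/commits/main --jq '.commit.verification.verified')
          reason=$(gh api repos/Expensify/CLA/commits/main --jq '.commit.verification.reason')
          echo "verified=${verified} reason=${reason}"
          [ "${verified}" = "true" ] || exit 1
```

The token step runs with only `contents: read` on the calling repo; write access to Expensify/CLA comes solely from the App installation, so the blast radius of a leaked job token stays confined to the CLA repository and to the lifetime of the installation token.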

Replaces the CLABotify PAT with a GitHub App installation token.
GitHub App tokens are automatically signed by GitHub's web-flow GPG key,
which satisfies the org-level signed commits enforcement ruleset.
Refs Expensify/Expensify#631744

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham requested a review from AndrewGable May 6, 2026 23:58
@roryabraham roryabraham marked this pull request as ready for review May 6, 2026 23:58
@roryabraham roryabraham merged commit 533c327 into main May 7, 2026
4 checks passed
@roryabraham roryabraham deleted the Rory-CLAGitHubAppToken branch May 7, 2026 00:03