ci(project): switch auto-add-to-project to GitHub App auth

zackees · claude · zackees · commit b7dee0bad179 · 2026-04-18T08:42:39.000-07:00
Replaces the PAT-based token with a token minted from the FastLED
Project Sync GitHub App (ID 3422407). Installation tokens rotate
automatically and scope is narrow (Projects read/write only).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -2,14 +2,21 @@ name: add-to-project
 
 # Auto-adds every new issue / PR to the FastLED Tracker project (#1).
 #
-# This is a minimal fallback sync — the repo also has `project_automation.yml`
-# which handles auto-add PLUS Status field transitions, but that one is gated
-# on a GitHub App being configured (PROJECT_APP_ID / PROJECT_APP_PRIVATE_KEY).
-# Until the App is wired up, this file covers the auto-add behavior using a
-# PAT stored in `secrets.ADD_TO_PROJECT_PAT`.
+# Auth: GitHub App "FastLED Project Sync" — scoped to Projects: read/write +
+# Contents/Issues/Pull requests: read. No expiration (App installation tokens
+# auto-rotate). The App ID lives in a repo variable; the private key lives in
+# a repo secret.
 #
-# The PAT needs `project` and `repo` scopes. Rotate via:
-#   gh secret set ADD_TO_PROJECT_PAT --repo FastLED/FastLED --body "<new-pat>"
+# Required configuration (already set on all 6 feeder repos):
+#   vars.PROJECT_APP_ID           = 3422407
+#   vars.PROJECT_OWNER            = FastLED
+#   vars.PROJECT_NUMBER           = 1
+#   secrets.PROJECT_APP_PRIVATE_KEY = <PEM contents>
+#
+# To rotate the App's private key:
+#   1. On https://github.com/organizations/FastLED/settings/apps generate new key
+#   2. For each repo: gh secret set PROJECT_APP_PRIVATE_KEY --repo FastLED/<repo> < new.pem
+#   3. Revoke the old key in the App settings
 
 on:
   issues:
@@ -23,9 +30,18 @@ permissions:
 jobs:
   add:
     runs-on: ubuntu-latest
-    if: ${{ github.event.sender.type != 'Bot' || true }}
+    if: ${{ vars.PROJECT_APP_ID != '' && vars.PROJECT_OWNER != '' }}
     steps:
-      - uses: actions/add-to-project@v1.0.2
+      - name: Generate App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.PROJECT_APP_ID }}
+          private-key: ${{ secrets.PROJECT_APP_PRIVATE_KEY }}
+          owner: ${{ vars.PROJECT_OWNER }}
+
+      - name: Add to project
+        uses: actions/add-to-project@v1.0.2
         with:
-          project-url: https://github.com/orgs/FastLED/projects/1
-          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          project-url: https://github.com/orgs/${{ vars.PROJECT_OWNER }}/projects/${{ vars.PROJECT_NUMBER }}
+          github-token: ${{ steps.app-token.outputs.token }}
