
ci: pr automation use github app token#769

Merged
andykenward merged 2 commits into main from pr/actions-improvements on May 31, 2026

Conversation

@andykenward

@andykenward andykenward commented May 31, 2026

Owner

What

Switch the PR-creating automation workflows from the default GITHUB_TOKEN to a GitHub App token (minted via actions/create-github-app-token).

Affected:

  • .github/workflows/update.yml: download, types, and schema jobs
  • .github/workflows/sync-readme-versions.yml: sync job

Why

PRs (and pushes) created with the repository's GITHUB_TOKEN do not trigger new workflow runs — this is GitHub's recursion guard:

"events triggered by the GITHUB_TOKEN … will not create a new workflow run"
Trigger a workflow

As a result, the automated payload / types / GraphQL-schema / README-version PRs were opening with no test, check-dist, or zizmor checks running, so they could merge unvalidated. Using a GitHub App token makes the bot a distinct actor, so CI runs on the resulting PRs.

Notes

  • Uses the recommended client-id input (the legacy app-id still works but is deprecated).
  • Read-only GITHUB_TOKEN uses are intentionally left unchanged: the pnpm run download script and the GraphQL-schema curl in update.yml.
  • The new action is SHA-pinned (bcd2ba4 / v3.2.0) to match repo convention.

Required repo configuration

This will fail until a GitHub App is wired up. Create/install an App with Contents: read & write and Pull requests: read & write, then add:

  • Variable APP_CLIENT_ID — the App's Client ID
  • Secret APP_PRIVATE_KEY — the App's private key (PEM)

🤖 Generated with Claude Code
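The pattern this PR describes, as an added illustration rather than the repository's own update.yml or sync-readme-versions.yml: a job mints a scoped GitHub App installation token with actions/create-github-app-token, uses it for the branch push and the PR creation (the two actions that must come from a distinct actor so that CI runs on the resulting PR), and keeps the read-only GITHUB_TOKEN for the download step. The job name, branch name, commit message, PR title and the use of `gh pr create` are assumptions; the `client-id`, `private-key`, `permission-contents` and `permission-pull-requests` inputs and the `token` / `app-slug` outputs are real inputs and outputs of the action. The full pinned commit SHA is left as a placeholder because the page shows only the abbreviation bcd2ba4.

```yaml
# Added example, not the repository's workflow. Job/branch/title names are assumed.
name: update

on:
  schedule:
    - cron: "0 6 * * *"
  workflow_dispatch:

jobs:
  download:
    runs-on: ubuntu-latest
    # The job-level GITHUB_TOKEN stays read-only. Write access comes only from
    # the App token minted below, so an accidental write with GITHUB_TOKEN fails.
    permissions:
      contents: read
    steps:
      # Mint a short-lived installation token scoped to exactly what this job
      # needs (push a branch, open a PR) instead of inheriting every permission
      # the App was installed with. client-id is the recommended input; app-id
      # is deprecated.
      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@<full-commit-sha> # v3.2.0 (page shows bcd2ba4 only)
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}        # repo variable named in the PR description
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # repo secret (PEM) named in the PR description
          permission-contents: write                  # push the automation branch
          permission-pull-requests: write             # open the pull request

      # Check out with the App token so the later git push authenticates as the
      # App. A push made with GITHUB_TOKEN would not trigger test / check-dist /
      # zizmor on the resulting PR (GitHub's recursion guard).
      - uses: actions/checkout@<full-commit-sha> # v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      # Read-only work intentionally keeps using GITHUB_TOKEN, as in the PR.
      - name: Download payload
        run: pnpm run download
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Commit, push and open the PR as the App. Values go in via env, not via
      # ${{ }} inside the script, so nothing is template-injected into the shell.
      - name: Push branch and open PR
        env:
          BRANCH: bot/update-payload            # assumed branch name
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}  # gh authenticates as the App
        run: |
          set -euo pipefail
          git config user.name "${APP_SLUG}[bot]"
          git config user.email "${APP_SLUG}[bot]@users.noreply.github.com"
          git checkout -B "$BRANCH"
          git add -A
          if git diff --cached --quiet; then
            echo "payload unchanged, nothing to open"
            exit 0
          fi
          git commit -m "chore: update payload"
          git push --force origin "$BRANCH"
          # Only open a PR if one is not already open for this branch.
          if [ -z "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[0].number')" ]; then
            gh pr create --base main --head "$BRANCH" \
              --title "chore: update payload" \
              --body "Automated update opened by ${APP_SLUG}[bot]."
          fi
```

Two checks worth making once the App is wired up: the PR should show the App's `[bot]` account as author rather than github-actions, and the test, check-dist and zizmor workflows should appear on it. Keeping `permissions: contents: read` on the job means the installation token, not GITHUB_TOKEN, is the only credential that can push, which makes the scoping in the minting step the single place to audit.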

@changeset-bot

changeset-bot Bot commented May 31, 2026


⚠️ No Changeset found

Latest commit: c7602e4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Limit the minted GitHub App token to the permissions each automation
job actually needs (contents:write to push the branch, pull-requests:write
to open the PR) instead of inheriting the App's blanket installation
permissions, per zizmor.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@andykenward andykenward merged commit caaca8f into main May 31, 2026
10 checks passed
@andykenward andykenward deleted the pr/actions-improvements branch May 31, 2026 18:18
2 participants