chore: replace CDK_REPO_TOKEN PAT with GitHub App token in e2e workflows (#181)

aidandaly24 · web-flow · commit 8435a4361fb8 · 2026-05-11T16:26:40.000-04:00
Use actions/create-github-app-token@v1 to generate a short-lived token
for cloning the CDK repo instead of the CDK_REPO_TOKEN PAT secret.
diff --git a/.github/workflows/e2e-tests-full.yml b/.github/workflows/e2e-tests-full.yml
@@ -57,6 +57,13 @@ jobs:
           parse-json-secrets: true
       - run: npm ci
       - run: npm run build
+      - name: Generate GitHub App Token
+        if: matrix.cdk-source == 'main'
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Build CDK package from main
         if: matrix.cdk-source == 'main'
         run: |
@@ -67,7 +74,7 @@ jobs:
           TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
           echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
         env:
-          CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
+          CDK_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
       - name: Install CLI globally
         run: npm install -g "$(npm pack | tail -1)"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -76,8 +76,12 @@ jobs:
             E2E,${{ secrets.E2E_SECRET_ARN }}
           parse-json-secrets: true
 
-      # Build @aws/agentcore-cdk from source for cross-package testing.
-      # Requires secrets: CDK_REPO_NAME (org/repo), CDK_REPO_TOKEN (fine-grained PAT)
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Build CDK package from main
         run: |
           git clone --depth 1 "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
@@ -87,7 +91,7 @@ jobs:
           TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
           echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
         env:
-          CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
+          CDK_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
 
       - run: npm ci
