chore: replace CDK_REPO_TOKEN PAT with GitHub App token in e2e workflows (#1201)

aidandaly24 · web-flow · commit fc675346f4f3 · 2026-05-20T11:57:25.000-04:00
Use actions/create-github-app-token@v1 to generate a short-lived token
for cloning the CDK repo instead of the CDK_REPO_TOKEN PAT secret.
diff --git a/.github/workflows/e2e-tests-full.yml b/.github/workflows/e2e-tests-full.yml
@@ -57,6 +57,14 @@ jobs:
           parse-json-secrets: true
       - run: npm ci
       - run: npm run build
+      - name: Generate GitHub App Token
+        if: matrix.cdk-source == 'main'
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: aws
       - name: Build CDK package from main
         if: matrix.cdk-source == 'main'
         run: |
@@ -67,7 +75,7 @@ jobs:
           TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
           echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
         env:
-          CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
+          CDK_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
       - name: Install CLI globally
         run: npm install -g "$(npm pack | tail -1)"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -79,8 +79,15 @@ jobs:
             E2E,${{ secrets.E2E_SECRET_ARN }}
           parse-json-secrets: true
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: aws
       # Build @aws/agentcore-cdk from source for cross-package testing.
-      # Requires secrets: CDK_REPO_NAME (org/repo), CDK_REPO_TOKEN (fine-grained PAT)
+      # Requires secret: CDK_REPO_NAME (org/repo). Token is generated by the App above.
       - name: Build CDK package
         run: |
           CDK_BRANCH="${{ inputs.cdk_branch || 'main' }}"
@@ -92,7 +99,7 @@ jobs:
           TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
           echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
         env:
-          CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
+          CDK_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
 
       - run: npm ci
