From 9c28f9ce51507b1b65f60b36e20ef3513126eee8 Mon Sep 17 00:00:00 2001
From: Missy Messa
Date: Thu, 21 May 2026 09:30:54 -0700
Subject: [PATCH] Reduce GitHub PAT rotation interval from 60 to 30 days

The previous 60-day rotation interval left only a 30-day buffer before the 90-day PAT expiration on GitHub. If manual rotations or timing drift caused mismatches between the KeyVault next-rotation-on tag and the actual PAT expiry, builds would fail unexpectedly. Reducing to 30 days provides a 60-day buffer, making it much less likely that a PAT expires before secret-manager triggers rotation.
Fixes: https://dev.azure.com/dnceng/internal/_workitems/edit/9752
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../SecretTypes/GitHubAccessToken.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/SecretManager/Microsoft.DncEng.SecretManager/SecretTypes/GitHubAccessToken.cs b/src/SecretManager/Microsoft.DncEng.SecretManager/SecretTypes/GitHubAccessToken.cs
index 711b02875..ee0bc56eb 100644
--- a/src/SecretManager/Microsoft.DncEng.SecretManager/SecretTypes/GitHubAccessToken.cs
+++ b/src/SecretManager/Microsoft.DncEng.SecretManager/SecretTypes/GitHubAccessToken.cs
@@ -8,7 +8,7 @@ namespace Microsoft.DncEng.SecretManager.SecretTypes;
 [Name("github-access-token")]
 public class GitHubAccessToken : GitHubAccountInteractiveSecretType
 {
- private const int _nextRotationOnDeltaDays = 60;
+ private const int _nextRotationOnDeltaDays = 30;
 private const int _expirationInDays = 90;
 
 public class Parameters
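Review bot: The new value `30` for `_nextRotationOnDeltaDays` has no comment tying it to `_expirationInDays = 90` on the next line, so the 60-day buffer described in the commit message is recorded only in history. I would add above the two constants `// Rotate well before the 90-day GitHub PAT expiry; keep _nextRotationOnDeltaDays < _expirationInDays (currently a 60-day buffer).` Nothing visible in the hunk enforces that ordering, so a later edit to either constant could silently remove the buffer. The class body continues outside the hunk, so whether the superseded PAT is revoked at rotation cannot be seen here; if it is not, each replaced token would remain valid for roughly 60 more days, which is worth confirming.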