ci: use GitHub App token for cross-repo dispatch instead of expiring PAT#1361
Merged
Merged
Conversation
Replace secrets.DISPATCH_WORKFLOWS_TOKEN (an expiring PAT) with a short-lived GitHub App token minted at runtime via actions/create-github-app-token, scoped to oauth-service and dashboard. Reuses the GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET pattern already used by the e2e trigger action in this repo. App tokens do not expire, so this removes the recurring token-expiry breakage.
AlexFrontegg
approved these changes
Jul 8, 2026
nivfrontegg
approved these changes
Jul 8, 2026
mariavlasov
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace secrets.DISPATCH_WORKFLOWS_TOKEN (an expiring PAT) with a short-lived GitHub App token minted at runtime via actions/create-github-app-token, scoped to oauth-service and dashboard.
Reuses the GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET pattern already used by the e2e trigger action in this repo. App tokens do not expire, so this removes the recurring token-expiry breakage.
Note
Low Risk
CI-only credential swap for workflow dispatch; no runtime app or package behavior changes, assuming the bot app has dispatch permissions on the target repos.
Overview
After NPM publish, the publish workflow still dispatches
update-react-dependencyworkflows in oauth-service and dashboard, but authentication for those calls no longer usessecrets.DISPATCH_WORKFLOWS_TOKEN.A new Create bot token for dispatch step mints a short-lived token via
actions/create-github-app-token@v1, usingGH_FRONTEGG_BOT_APP_ID/GH_FRONTEGG_BOT_APP_SECRETand limiting access to those two repos—the same bot pattern already used for e2e triggers. The downstreamgithub-scriptstep now passessteps.dispatch_bot_token.outputs.tokenasgithub-tokeninstead of the PAT.Reviewed by Cursor Bugbot for commit fcfa981. Bugbot is set up for automated code reviews on this repo. Configure here.