Skip to content

ci: use GitHub App token for cross-repo dispatch instead of expiring PAT#1361

Merged
raz-shlomo-frontegg merged 1 commit into
masterfrom
fix/dispatch-token-to-github-app
Jul 8, 2026
Merged

ci: use GitHub App token for cross-repo dispatch instead of expiring PAT#1361
raz-shlomo-frontegg merged 1 commit into
masterfrom
fix/dispatch-token-to-github-app

Conversation

@raz-shlomo-frontegg

@raz-shlomo-frontegg raz-shlomo-frontegg commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Replace secrets.DISPATCH_WORKFLOWS_TOKEN (an expiring PAT) with a short-lived GitHub App token minted at runtime via actions/create-github-app-token, scoped to oauth-service and dashboard.

Reuses the GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET pattern already used by the e2e trigger action in this repo. App tokens do not expire, so this removes the recurring token-expiry breakage.


Note

Low Risk
CI-only credential swap for workflow dispatch; no runtime app or package behavior changes, assuming the bot app has dispatch permissions on the target repos.

Overview
After NPM publish, the publish workflow still dispatches update-react-dependency workflows in oauth-service and dashboard, but authentication for those calls no longer uses secrets.DISPATCH_WORKFLOWS_TOKEN.

A new Create bot token for dispatch step mints a short-lived token via actions/create-github-app-token@v1, using GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET and limiting access to those two repos—the same bot pattern already used for e2e triggers. The downstream github-script step now passes steps.dispatch_bot_token.outputs.token as github-token instead of the PAT.

Reviewed by Cursor Bugbot for commit fcfa981. Bugbot is set up for automated code reviews on this repo. Configure here.

Replace secrets.DISPATCH_WORKFLOWS_TOKEN (an expiring PAT) with a
short-lived GitHub App token minted at runtime via
actions/create-github-app-token, scoped to oauth-service and dashboard.

Reuses the GH_FRONTEGG_BOT_APP_ID / GH_FRONTEGG_BOT_APP_SECRET pattern
already used by the e2e trigger action in this repo. App tokens do not
expire, so this removes the recurring token-expiry breakage.
@raz-shlomo-frontegg raz-shlomo-frontegg merged commit ccdda1a into master Jul 8, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants