ci: use GitHub App token for workflows that open PRs and push commits (#1174)

* ci: use GitHub App token for workflows that open PRs and push commits

Workflows triggered by GITHUB_TOKEN do not start downstream workflow
runs, so the PRs opened by the daily metadata and catalog-data jobs,
and the auto-update commits pushed onto contributor PR branches by
update-tools, were landing without CI runs.

Switch to a GitHub App installation token (the same RELEASE_APP_*
pattern already used in toolhive-registry-server) for the steps that
open PRs or push commits, so CI runs as expected.

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* ci: tighten app token usage (perms, concurrency, bot identity)

- Scope the minted installation token to only contents:write and
  pull_requests:write via permission-* inputs, instead of inheriting
  the full set of permissions the GitHub App has on the installation.
- Move workflow-level permissions on update-metadata.yml to the job
  level, leaving the workflow with permissions: {}.
- Add a concurrency group to update-metadata.yml (workflow-level) and
  to ci.yml's update-catalog-data job, so overlapping schedule and
  workflow_dispatch runs cannot race on the force-pushed branch.
- Set git author/committer to the App's bot identity
  (<id>+<app-slug>[bot]@users.noreply.github.com) in all three jobs
  that commit, so commits are unambiguously attributed and can be
  targeted by branch-protection rules.

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

---------

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

Author: rdimitrov

.github/workflows/ci.yml

@@ -77,11 +77,34 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+    concurrency:
+      group: update-catalog-data
+      cancel-in-progress: false
     needs: [lint, validate-and-test]
     if: github.ref == 'refs/heads/main' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
     steps:
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+
+      - name: Get app user ID
+        id: app-user
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+        run: |
+          USER_ID=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
+          echo "id=$USER_ID" >> "$GITHUB_OUTPUT"
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -111,8 +134,8 @@ jobs:
         run: |
           BRANCH="update-catalog-data-${VERSION}"
 
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
+          git config --local user.name "${APP_SLUG}[bot]"
+          git config --local user.email "${APP_USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
 
           # Create or reset the branch
           git checkout -B "$BRANCH"
@@ -162,8 +185,10 @@ jobs:
             gh pr merge "$BRANCH" --auto --squash || true
           fi
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           VERSION: ${{ steps.metadata.outputs.version }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+          APP_USER_ID: ${{ steps.app-user.outputs.id }}
 
   build-pr:
     name: Build Check

.github/workflows/update-metadata.yml

@@ -12,19 +12,42 @@ on:
         default: '5'
         type: string
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
 
 jobs:
   update-metadata:
     name: Update Server Metadata
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+
+      - name: Get app user ID
+        id: app-user
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+        run: |
+          USER_ID=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
+          echo "id=$USER_ID" >> "$GITHUB_OUTPUT"
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -42,11 +65,14 @@ jobs:
           INPUT_COUNT: ${{ github.event.inputs.count || '5' }}
 
       - name: Switch to metadata branch
+        env:
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+          APP_USER_ID: ${{ steps.app-user.outputs.id }}
         run: |
           BRANCH="catalog-update-metadata"
 
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
+          git config --local user.name "${APP_SLUG}[bot]"
+          git config --local user.email "${APP_USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
 
           # Fetch remote branch if it exists so we can build on it
           git fetch origin "$BRANCH" 2>/dev/null || true
@@ -118,5 +144,5 @@ jobs:
             gh pr merge "$BRANCH" --auto --squash || true
           fi
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           UPDATE_COUNT: ${{ steps.count.outputs.value }}

.github/workflows/update-tools.yml

@@ -351,10 +351,28 @@ jobs:
     if: always() && needs.detect-changes.outputs.has-changes == 'true' && github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+
+      - name: Get app user ID
+        id: app-user
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+        run: |
+          USER_ID=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
+          echo "id=$USER_ID" >> "$GITHUB_OUTPUT"
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref || github.ref }}
 
       - name: Download all commit info artifacts
@@ -379,8 +397,8 @@ jobs:
       - name: Commit and push all changes
         if: steps.check_changes.outputs.changes == 'true'
         run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
+          git config --local user.name "${APP_SLUG}[bot]"
+          git config --local user.email "${APP_USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
 
           # Pull any remote changes first to avoid conflicts
           git pull origin "$BRANCH_REF" --rebase
@@ -436,6 +454,8 @@ jobs:
         env:
           BRANCH_REF: ${{ github.head_ref || github.ref_name }}
           GH_ACTOR: ${{ github.actor }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+          APP_USER_ID: ${{ steps.app-user.outputs.id }}
 
   comment-summary:
     name: Post Summary Comment