@aaronsteers aaronsteers commented Sep 4, 2025

chore: replace maintenance PATs with octavia-bot GitHub App authentication

Summary

Replaces Personal Access Token (PAT) authentication with octavia-bot GitHub App authentication across 3 workflow files in the PyAirbyte repository. This standardizes authentication for PR automation workflows and removes dependency on individual maintenance PATs (GH_PAT_MAINTENANCE_OCTAVIA, GH_PAT_APPROVINGTON_OCTAVIA).

Workflows updated:

  • fix-pr-command.yml - Auto-fix lint/format issues on PRs
  • poetry-lock-command.yml - Re-lock dependencies via slash command
  • slash_command_dispatch.yml - Dispatch slash commands to other workflows

All workflows now use the standardized actions/create-github-app-token@v2 pattern with OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY secrets.

Review & Testing Checklist for Human

  • Verify octavia-bot secrets exist: Confirm OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY are properly configured in repository secrets
  • Test slash command workflows: Try /fix-pr and /poetry-lock commands on a test PR to ensure end-to-end functionality works
  • Check permissions: Verify octavia-bot has necessary permissions (contents: write, pull-requests: write, etc.) to perform the same actions as the replaced PATs
  • Validate bot attribution: Ensure commits and PR comments appear correctly attributed to octavia-bot rather than individual user accounts

Notes

These workflows are critical for PR automation and developer productivity. Authentication failures will immediately break slash command functionality. The changes follow the same pattern successfully implemented across other Airbyte repositories.


Link to Devin run: https://app.devin.ai/sessions/a0a8897f6d5b4046bf1ebf8866cf1f4e
Requested by: @aaronsteers

Summary by CodeRabbit

  • Chores
    • Migrated CI automation to GitHub App authentication, replacing static personal access tokens with short-lived tokens generated at runtime.
    • Updated command dispatch and repository checkout steps to use the new authentication flow, aligning dependent steps accordingly.
    • Improves security, reduces secret maintenance, and increases reliability of automation tasks.
    • No user-facing changes; application behavior remains the same.

…ation

- Replace GH_PAT_MAINTENANCE_OCTAVIA and GH_PAT_APPROVINGTON_OCTAVIA usage across 3 workflow files
- Use octavia-bot for all authentication (OCTAVIA_BOT_APP_ID, OCTAVIA_BOT_PRIVATE_KEY)
- Updated workflows: poetry-lock-command, fix-pr-command, slash_command_dispatch
- Standardize GitHub App token generation pattern across PyAirbyte workflows

Co-Authored-By: AJ Steers <[email protected]>
Original prompt from AJ Steers
Received message in Slack channel #ask-devin-ai:

@Devin - find all instances where the maintenance pat is being used in GitHub workflows across the repos you have checked out. We want to replace all or most with the GitHub App "octavia-bot" which you should find working examples of. Let me review the proposed replacements before you start

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


github-actions bot commented Sep 4, 2025

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1725479526-replace-maintenance-pats' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1725479526-replace-maintenance-pats'

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test-pr - Runs tests with the updated PyAirbyte

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.


github-actions bot commented Sep 4, 2025

PyTest Results (Fast Tests Only, No Creds)

301 tests (+25 vs. base), 301 passed ✅ (+26), 0 skipped 💤 (±0), 0 failed ❌ (-1); 1 suite (±0), 1 file (±0); runtime 4m 56s ⏱️ (+1m 38s)

Results for commit f66701f. ± Comparison against base commit 43e5af7.

coderabbitai bot commented Sep 4, 2025


Walkthrough

Switches three GitHub Actions workflows from using static PAT secrets to a runtime GitHub App installation token. Adds an authentication step using actions/create-github-app-token@v2 and updates downstream steps (checkout/dispatch) to use the generated token. Control flow now depends on the token-generation step.

Changes

Cohort / File(s): GitHub App auth migration in workflows
  .github/workflows/fix-pr-command.yml, .github/workflows/poetry-lock-command.yml, .github/workflows/slash_command_dispatch.yml
Summary of changes: Added “Authenticate as GitHub App” step (actions/create-github-app-token@v2, id: get-app-token) using secrets.OCTAVIA_BOT_APP_ID and secrets.OCTAVIA_BOT_PRIVATE_KEY for owner airbytehq and repo PyAirbyte. Replaced PAT-based tokens in subsequent steps with ${{ steps.get-app-token.outputs.token }} (affecting checkout/dispatch steps).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Maintainer as Maintainer
  participant Workflow as GitHub Actions Workflow
  participant AppToken as create-github-app-token@v2
  participant GitHub as GitHub API
  participant Step as Downstream Step (Checkout/Dispatch)

  Maintainer->>Workflow: Trigger workflow
  Workflow->>AppToken: Run "Authenticate as GitHub App"
  AppToken->>GitHub: Exchange App credentials for installation token
  GitHub-->>AppToken: Return installation token
  AppToken-->>Workflow: Output token (steps.get-app-token.outputs.token)
  Workflow->>Step: Execute with token input
  Step->>GitHub: Perform action with app token
  GitHub-->>Step: API responses

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (10)
.github/workflows/poetry-lock-command.yml (6)

70-81: Post comments as octavia-bot (use the App token)

Without an explicit token, comments will come from github-actions[bot]. If you want attribution to octavia-bot, pass the App token, wdyt? (github.com)

-    - name: Append comment with job run link
+    - name: Append comment with job run link
       id: first-comment-action
       uses: peter-evans/create-or-update-comment@v4
       with:
+        token: ${{ steps.get-app-token.outputs.token }}
         comment-id: ${{ github.event.inputs.comment-id }}
         issue-number: ${{ github.event.inputs.pr }}
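Review bot: passing `token: ${{ steps.get-app-token.outputs.token }}` here also changes whose permissions govern the step: the App installation must grant write access for issue/PR comments (create-or-update-comment posts through the issue-comments API), otherwise a step that works today with the default github.token starts failing with a 403 once the App token is supplied. Worth folding into the PR checklist item on verifying octavia-bot's permissions.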

121-129: Success comment should also use App token for attribution

Same rationale as above. Proposed change:

-    - name: Append success comment
+    - name: Append success comment
       uses: peter-evans/create-or-update-comment@v4
       if: steps.git-diff.outputs.changes == 'true'
       with:
+        token: ${{ steps.get-app-token.outputs.token }}
         comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
         reactions: hooray

130-137: Fix condition referencing a non-existent step output (git-diff-2)

This workflow does not define git-diff-2; the condition will error at runtime. Recommend simplifying to only check git-diff, wdyt?

-      if: steps.git-diff.outputs.changes != 'true' && steps.git-diff-2.outputs.changes != 'true'
+      if: steps.git-diff.outputs.changes != 'true'

139-147: Failure comment should use App token for attribution

-    - name: Append failure comment
+    - name: Append failure comment
       uses: peter-evans/create-or-update-comment@v4
       if: failure()
       with:
+        token: ${{ steps.get-app-token.outputs.token }}
         comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
         reactions: confused

99-104: Replace deprecated ::set-output with GITHUB_OUTPUT

Using ::set-output is deprecated and will eventually break. Update to write to $GITHUB_OUTPUT, wdyt?

-      run: |
-        git diff --quiet && echo "No changes to commit" || echo "::set-output name=changes::true"
+      run: |
+        if git diff --quiet; then
+          echo "No changes to commit"
+        else
+          echo "changes=true" >> "$GITHUB_OUTPUT"
+        fi
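Review bot: the `if git diff --quiet; then ... else ... fi` form keeps the original semantics, including that any non-zero exit from git (not only "differences found") is reported as changes=true, which is acceptable for this workflow; note though that `git diff --quiet` ignores untracked files, so a lock or format step that creates a new file would still report no changes and the push step would be skipped.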

115-120: Pushing to contributor forks will likely fail with a GitHub App token

App installation tokens generally don’t have access to a contributor’s fork, even when “Allow edits from maintainers” is enabled (that applies to users, not apps). The prior PAT likely had user access. I’d suggest gating the push to “same-repo PRs only” and falling back to a guidance comment for forks, wdyt?

Example guard and fallback:

-    - name: Push changes to '(${{ steps.vars.outputs.pr-source-repo-name-full }})'
-      if: steps.git-diff.outputs.changes == 'true'
-      run: |
-        git remote add contributor https://github.com/${{ steps.vars.outputs.pr-source-repo-name-full }}.git
-        git push contributor HEAD:${{ steps.vars.outputs.pr-source-git-branch }}
+    - name: Push changes to PR branch (same-repo only)
+      if: steps.git-diff.outputs.changes == 'true' && steps.vars.outputs.pr-source-repo-name-full == github.repository
+      env:
+        GH_APP_TOKEN: ${{ steps.get-app-token.outputs.token }}
+      run: |
+        git remote set-url origin https://x-access-token:${GH_APP_TOKEN}@github.com/${{ github.repository }}.git
+        git push origin HEAD:${{ steps.vars.outputs.pr-source-git-branch }}
+
+    - name: Inform contributor to apply patch (fork PR)
+      if: steps.git-diff.outputs.changes == 'true' && steps.vars.outputs.pr-source-repo-name-full != github.repository
+      uses: peter-evans/create-or-update-comment@v4
+      with:
+        token: ${{ steps.get-app-token.outputs.token }}
+        comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
+        body: |
+          > I couldn't push fixes to your fork with the GitHub App token. Please run `/poetry-lock` locally or enable the bot on your fork, then re-run the command.
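Review bot: `git remote set-url origin https://x-access-token:${GH_APP_TOKEN}@github.com/...` writes the installation token into .git/config in the workspace and shows it in `git remote -v` output for the rest of the job. Since the checkout step at line 48 of this file is already being switched to the App token, actions/checkout persists that credential in the local git config (persist-credentials defaults to true), so the push can be a plain `git push origin HEAD:${{ steps.vars.outputs.pr-source-git-branch }}` with no URL rewrite and no GH_APP_TOKEN env var. The same-repo guard comparing `steps.vars.outputs.pr-source-repo-name-full` with `github.repository` is the right condition for the App-token case.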
.github/workflows/fix-pr-command.yml (4)

62-79: Ensure PR info comments are authored by octavia-bot

Add the App token so comments show as octavia-bot rather than github-actions[bot], wdyt? (github.com)

       uses: peter-evans/create-or-update-comment@v4
       with:
+        token: ${{ steps.get-app-token.outputs.token }}
         comment-id: ${{ github.event.inputs.comment-id }}
         issue-number: ${{ github.event.inputs.pr }}

100-104: Modernize output handling (GITHUB_OUTPUT)

Replace deprecated ::set-output usage, wdyt?

-        git diff --quiet && echo "No changes to commit" || echo "::set-output name=changes::true"
+        if git diff --quiet; then
+          echo "No changes to commit"
+        else
+          echo "changes=true" >> "$GITHUB_OUTPUT"
+        fi

139-144: Likely failure pushing to contributor forks with App token

As above, App tokens typically can’t push to a contributor’s fork. Suggest gating pushes to same-repo PRs and adding a fallback comment for forks, wdyt?

-    - name: Push changes to '(${{ steps.vars.outputs.pr-source-repo-name-full }})'
-      if: steps.git-diff.outputs.changes == 'true' || steps.git-diff-2.outputs.changes == 'true'
-      run: |
-        git remote add contributor https://github.com/${{ steps.vars.outputs.pr-source-repo-name-full }}.git
-        git push contributor HEAD:${{ steps.vars.outputs.pr-source-git-branch }}
+    - name: Push changes to PR branch (same-repo only)
+      if: (steps.git-diff.outputs.changes == 'true' || steps.git-diff-2.outputs.changes == 'true') && steps.vars.outputs.pr-source-repo-name-full == github.repository
+      env:
+        GH_APP_TOKEN: ${{ steps.get-app-token.outputs.token }}
+      run: |
+        git remote set-url origin https://x-access-token:${GH_APP_TOKEN}@github.com/${{ github.repository }}.git
+        git push origin HEAD:${{ steps.vars.outputs.pr-source-git-branch }}
+
+    - name: Inform contributor to apply patch (fork PR)
+      if: (steps.git-diff.outputs.changes == 'true' || steps.git-diff-2.outputs.changes == 'true') && steps.vars.outputs.pr-source-repo-name-full != github.repository
+      uses: peter-evans/create-or-update-comment@v4
+      with:
+        token: ${{ steps.get-app-token.outputs.token }}
+        comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
+        body: |
+          > I couldn't push fixes to your fork with the GitHub App token. Please enable the bot on your fork or apply the changes locally, then re-run `/fix-pr`.
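Review bot: same concern as in the poetry-lock suggestion: rewriting origin to `https://x-access-token:${GH_APP_TOKEN}@github.com/...` stores the token in .git/config, while the checkout at line 51 already uses the App token and actions/checkout persists it for later git commands, so `git push origin HEAD:${{ steps.vars.outputs.pr-source-git-branch }}` works without the `set-url` step. Specific to this hunk, the condition `(steps.git-diff.outputs.changes == 'true' || steps.git-diff-2.outputs.changes == 'true')` is now duplicated across the push step and the fallback comment step; computing it once as an output of an earlier step would keep the two `if:` lines from drifting apart.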

145-153: Post success/failure comments as octavia-bot

Add the App token to all comment steps for consistent attribution, wdyt?

       uses: peter-evans/create-or-update-comment@v4
       with:
+        token: ${{ steps.get-app-token.outputs.token }}
         comment-id: ${{ steps.first-comment-action.outputs.comment-id }}

Also applies to: 154-162, 163-171

🧹 Nitpick comments (1)
.github/workflows/slash_command_dispatch.yml (1)

25-40: Optional: React to commands as octavia-bot

If you want the command acknowledgement reactions to come from octavia-bot, set reaction-token too, wdyt? (github.com)

       uses: peter-evans/slash-command-dispatch@v4
       with:
         repository: ${{ github.repository }}
         token: ${{ steps.get-app-token.outputs.token }}
+        reaction-token: ${{ steps.get-app-token.outputs.token }}
         dispatch-type: workflow
         issue-type: pull-request

📥 Commits

Reviewing files that changed from the base of the PR and between 43e5af7 and f66701f.

📒 Files selected for processing (3)
  • .github/workflows/fix-pr-command.yml (1 hunks)
  • .github/workflows/poetry-lock-command.yml (1 hunks)
  • .github/workflows/slash_command_dispatch.yml (1 hunks)
🔇 Additional comments (3)
.github/workflows/poetry-lock-command.yml (1)

48-48: LGTM on switching checkout to App token

Using the installation token for checkout is correct and avoids long-lived PATs.

.github/workflows/fix-pr-command.yml (1)

51-51: LGTM on switching checkout to App token

Good move away from PATs.

.github/workflows/slash_command_dispatch.yml (1)

30-30: LGTM on switching dispatch token to App token

This aligns with the move away from PATs.
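As an added example (not code from this PR or from the PyAirbyte project), the audit that the original prompt asks for, "find all instances where the maintenance pat is being used in GitHub workflows", extended with checks for two issues the review above raises in the same files: deprecated `::set-output`, and comment steps that post as github-actions[bot] because no `token:` is passed. It scans workflow YAML by line and indentation instead of using a YAML parser, so it needs only the standard library. The sample workflow embedded in the block is constructed to resemble the pre-migration state and is not the repository's file; the step-boundary heuristic assumes the conventional `- name:` / `uses:` / `with:` layout, and the PAT naming rule (a whole `PAT` component in the secret name) is an assumption about how such secrets are named.

```python
"""Audit GitHub Actions workflow files for long-lived PAT secrets, deprecated
::set-output, and comment steps that will be attributed to github-actions[bot].
Added example; not part of the PR or of PyAirbyte. Standard library only."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

SECRET_REF_RE = re.compile(r"secrets\.([A-Za-z0-9_]+)")
SET_OUTPUT_RE = re.compile(r"::set-output\b")
COMMENT_ACTION_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*peter-evans/create-or-update-comment@")
TOKEN_KEY_RE = re.compile(r"^\s*token:")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 1-based line number in the workflow file
    kind: str   # pat-secret | deprecated-set-output | comment-without-token
    detail: str


def looks_like_pat(secret_name: str) -> bool:
    """Assumed naming rule: 'PAT' is a whole underscore-separated component
    (GH_PAT_MAINTENANCE_OCTAVIA yes; SOME_PATH, GITHUB_TOKEN, OCTAVIA_BOT_PRIVATE_KEY no)."""
    return "PAT" in secret_name.upper().split("_")


def _key_indent(line: str) -> int:
    """Column of the YAML key on this line; a leading '- ' counts as two columns."""
    stripped = line.lstrip(" ")
    col = len(line) - len(stripped)
    return col + 2 if stripped.startswith("- ") else col


def _is_step_item(line: str, base: int) -> bool:
    return line.lstrip(" ").startswith("- ") and _key_indent(line) == base


def _step_span(lines: list[str], idx: int) -> tuple[int, int]:
    """[start, end) of the step containing lines[idx], a step-level key such as
    `uses:`. Assumes every key of the step sits at that same indentation."""
    base = _key_indent(lines[idx])
    start = idx
    while start > 0 and not _is_step_item(lines[start], base):
        prev = lines[start - 1]
        if prev.strip() and _key_indent(prev) < base:
            break
        start -= 1
    end = idx + 1
    while end < len(lines):
        cur = lines[end]
        if cur.strip() and (_key_indent(cur) < base or _is_step_item(cur, base)):
            break
        end += 1
    return start, end


def audit_workflow(path: str, text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        lineno = idx + 1
        for m in SECRET_REF_RE.finditer(line):
            if looks_like_pat(m.group(1)):
                findings.append(Finding(path, lineno, "pat-secret", m.group(1)))
        if SET_OUTPUT_RE.search(line):
            findings.append(Finding(path, lineno, "deprecated-set-output", line.strip()))
        if COMMENT_ACTION_RE.match(line):
            start, end = _step_span(lines, idx)
            # create-or-update-comment falls back to github.token when no token is given,
            # so the comment is attributed to github-actions[bot], not to the App.
            if not any(TOKEN_KEY_RE.match(lines[i]) for i in range(start, end)):
                findings.append(Finding(path, lineno, "comment-without-token",
                                        "no token: input; comment posts as github-actions[bot]"))
    return findings


def audit_paths(paths: list[str]) -> list[Finding]:
    """Audit files on disk, e.g. .github/workflows/*.yml."""
    out: list[Finding] = []
    for p in paths:
        out.extend(audit_workflow(p, Path(p).read_text(encoding="utf-8")))
    return out


# Constructed sample resembling the pre-migration state; not the repository's file.
SAMPLE_WORKFLOW = """\
name: Fix PR Command (constructed sample)
jobs:
  fix-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
      - name: Append comment with job run link
        id: first-comment-action
        uses: peter-evans/create-or-update-comment@v4
        with:
          comment-id: ${{ github.event.inputs.comment-id }}
          issue-number: ${{ github.event.inputs.pr }}
      - name: Check for changes
        id: git-diff
        run: |
          git diff --quiet && echo "No changes to commit" || echo "::set-output name=changes::true"
      - name: Append success comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = audit_paths(targets) if targets else audit_workflow("sample.yml", SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Run it with no arguments to audit the embedded sample, or pass workflow paths (`python audit.py .github/workflows/*.yml`) to audit a checkout. The three kinds of finding map directly onto the migration: `pat-secret` is what this PR removes, `comment-without-token` is the attribution gap the review flags, and `deprecated-set-output` is the modernisation it suggests alongside.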

github-actions bot commented Sep 4, 2025

PyTest Results (Full)

364 tests (±0), 348 passed ✅ (±0), 16 skipped 💤 (±0), 0 failed ❌ (±0); 1 suite (±0), 1 file (±0); runtime 22m 21s ⏱️ (+43s)

Results for commit f66701f. ± Comparison against base commit 43e5af7.

@aaronsteers aaronsteers merged commit 37df336 into main Sep 9, 2025
28 of 30 checks passed
@aaronsteers aaronsteers deleted the devin/1725479526-replace-maintenance-pats branch September 9, 2025 17:13