Commit 7fa48d9
ci(repo-assist): mint App token for safe-outputs and CI triggering
Wire a GitHub App into safe-outputs so all bot operations (PR creation,
branch pushes, comments, labels) run under an installation access token
instead of GITHUB_TOKEN. Two effects:
1. Commits and PR-creation events authored by the App actually trigger
downstream workflows (Lint PR, build); commits authored by GITHUB_TOKEN
are silently suppressed by GitHub Actions to prevent recursion. This
is what caused PR #4560 to land on main with a non-conventional title:
Lint PR never ran. Now it will.
2. Bot activity is attributed to the App identity rather than to whichever
identity GITHUB_TOKEN is acting as, which is clearer in commit history.
Also sets `github-token-for-extra-empty-commit: app` on
`create-pull-request` and `push-to-pull-request-branch` so the post-create
empty-commit trick uses the App token; this covers the case where the
target workflow only listens for `synchronize`/`push` events rather than
`opened`.
Requires repo to have `vars.APP_ID` and `secrets.APP_PRIVATE_KEY` set
(already configured).
Supersedes #4565 (PAT-based variant).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 3cc85fb commit 7fa48d9
3 files changed
Lines changed: 108 additions & 37 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
| 8 | + | |
9 | 9 | | |
10 | | - | |
11 | | - | |
| 10 | + | |
| 11 | + | |
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
| |||
0 commit comments