Skip to content

Use GitHub App token in update workflows#55

Draft
rujche wants to merge 6 commits into
mainfrom
rujche/main-use-github-app-instead-of-PAT
Draft

Use GitHub App token in update workflows#55
rujche wants to merge 6 commits into
mainfrom
rujche/main-use-github-app-instead-of-PAT

Conversation

@rujche

@rujche rujche commented Jul 1, 2026

Copy link
Copy Markdown
Member

What

  • Replace ACCESS_TOKEN usage with GitHub App installation token in update workflows.
  • Add a reusable local action for token generation at .github/actions/github-app-token/action.yml.
  • Scope GitHub App tokens to azure-sdk-for-java via a repositories input to enforce least privilege.
  • Set persist-credentials: false on authenticated actions/checkout steps that use installation tokens.
  • Update PR/push flow to use same-repo branch format with GitHub App token.
  • Upgrade actions/checkout from v3 to v4 in the updated workflows.
  • Pin third-party actions to fixed release tags:
    • actions/create-github-app-token@v3.2.0
    • vsoch/pull-request-action@1.1.1
  • Ensure same-repo checkout uses the workflow triggering ref (avoid default-branch drift).
  • Fix hyphenated composite action input references using bracket syntax.

Why

  • The 'Microsoft Open Source' enterprise forbids access via a personal access tokens (classic) if the token's lifetime is greater than 8 days.. See: https://github.com/Azure/spring-cloud-azure-tools/actions/runs/28485381020/job/84430597949
  • Remove PAT dependency and standardize on GitHub App auth.
  • Reduce token blast radius and credential persistence risk in workflow runners.
  • Improve reproducibility and supply-chain hygiene by avoiding floating refs.
  • Keep local action execution aligned with the exact workflow ref.

Updated files

  • .github/actions/github-app-token/action.yml
  • .github/workflows/update-spring-cloud-azure-support-file.yml
  • .github/workflows/test-spring-boot-rc-version.yml
  • .github/workflows/update-spring-dependencies.yml

@rujche rujche requested review from Netyyyy, Copilot and moarychan July 1, 2026 02:06
@rujche rujche self-assigned this Jul 1, 2026
@rujche rujche added the enhancement New feature or request label Jul 1, 2026
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure Jul 1, 2026
@rujche rujche added this to the 2026-07 milestone Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request updates the repository’s scheduled/manual “update” workflows to stop using a long-lived PAT (ACCESS_TOKEN) and instead generate a scoped GitHub App installation token via a new local composite action. This improves least-privilege access to Azure/azure-sdk-for-java, reduces credential persistence risks during checkouts, and tightens action supply-chain hygiene via pinned versions.

Changes:

  • Added a reusable local composite action to generate a GitHub App installation token, scoped via a repositories input.
  • Updated update/test workflows to use the installation token for actions/github-script, cross-repo checkout, pushes, and PR creation (and set persist-credentials: false where the installation token is used for checkout).
  • Upgraded actions/checkout to v4 and pinned vsoch/pull-request-action to a fixed release tag.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
.github/actions/github-app-token/action.yml New composite action wrapping actions/create-github-app-token with proper hyphenated input referencing and repo scoping support.
.github/workflows/update-spring-cloud-azure-support-file.yml Replaced PAT usage with GitHub App token; updated checkout/push/PR creation flow and pinned action versions.
.github/workflows/test-spring-boot-rc-version.yml Replaced PAT usage with GitHub App token; updated checkout/push/PR creation flow and pinned action versions.
.github/workflows/update-spring-dependencies.yml Replaced PAT usage with GitHub App token; updated checkout/push/PR creation flow, added persist-credentials: false, and pinned action versions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

Status: In Progress

Development

Successfully merging this pull request may close these issues.

3 participants