fix: use GitHub App token for auto-merge workflow #355
Conversation
Generate GitHub App token using GH_DOCS_SYNC_APP_ID and GH_DOCS_SYNC_APP_PRIVATE_KEY secrets. Use the app token instead of GITHUB_TOKEN for both close-superseded and auto-merge steps to ensure downstream workflow triggers (sdk_publish.yaml) after merge. This aligns token usage with typescript-sdk and go-sdk implementations.
Pin actions/create-github-app-token to the v3.2.0 commit SHA (bcd2ba49...) instead of the mutable @v3 tag to prevent supply chain attacks where a compromised account could force-push malicious code to the tag. This eliminates the risk of secret leakage and malicious code execution in CI workflows.
⚠️ APPROVE unavailable on this installation — the maintainer GitHub App is not configured, so the verdict below is posted as COMMENT. Event-level approval (for branch-protection / review requirements) must be added out-of-band.
Perry's Review
Pins actions/create-github-app-token from mutable @v3 semver to the immutable SHA bcd2ba492... (v3.2.0), and replaces GITHUB_TOKEN with the GitHub App token in both the close-superseded and auto-merge workflow steps — enabling downstream workflow triggering after merge.
Verdict: ✅ LGTM
Details
Risk: 🟢 Low — security hardening only; no auth gate removed, no data changed
CI: 0 checks (no CI configured on this PR)
Findings: none
Codex: skipped (trivial tier)
Research: skipped (trivial tier)
Security: SHA pin (bcd2ba49...) verified accurate for actions/create-github-app-token@v3.2.0 — supply-chain risk from prior round addressed. GH_DOCS_SYNC_APP_PRIVATE_KEY passed to a SHA-pinned action (no mutable tag exposure). Categories 1+7 touched; safeguards intact.
Test coverage: no tests for GHA workflow logic — expected
Unresolved threads: 1 outdated Perry thread from prior round (SHA pin suggestion, now implemented)
Scope: incremental — 2 new lines since prior review (comment + SHA pin)
Review: tier=trivial · model=claude-sonnet-latest · score=0.1
Summary
Update the auto-merge workflow to use a GitHub App token instead of GITHUB_TOKEN to ensure downstream workflow triggers (sdk_publish.yaml) after merge.
Changes
Rationale
Using GITHUB_TOKEN prevents downstream workflow triggers because GitHub Actions intentionally blocks workflow chains initiated by actions tokens for security. Using a GitHub App token bypasses this limitation while maintaining security through properly scoped app permissions.
Verification
This pattern is already successfully used in:
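As an added example (not code from this PR or the project), here is a small Python audit that checks the two things the review above verified by hand: that every third-party `uses:` reference in a workflow is a full 40-hex commit SHA rather than a mutable tag, and that the SHA matches the release named in its trailing `# vX.Y.Z` comment, resolved from `git ls-remote --tags` output. The workflow steps, tag listing and all commit SHAs below are constructed placeholders (the real v3.2.0 commit is truncated on this page and is not reproduced); the step inputs `app-id`/`private-key` and the output `token` are assumed to be the action's v2+ interface.

```python
"""Audit `uses:` pins in a GitHub Actions workflow (added example, not project code).

Two checks a reviewer of a pin-the-SHA change wants to confirm:
  1. every third-party action is referenced by a full 40-hex commit SHA, not a
     mutable tag or branch;
  2. the SHA matches the release named in the trailing `# vX.Y.Z` comment, taken
     from `git ls-remote --tags` output. For an annotated tag the peeled `^{}`
     line is the commit; the un-peeled line is the tag object and is not a valid pin.
"""
import re
from typing import Dict, List, Optional, Tuple

USES_RE = re.compile(
    r"uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@([^\s#]+)(?:[ \t]+#[ \t]*(\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Placeholder SHAs (constructed; the real v3.2.0 commit is not reproduced here).
COMMIT_V320 = "0123456789abcdef0123456789abcdef01234567"
COMMIT_V310 = "89abcdef0123456789abcdef0123456789abcdef"
TAG_OBJ_V320 = "fedcba9876543210fedcba9876543210fedcba98"

# Constructed `git ls-remote --tags` output: v3.2.0 is an annotated tag (tag object
# plus peeled commit), v3 and v3.1.0 are lightweight tags.
LS_REMOTE = (
    f"{TAG_OBJ_V320}\trefs/tags/v3.2.0\n"
    f"{COMMIT_V320}\trefs/tags/v3.2.0^{{}}\n"
    f"{COMMIT_V320}\trefs/tags/v3\n"
    f"{COMMIT_V310}\trefs/tags/v3.1.0\n"
)

# Constructed workflow steps modelled on the PR description: before (mutable tag)
# and after (full SHA plus version comment). Secret names are those named in the PR;
# the action's input/output names are assumed.
STEPS_BEFORE = """
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ secrets.GH_DOCS_SYNC_APP_ID }}
          private-key: ${{ secrets.GH_DOCS_SYNC_APP_PRIVATE_KEY }}
      - name: Enable auto-merge with the app token, not GITHUB_TOKEN
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh pr merge --auto --squash "$PR_URL"
"""
STEPS_AFTER = STEPS_BEFORE.replace("@v3\n", f"@{COMMIT_V320} # v3.2.0\n")


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map tag name -> commit SHA, preferring the peeled `^{}` entry."""
    plain: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            plain[name] = sha
    return {name: peeled.get(name, sha) for name, sha in plain.items()}


def parse_uses(workflow: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (owner/repo, ref, version-comment-or-None) for each `uses:` line."""
    return [(m.group(1), m.group(2), m.group(3)) for m in USES_RE.finditer(workflow)]


def audit(workflow: str, tags_by_repo: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per unsafe or inconsistent pin; an empty list means clean."""
    findings: List[str] = []
    for repo, ref, version in parse_uses(workflow):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{repo}@{ref}: mutable reference, pin to a full commit SHA")
            continue
        if version is None:
            findings.append(f"{repo}@{ref[:8]}: SHA pin lacks a `# vX.Y.Z` comment")
            continue
        resolved = tags_by_repo.get(repo, {}).get(version)
        if resolved is None:
            findings.append(f"{repo}: tag {version} not found in ls-remote output")
        elif resolved != ref:
            findings.append(
                f"{repo}@{ref[:8]}: comment says {version} but that tag resolves to {resolved[:8]}"
            )
    return findings


TAGS = {"actions/create-github-app-token": parse_ls_remote(LS_REMOTE)}

if __name__ == "__main__":
    for label, steps in (("before", STEPS_BEFORE), ("after", STEPS_AFTER)):
        print(label, audit(steps, TAGS) or "clean")
```

Against real repositories, feed `parse_ls_remote` the output of `git ls-remote --tags https://github.com/<owner>/<repo>`; the peeled-tag handling matters because copying the first SHA shown for an annotated tag pins the tag object, which `uses:` cannot check out.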