From 60add6da495152d7e54ad29da93bca2e57af3695 Mon Sep 17 00:00:00 2001
From: Christine Chen <10511452+christineschen@users.noreply.github.com>
Date: Tue, 23 Jun 2026 17:59:16 -0400
Subject: [PATCH 1/2] fix: use GitHub App token for auto-merge workflow Generate GitHub App token using GH_DOCS_SYNC_APP_ID and GH_DOCS_SYNC_APP_PRIVATE_KEY secrets. Use the app token instead of GITHUB_TOKEN for both close-superseded and auto-merge steps to ensure downstream workflow triggers (sdk_publish.yaml) after merge. This aligns token usage with typescript-sdk and go-sdk implementations.
---
 .github/workflows/auto-merge-speakeasy-pr.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-merge-speakeasy-pr.yaml b/.github/workflows/auto-merge-speakeasy-pr.yaml
index 9ba77ed..29e7603 100644
--- a/.github/workflows/auto-merge-speakeasy-pr.yaml
+++ b/.github/workflows/auto-merge-speakeasy-pr.yaml
@@ -31,9 +31,16 @@ jobs:
 )
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.GH_DOCS_SYNC_APP_ID }}
+ private-key: ${{ secrets.GH_DOCS_SYNC_APP_PRIVATE_KEY }}
+
 - name: Close superseded Speakeasy PRs
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 set -euo pipefail
 CURRENT_PR="${{ github.event.pull_request.number }}"
@@ -64,7 +71,7 @@ jobs:
 - name: Auto-merge Speakeasy PR
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 set -euo pipefail
 PR_NUM="${{ github.event.pull_request.number }}"
From 4e551e432f1b7e7ebdabd3e35b27c7a177569c5f Mon Sep 17 00:00:00 2001
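Review bot: The app token minted by the new `Generate GitHub App token` step carries every permission the app installation holds, while the two steps that consume it (`Close superseded Speakeasy PRs` in this hunk and `Auto-merge Speakeasy PR` in the next) only need pull-request and contents access. If the action version in use supports the scoping inputs, add `permission-pull-requests: write` and `permission-contents: write` under `with:` (and `repositories: ${{ github.event.repository.name }}` when the app is installed on more than one repository) so that a leaked token cannot reach beyond what these steps do. Because an app token, unlike `GITHUB_TOKEN`, does fire downstream workflows — the stated intent — the job's `if:` expression that closes on the hunk's first context line (`)`) becomes the sole gate between an arbitrary PR and `sdk_publish.yaml`, and it should be re-checked for that role as part of this change. The enclosing job begins above the hunk.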
From: Christine Chen <10511452+christineschen@users.noreply.github.com>
Date: Tue, 23 Jun 2026 18:14:27 -0400
Subject: [PATCH 2/2] fix: pin create-github-app-token to immutable SHA Pin actions/create-github-app-token to v3.2.0 commit SHA (bcd2ba49...) instead of mutable @v3 tag to prevent supply chain attacks where a compromised account could force-push malicious code to the tag. This eliminates the risk of secret leakage and malicious code execution in CI workflows.
---
 .github/workflows/auto-merge-speakeasy-pr.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/auto-merge-speakeasy-pr.yaml b/.github/workflows/auto-merge-speakeasy-pr.yaml
index 29e7603..e0035f8 100644
--- a/.github/workflows/auto-merge-speakeasy-pr.yaml
+++ b/.github/workflows/auto-merge-speakeasy-pr.yaml
@@ -33,7 +33,8 @@ jobs:
 steps:
 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v3
+ # actions/create-github-app-token@v3.2.0 (immutable SHA)
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1
 with:
 app-id: ${{ secrets.GH_DOCS_SYNC_APP_ID }}
 private-key: ${{ secrets.GH_DOCS_SYNC_APP_PRIVATE_KEY }}
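Review bot: The version comment added on its own line above `uses:` will drift out of sync with the SHA once an automated updater bumps it, because Dependabot (and Renovate) only maintain a `# vX.Y.Z` comment that sits on the `uses:` line itself. Move it inline: `uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0`. Whether the workflow's other `uses:` references are pinned the same way cannot be seen from this hunk; the protection the commit message describes only holds if every action in the file is pinned, so the rest of the file should be checked in the same pass. The enclosing job begins above the hunk and its remaining steps end below it.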