Mint GitHub App token in versioning workflow #1630
Merged
The org-level POLICYENGINE_GITHUB PAT expired on 2026-01-12. Swap it for a short-lived GitHub App token minted via actions/create-github-app-token@v1, using the org-level APP_ID and APP_PRIVATE_KEY secrets already used by sibling repos. This affects only the Publish job's cross-repo update_api.py call (the Versioning job uses the default GITHUB_TOKEN). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

The org-level POLICYENGINE_GITHUB PAT expired on 2026-01-12. In this repo it is only referenced by .github/workflows/versioning.yaml, where the Publish job passes it as CROSS_REPO_TOKEN to .github/update_api.py (which cross-repo-pings policyengine-api so the app picks up the newly published package). With the PAT expired, CROSS_REPO_TOKEN resolves to an empty string; the graceful fallback in the workflow logs "Skipping cross-repo API update" and moves on, so the cross-repo ping silently stops firing on every release.

Fix

Swap the PAT for a short-lived GitHub App token minted via actions/create-github-app-token@v1, using the org-level APP_ID / APP_PRIVATE_KEY secrets already set and used by sibling repos (policyengine-core#470, microdf#296, policyengine-us, policyengine-api). Pattern copied from those PRs.

Benefits over renewing the PAT:

Scope note: this repo's Versioning job already uses the default GITHUB_TOKEN (not the PAT) for checkout and add-and-commit, and the Publish job runs in the same workflow run via needs: Versioning, so App-token-triggered downstream workflow runs aren't needed here. Only the Publish job changes.

Test plan

- yaml.safe_load confirms the workflow still parses
- towncrier build --draft renders the changelog fragment correctly
- Publish job's Update API step actually fires update_api.py (not the skip branch) and the corresponding dispatch lands in policyengine-api

Caveat

If the GitHub App isn't installed on policyengine-api, the update_api.py step will fail (rather than silently skip). That would be a separate fix on the App installation side; the checkout + PyPI publish parts are unaffected.
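The shape of the change described above, as an added example and not the repository's own versioning.yaml: the Publish job mints an installation token with actions/create-github-app-token@v1 and hands it to .github/update_api.py as CROSS_REPO_TOKEN. The secret names, the env var name, the script path and the target repo policyengine-api come from the PR; the job skeleton, the publish step, the `repositories:` restriction and the empty-token guard are assumptions added for illustration.

```yaml
# Added example, not the project's workflow. Names marked "assumed" are not
# taken from the PR.
name: Versioning
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  Versioning:
    runs-on: ubuntu-latest
    steps:
      # Unchanged by the PR: this job relies on the default GITHUB_TOKEN.
      - uses: actions/checkout@v4

  Publish:
    needs: Versioning            # runs in the same workflow run as Versioning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write            # assumed: PyPI trusted publishing
    steps:
      - uses: actions/checkout@v4

      # Mint an installation token for this job only. Installation tokens
      # expire after at most one hour and the action revokes the token in its
      # post step, so nothing long-lived is left behind if a log or artifact
      # leaks. `repositories:` narrows the token to the one repo the ping
      # touches instead of every repo the App is installed on.
      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: policyengine-api

      - name: Publish to PyPI     # assumed: the existing publish step, unchanged
        uses: pypa/gh-action-pypi-publish@release/v1

      - name: Update API
        env:
          CROSS_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Assumed guard: the PAT-era fallback skipped silently on an empty
          # token. With the App token an empty value means the mint step did
          # not produce one, which should fail loudly, not skip.
          if [ -z "$CROSS_REPO_TOKEN" ]; then
            echo "::error::CROSS_REPO_TOKEN is empty; App token was not minted"
            exit 1
          fi
          python .github/update_api.py
```

If the App is not installed on policyengine-api (the caveat above), the mint step itself fails before update_api.py runs, which is the loud failure the PR prefers over the old silent skip. Keeping the token in a step-scoped `env:` rather than a job-level one limits which steps can read it.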