Skip to content

e2e: mint GitHub App installation token instead of PAT secret#23

Merged
thepagent merged 1 commit into
mainfrom
e2e-app-token
Jul 13, 2026
Merged

e2e: mint GitHub App installation token instead of PAT secret#23
thepagent merged 1 commit into
mainfrom
e2e-app-token

Conversation

@chaodu-agent

Copy link
Copy Markdown
Contributor

Summary

Phase 0 spike (#22) verified that GitHub App installation tokens are accepted by api.githubcopilot.com. This switches the E2E workflow's credential from the long-lived E2E_GHPOOL_PAT secret (currently an OAuth token that rotates with gh re-auth — a latent CI breakage) to a short-lived installation token minted per run from the existing APP_ID/APP_PRIVATE_KEY secrets.

Changes

  • actions/create-github-app-token@v2 step mints the token (owner: openabdev); GITHUB_TOKEN for the script now comes from the step output
  • Removed the separate secret-gate step — create-github-app-token fails loudly when secrets are absent, preserving the fail-fast property from the Add e2e test script and workflow for MCP proxy #21 review
  • Still no pull_request trigger (App credentials never exposed to forks); least-privilege permissions unchanged

Tested

Dispatched this workflow on this branch: run 2920815335213/13 e2e checks pass with the App-minted token, including issue_read on #15 (App has the required repo permissions).

Follow-up (after merge)

E2E_GHPOOL_PAT secret can be deleted.

Phase 0 spike (#22) verified installation tokens work against the hosted
MCP endpoint. Drops the E2E_GHPOOL_PAT long-lived secret dependency; the
token is now short-lived and minted per run from APP_ID/APP_PRIVATE_KEY.
create-github-app-token fails loudly if secrets are absent, preserving
the fail-fast property from the #21 review.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants