Skip to content

chore: replace all github.token/GITHUB_TOKEN with GitHub App token#1210

Merged
aidandaly24 merged 2 commits into
mainfrom
chore/replace-github-token-with-app-token
May 12, 2026
Merged

chore: replace all github.token/GITHUB_TOKEN with GitHub App token#1210
aidandaly24 merged 2 commits into
mainfrom
chore/replace-github-token-with-app-token

Conversation

@aidandaly24
Copy link
Copy Markdown
Contributor

@aidandaly24 aidandaly24 commented May 12, 2026

Summary

Replace all remaining github.token and secrets.GITHUB_TOKEN usage with short-lived tokens from the agentcore-devx-automation GitHub App via actions/create-github-app-token@v1.

Updated workflows: sync-from-public, sync-preview, release-main-and-preview, release, pr-tarball, cleanup-pr-tarballs, pr-title, strands-command.

Secrets to Delete After Verification

None — these were using the built-in token, not stored secrets.

Test plan

  • Verify APP_ID variable and APP_PRIVATE_KEY secret are set
  • Merge and confirm workflows run successfully

@aidandaly24
chore: replace all github.token/GITHUB_TOKEN with GitHub App token
5767d93 
Replaces all occurrences of \${{ github.token }} and \${{ secrets.GITHUB_TOKEN }}
across .github/workflows/ with a per-job GitHub App token generated via
actions/create-github-app-token@v1 using vars.APP_ID and secrets.APP_PRIVATE_KEY.
@aidandaly24 aidandaly24 requested a review from a team May 12, 2026 17:23
@github-actions github-actions Bot added the size/s PR size: S label May 12, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 12, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026

Package Tarball

aws-agentcore-0.13.1.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-1210-tarball/aws-agentcore-0.13.1.tgz

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026
edited
Loading

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 43.33% 9083 / 20958
🔵 Statements 42.61% 9646 / 22636
🔵 Functions 40.11% 1569 / 3911
🔵 Branches 40.14% 5862 / 14601
Generated in workflow #2833 for commit 0e6d577 by the Vitest Coverage Report Action

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 12, 2026
notgitika
notgitika previously approved these changes May 12, 2026
View reviewed changes
Comment thread .github/workflows/pr-title.yml
notgitika added a commit that referenced this pull request May 12, 2026
@notgitika
fix: use app-id instead of app-slug for GitHub App token
64b3783 
Aligns with the pattern in PR #1210 and ci-failure-issue.yml.
@notgitika notgitika self-requested a review May 12, 2026 18:12
@aidandaly24 aidandaly24 merged commit 6dc4b7f into main May 12, 2026
13 checks passed
@aidandaly24 aidandaly24 deleted the chore/replace-github-token-with-app-token branch May 12, 2026 18:13
@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels May 12, 2026
notgitika added a commit that referenced this pull request May 12, 2026
@notgitika
fix: use app-id instead of app-slug for GitHub App token
7e9f6a1 
Aligns with the pattern in PR #1210 and ci-failure-issue.yml.
notgitika added a commit that referenced this pull request May 12, 2026
@notgitika
fix: sync-preview pushes directly on clean merge, PRs only on conflict (
0153694 
#1078)

* fix: sync-preview workflow restores version instead of ignoring files

Instead of keeping preview's entire package.json/package-lock.json
(which discards new deps, scripts, etc. from main), accept main's
content and surgically restore only the version field to preview's
value after merge.

* fix: push directly to preview on clean merge via GitHub App bypass

Use agentcore-devx-automation app token to bypass branch protection
and push directly when the merge is clean (or only version conflicts).
Only creates a PR when there are real conflicts in other files.

* chore: use app-slug instead of app-id for token generation

* fix: address review feedback on sync-preview workflow

- Pass PREVIEW_VERSION via env var instead of string interpolation in
  node -e scripts (safer against special chars)
- Make git add of package-lock.json conditional on file existence to
  match the earlier -f guard
- Replace loose title search for dedup with headRefName prefix filter
  to avoid false positives from unrelated PRs
- Clarify why package.json/package-lock.json are special-cased (preview
  carries a different version string that needs preserving)

* fix: restore preview-owned files after sync merge

Adds a step to restore schemas/agentcore.schema.v1.json and CHANGELOG.md
to preview's versions after merging main. These files are auto-generated
during preview releases — schema-check CI rejects direct modifications
to schemas/, and CHANGELOG.md tracks preview releases separately.

* fix: use app-id instead of app-slug for GitHub App token

Aligns with the pattern in PR #1210 and ci-failure-issue.yml.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@notgitika notgitika notgitika approved these changes

Assignees

No one assigned

Labels

size/s PR size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aidandaly24 @notgitika