Merged
34 changes: 33 additions & 1 deletion .github/workflows/update-copilot-skills.yaml
@@ -43,6 +43,22 @@ on:
required: false
default: false
type: boolean
use-app-token:
description: >-
When `true`, create the update PR with a GitHub App token (minted from the `APP_ID`
variable and the `APP_PRIVATE_KEY` secret) instead of the default `GITHUB_TOKEN`. A PR
opened with `GITHUB_TOKEN` does NOT trigger the caller's `on: pull_request`/`push` CI runs,
so its required checks never report and it stays blocked; an App token avoids this.
Defaults to `false` (previous behaviour using `GITHUB_TOKEN`).
required: false
default: false
type: boolean
secrets:
APP_PRIVATE_KEY:
description: >-
GitHub App private key, required only when `use-app-token` is `true`. Paired with the
`APP_ID` repository/organization variable to mint an App token for PR creation.
required: false

permissions: {}

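Review bot: the `secrets:` entry `APP_PRIVATE_KEY` is declared `required: false`, so nothing enforces the "required only when `use-app-token` is `true`" rule its description states, and a caller that sets the input but forgets the secret or the `APP_ID` variable only finds out when the token-minting step fails. Spell out both preconditions in the `use-app-token` description, and add that the GitHub App must be installed on the caller repository with Contents and Pull requests write access: the `permission-contents`/`permission-pull-requests` inputs on the token step can only narrow what the installation already has, never grant what it lacks, so an under-permissioned installation fails at PR creation rather than at configuration time.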
@@ -55,10 +71,24 @@ jobs:
contents: write
pull-requests: write
steps:
- name: πŸ”‘ Generate GitHub App token
id: app-token
if: ${{ inputs.use-app-token }}
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
# Scope the token to least privilege β€” exactly what this job needs
# (checkout read + create-pull-request push/open) β€” instead of
# inheriting the App installation's blanket permissions.
permission-contents: write
permission-pull-requests: write

- name: πŸ“„ Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
token: ${{ steps.app-token.outputs.token || github.token }}

- name: πŸ”„ Update installed skills
id: update
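Review bot: when `use-app-token` is `true` but `vars.APP_ID` or `secrets.APP_PRIVATE_KEY` is empty, the `Generate GitHub App token` step fails with the action's own error instead of a message naming the missing value; add a fail-fast step ahead of it, e.g. `if: ${{ inputs.use-app-token && (vars.APP_ID == '' || secrets.APP_PRIVATE_KEY == '') }}` with `run: echo '::error::use-app-token requires the APP_ID variable and the APP_PRIVATE_KEY secret' && exit 1`, since both the `vars` and `secrets` contexts are available in a step-level `if`. The fallback `${{ steps.app-token.outputs.token || github.token }}` is sound as written: a skipped step's outputs evaluate to the empty string, so `||` selects `github.token` exactly when the App step did not run. Flipping the checkout to `persist-credentials: false` is the right companion change now that a token is passed explicitly, because it keeps the App token out of `.git/config` where any later step could read it; the `# Scope the token to least privilege` comment should also say that `permission-*` only downscopes the installation's grants, so the job still depends on the App having been installed with at least these two write permissions.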
@@ -85,3 +115,5 @@ jobs:
branch: ${{ inputs.pr-branch }}
labels: ${{ inputs.pr-labels }}
delete-branch: true
token: ${{ steps.app-token.outputs.token || github.token }}
branch-token: ${{ steps.app-token.outputs.token || github.token }}
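Review bot: `branch-token` on the last added line duplicates `token` on the line above it; assuming this step is peter-evans/create-pull-request (the `create-pull-request push/open` named in the job's own comment), `branch-token` already defaults to the value of `token`, so the two lines express the same fallback twice. Either drop `branch-token`, or keep it with a comment saying it is pinned on purpose so that a future change that swaps `token` for a different credential does not let the branch push silently fall back to `github.token`, which would bring back the "PR opened with `GITHUB_TOKEN` never triggers the caller's checks" problem the `use-app-token` input was added to fix.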