
Packaging: GH App token migration (phase 2) - app-token mint + dev5 pin#1184

Open

ihalatci wants to merge 7 commits into develop from ihalatci/gh-app-migration-phase2

Packaging: GH App token migration (phase 2) - app-token mint + dev5 pin#1184
ihalatci wants to merge 7 commits into
developfrom
ihalatci/gh-app-migration-phase2

Conversation

@ihalatci

Contributor

Summary

Phase 2 of the citusdata CI migration from the org PAT secret GH_TOKEN to a GitHub App installation token, for the packaging workflows. Three coordinated parts plus the script fix the App token exposed:

1. App-token mint (replaces org PAT)

Replace the GH_TOKEN org-PAT secret with a per-run GitHub App installation token via actions/create-github-app-token@v3 in all token-consuming workflows:

  • app-id: ${{ vars.GH_APP_ID }} (GH_APP_ID is an org variable, not a secret -- no secrets fallback)
  • private-key: ${{ secrets.GH_APP_KEY }} (real secret, retained)
  • token exported to $GITHUB_ENV (GH_TOKEN + GITHUB_TOKEN) so downstream steps/containers receive the App token
  • paired with docker/login-action@v4 where a DockerHub login exists (the 2 nightly workflows)

2. Tools-clone pin -> v0.8.36-dev5

Pin all 7 workflow tools-clones to v0.8.36-dev5 (adds build_packages per-pg-version filter + pytest harness fixes: filtered-count assertion + graceful skip for out-of-set pg versions). The dev3->dev5 delta is behaviorally inert for callers that don't pass postgres_version (guarded by if postgres_version:), so nightly/write workflows iterate identically to before.

3. R1 fix -- drop /user from bot identity resolution

scripts/determine_name / scripts/determine_email previously curled https://api.github.com/user, which 403s under an App installation token (the App identity has no /user endpoint) and, under set -euo pipefail, aborted the build with empty output. Fixed to resolve the packager identity from env first (PACKAGER_NAME/PACKAGER_EMAIL -> RPM_PACKAGER/DEBFULLNAME/DEBEMAIL) with a fixed Citus Bot <bots@citusdata.com> fallback -- no /user call. The R1-fixed images have been reseeded into the citus/packaging-test:* registry tags.

Validation

All 4 push-event workflows GREEN on ae12aad:

Workflow                                    Run           Result
Build package for test images               27846085803   22/22
Build Package                               27846085807   22/22
Image Health Check                          27846085809   22/22
Build & publish citus community nightlies   27846085815   6/6

  • MINT = 207/207 success across all legs -> vars.GH_APP_ID resolves with no fallback.
  • Nightly publish skipped on every leg (Package publishing skipped since current branch is not equal to develop) -- nothing published from the feature branch.
  • GH_TOKEN retained live throughout (zero-downtime; shadowed PAT removal deferred to a later decommission phase).

Dependency

Relies on tools tag v0.8.36-dev5 (citusdata/tools PR #410) being merged/stable before this is re-pinned to a stable tag.

Notes

  • Benign app-id deprecation annotation (app-id -> client-id) is a deferred stable-phase org-secret item; intentionally keeping app-id: vars.GH_APP_ID for now.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
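An added example of the env-first identity resolution the R1 fix describes, written for a script that runs under set -u; it is not scripts/determine_name or determine_email from citusdata/tools, and the function names and the rpm-style "Name <email>" parsing of RPM_PACKAGER are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not scripts/determine_name or determine_email from citusdata/tools.
# Resolves the packager identity from env only, in the precedence the PR
# describes: PACKAGER_NAME/PACKAGER_EMAIL, then RPM_PACKAGER, then
# DEBFULLNAME/DEBEMAIL, then the fixed Citus Bot identity. No /user call.
# Assumption: RPM_PACKAGER holds the rpm-style "Name <email>" string.
set -eu   # the real scripts also set -o pipefail; -u is what bites here

FALLBACK_NAME="Citus Bot"
FALLBACK_EMAIL="bots@citusdata.com"

# Every lookup uses ${VAR:-} so an unset variable yields "" instead of a -u
# abort; the old /user-based path died with empty output under the App token.
determine_name() {
    local name="${PACKAGER_NAME:-}"
    if [ -z "$name" ] && [ -n "${RPM_PACKAGER:-}" ]; then
        name="${RPM_PACKAGER%%'<'*}"   # keep the text before '<'
        name="${name% }"               # drop the space that preceded '<'
    fi
    [ -n "$name" ] || name="${DEBFULLNAME:-}"
    [ -n "$name" ] || name="$FALLBACK_NAME"
    printf '%s\n' "$name"
}

determine_email() {
    local email="${PACKAGER_EMAIL:-}"
    if [ -z "$email" ] && [ -n "${RPM_PACKAGER:-}" ]; then
        case "$RPM_PACKAGER" in
            *'<'*'>'*) email="${RPM_PACKAGER#*'<'}"; email="${email%%'>'*}" ;;
        esac
    fi
    [ -n "$email" ] || email="${DEBEMAIL:-}"
    [ -n "$email" ] || email="$FALLBACK_EMAIL"
    printf '%s\n' "$email"
}

# Constructed run with no identity env set: resolves to the fixed bot identity.
printf 'packager: %s <%s>\n' "$(determine_name)" "$(determine_email)"
```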

ihalatci-msft and others added 7 commits June 19, 2026 16:09
Mint a GitHub App token (actions/create-github-app-token@v3) per job and export it to GH_TOKEN + GITHUB_TOKEN via $GITHUB_ENV, overriding the workflow-level token for subsequent steps. Workflow-level secrets.GH_TOKEN refs are kept live (removed only in Phase 6). Bump tools pin v0.8.36-dev2 -> v0.8.36-dev3 in the 5 signing/publish/health workflows. docker/login-action already at @v4.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fold the two leftover v0.8.35 tools clones (update-pgxn-version.yml, update_package_properties.yml) into the Phase 2 dev3 pin so all tools references are consistent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n fix)

GitHub App installation tokens have no /user endpoint and return 403, which aborted the build container at the identity assignment with empty output. Resolve packager identity env-first (PACKAGER_NAME/PACKAGER_EMAIL, RPM_PACKAGER, DEBFULLNAME/DEBEMAIL) with a fixed 'Citus Bot <bots@citusdata.com>' fallback so the all-platforms test path greens without identity env. ~/.curlrc writes are retained (reused for App-safe /repos + tarball source fetch).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…6-dev4

Roll-forward fix for the rpm reds: pass the matrix leg's POSTGRES_VERSION into the 'Execute packaging tests' env so dev4's test_build_packages builds+tests ONLY the leg's own locally-built, R1-fixed image instead of iterating all pg versions and docker-pulling stale sibling images (which 403 on /user under the App token). deb/pgxn include-legs leave POSTGRES_VERSION empty -> None -> all/[all], no regression. Re-pins the pytest tools-clone dev3->dev4 in the 3 build/test workflows. Token mints (@v3), docker/login (@v4), the determine_name/determine_email R1 fix, and the dev3 pins in the 4 nightly/write workflows are untouched.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dev5 fixes the two remaining rpm test-harness bugs surfaced by dev4: (1) the build-count assertion now expects 1xcount when POSTGRES_VERSION is set, and (2) pytest.skip when the leg's matrix pg version is not in the distro's release set (so pg14/pg18 legs skip the test but still run push_images to reseed their update_image-built base images). POSTGRES_VERSION env (added previously) stays as-is. Token mints (@v3), docker/login (@v4), the R1 determine_name/determine_email fix, and the dev3 pins in the 4 nightly/write workflows are untouched.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bump the 4 nightly/write workflows (build-citus-community-nightlies, build-pgazure-nightlies, update-pgxn-version, update_package_properties) from v0.8.36-dev3 to v0.8.36-dev5 so every workflow in the repo pins the same tools tag.

dev3..dev5 changes only packaging_automation/citus_package.py (new optional postgres_version arg, default None -> identical iteration when unset) and tests/test_citus_package.py (pytest-only). Neither nightly passes postgres_version, and update-*/update_package_properties do not invoke citus_package.py, so behavior is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GH_APP_ID is an org variable, not a secret. Simplify the create-github-app-token app-id input from vars.GH_APP_ID || secrets.GH_APP_ID to just vars.GH_APP_ID across all 6 token mints. private-key stays secrets.GH_APP_KEY (a real secret).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>