From 836fd6532faef9c0cf49b2d1b10a3b49d8d733b3 Mon Sep 17 00:00:00 2001 From: Citus Bot Date: Wed, 17 Jun 2026 12:44:58 +0300 Subject: [PATCH 1/2] Phase 1: mint GitHub App token in tools test workflows Replace the org PAT (secrets.GH_TOKEN) with a per-job GitHub App installation token in the five tools test workflows: tool-tests, packaging-methods-tests, statistic-tests, statistic-schedule, citus-package-all-platforms-test. Each consuming job now mints a token via actions/create-github-app-token@v2 (app-id/private-key from the existing GH_APP_ID/GH_APP_KEY org secrets, owner: citusdata) and exports it to \ as GH_TOKEN (plus GITHUB_TOKEN for the all-platforms test). The top-level env GH_TOKEN entries are removed, since top-level/job env cannot reference the steps context. No script or tools-package changes: an installation token is a drop-in for the PAT. secrets.GH_TOKEN remains defined org-wide for zero-downtime during the staged migration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../citus-package-all-platforms-test.yml | 15 +++++++++++++-- .github/workflows/packaging-methods-tests.yml | 14 +++++++++++--- .github/workflows/statistic-schedule.yml | 12 +++++++++++- .github/workflows/statistic-tests.yml | 12 +++++++++++- .github/workflows/tool-tests.yml | 12 +++++++++++- 5 files changed, 57 insertions(+), 8 deletions(-) diff --git a/.github/workflows/citus-package-all-platforms-test.yml b/.github/workflows/citus-package-all-platforms-test.yml index a7692477..f83a6e68 100644 --- a/.github/workflows/citus-package-all-platforms-test.yml +++ b/.github/workflows/citus-package-all-platforms-test.yml @@ -1,8 +1,6 @@ name: Citus package all platforms tests env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} MICROSOFT_EMAIL: gindibay@microsoft.com USER_NAME: Gurkan Indibay 
@@ -36,6 +34,19 @@ jobs: PLATFORM: ${{ matrix.platform }} steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export GitHub App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/packaging-methods-tests.yml b/.github/workflows/packaging-methods-tests.yml index 7d53056f..68da1a95 100644 --- a/.github/workflows/packaging-methods-tests.yml +++ b/.github/workflows/packaging-methods-tests.yml @@ -1,8 +1,5 @@ name: Packaging helper methods tests -env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} - on: push: branches: @@ -15,6 +12,17 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export GitHub App token to environment + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/statistic-schedule.yml b/.github/workflows/statistic-schedule.yml index 3dcb4b22..d6958a41 100644 --- a/.github/workflows/statistic-schedule.yml +++ b/.github/workflows/statistic-schedule.yml @@ -5,7 +5,6 @@ env: DB_PASSWORD: ${{ secrets.STATS_DB_PASSWORD }} DB_HOST_AND_PORT: ${{ secrets.STATS_DB_HOST_AND_PORT }} DB_NAME: ${{ secrets.STATS_DB_NAME }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} on: schedule: - cron: "0 16 * * *" 
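Review bot: The `Export GitHub App token to environment` step writes the installation token into `$GITHUB_ENV`, where every later step of the job — including any third-party action — can read it, and it does so by expanding `${{ steps.app-token.outputs.token }}` directly into the shell script; the same pattern is repeated in packaging-methods-tests.yml, statistic-schedule.yml, statistic-tests.yml and tool-tests.yml. The commit message says the scripts read `GH_TOKEN` from the environment, so if a job-wide export is really needed, at least route the output through a step `env:` instead of inline expansion: `env:` / `  APP_TOKEN: ${{ steps.app-token.outputs.token }}` / `run: echo "GH_TOKEN=$APP_TOKEN" >> "$GITHUB_ENV"` (the all-platforms variant echoes a second `GITHUB_TOKEN=` line the same way). Separately, `owner: citusdata` with no `repositories:` input scopes the minted token to every repository the installation can reach; listing the repositories each job actually touches keeps it least-privilege. Note also that installation tokens expire after one hour and the action revokes the token in its post step, so a matrix job that runs longer than that will see later GitHub calls fail. The enclosing `steps:` list continues outside the hunk.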
@@ -25,6 +24,17 @@ jobs: job_name: [docker_pull_citus, github_clone_citus, homebrew_citus] steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export GitHub App token to environment + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/statistic-tests.yml b/.github/workflows/statistic-tests.yml index 5b9eb9ea..b89aa304 100644 --- a/.github/workflows/statistic-tests.yml +++ b/.github/workflows/statistic-tests.yml @@ -5,7 +5,6 @@ env: DB_PASSWORD: ${{ secrets.STATS_DB_PASSWORD }} DB_HOST_AND_PORT: ${{ secrets.STATS_DB_HOST_AND_PORT }} DB_NAME: ${{ secrets.STATS_DB_NAME }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGE_CLOUD_ADMIN_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_ADMIN_API_TOKEN }} on: @@ -21,6 +20,17 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export GitHub App token to environment + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/tool-tests.yml b/.github/workflows/tool-tests.yml index 8759a7d5..89ab71d9 100644 --- a/.github/workflows/tool-tests.yml +++ b/.github/workflows/tool-tests.yml @@ -1,7 +1,6 @@ name: Tool Tests env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} MICROSOFT_EMAIL: gindibay@microsoft.com USER_NAME: Gurkan Indibay MAIN_BRANCH: all-citus 
@@ -27,6 +26,17 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export GitHub App token to environment + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Checkout repository uses: actions/checkout@v3 with: From b148bde510962f899c02f434310eebe351acd5d2 Mon Sep 17 00:00:00 2001 From: Citus Bot Date: Wed, 17 Jun 2026 12:53:59 +0300 Subject: [PATCH 2/2] Phase 1: resolve App ID via vars with secrets fallback The mint step failed with '[@octokit/auth-app] appId option is required' because GH_APP_ID resolved empty as a secret reference. GH_APP_ID is an org variable (App IDs are non-sensitive); GH_APP_KEY remains a secret. Use \ ars.GH_APP_ID || secrets.GH_APP_ID\ so the workflow works whether the App ID is stored as a variable or a secret. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/citus-package-all-platforms-test.yml | 2 +- .github/workflows/packaging-methods-tests.yml | 2 +- .github/workflows/statistic-schedule.yml | 2 +- .github/workflows/statistic-tests.yml | 2 +- .github/workflows/tool-tests.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/citus-package-all-platforms-test.yml b/.github/workflows/citus-package-all-platforms-test.yml index f83a6e68..256bc8bc 100644 --- a/.github/workflows/citus-package-all-platforms-test.yml +++ b/.github/workflows/citus-package-all-platforms-test.yml @@ -38,7 +38,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v2 with: - app-id: ${{ secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/packaging-methods-tests.yml b/.github/workflows/packaging-methods-tests.yml index 68da1a95..ecd7e7e6 100644 
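Review bot: The `app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }}` line, like the whole mint step around it, is now copied verbatim into five workflows (this file, packaging-methods-tests.yml, statistic-schedule.yml, statistic-tests.yml, tool-tests.yml), and this follow-up commit shows the cost: a one-line lookup fix had to be applied five times. A composite action (e.g. under `.github/actions/` — path illustrative) wrapping `actions/create-github-app-token@v2` with the app-id, private-key and owner inputs would give one place to change the lookup and to tighten token scoping later. The step's `- name:` line lies before the hunk.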
--- a/.github/workflows/packaging-methods-tests.yml +++ b/.github/workflows/packaging-methods-tests.yml @@ -16,7 +16,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v2 with: - app-id: ${{ secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/statistic-schedule.yml b/.github/workflows/statistic-schedule.yml index d6958a41..b49daf37 100644 --- a/.github/workflows/statistic-schedule.yml +++ b/.github/workflows/statistic-schedule.yml @@ -28,7 +28,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v2 with: - app-id: ${{ secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/statistic-tests.yml b/.github/workflows/statistic-tests.yml index b89aa304..7cf31b40 100644 --- a/.github/workflows/statistic-tests.yml +++ b/.github/workflows/statistic-tests.yml @@ -24,7 +24,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v2 with: - app-id: ${{ secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/tool-tests.yml b/.github/workflows/tool-tests.yml index 89ab71d9..c7cfef4d 100644 --- a/.github/workflows/tool-tests.yml +++ b/.github/workflows/tool-tests.yml @@ -30,7 +30,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v2 with: - app-id: ${{ secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata