From 054e1241f44452cd7307f051c1b244cdef6984fe Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Thu, 26 Mar 2026 15:45:55 +0000
Subject: [PATCH] chore(ci): Replace GH_CQ_BOT PAT with GitHub App tokens

Replace the non-expiring personal access token (GH_CQ_BOT) with short-lived tokens from the cloudquery-ci GitHub App using actions/create-github-app-token@v3.
---
 .github/.kodiak.toml | 2 +-
 .github/workflows/prepare.yml | 9 ++++++++-
 .github/workflows/release-please.yml | 10 +++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml
index 10cb6bba..60dec355 100644
--- a/.github/.kodiak.toml
+++ b/.github/.kodiak.toml
@@ -2,7 +2,7 @@ version = 1
 [approve]
-auto_approve_usernames = ["cq-bot"]
+auto_approve_usernames = ["cloudquery-ci"]
 [merge.message]
 body = "pull_request_body"
diff --git a/.github/workflows/prepare.yml b/.github/workflows/prepare.yml
index b31e0d53..39e9d50d 100644
--- a/.github/workflows/prepare.yml
+++ b/.github/workflows/prepare.yml
@@ -10,9 +10,16 @@ jobs:
 prepare-dist:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ permission-contents: write
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
- token: ${{ secrets.GH_CQ_BOT }}
+ token: ${{ steps.app-token.outputs.token }}
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: "lts/*"
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index dd400ed3..feb42383 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
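Review bot: The `auto_approve_usernames` entry now names the GitHub App, so every pull request authored with a `cloudquery-ci` token is approved without a human reviewer, and nothing on the line says which automation that is meant to cover. Access to `CQ_APP_ID` and `CQ_APP_PRIVATE_KEY` is therefore what gates this approval path, since a workflow holding them can mint a token with `permission-pull-requests: write`. I would add a comment above the entry such as `# cloudquery-ci: GitHub App used by release-please.yml; PRs it opens are auto-approved`. It is also worth confirming that Kodiak matches the App's author login, which GitHub displays with a `[bot]` suffix, against this bare name.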
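Review bot: The token minted with `permission-contents: write` is handed to `actions/checkout`, which by default keeps it in the workspace git configuration, so `actions/setup-node` and every build step after it run with a write-capable credential on disk. The job body continues outside this hunk, so I cannot see which step actually pushes. If only that step needs the credential, `persist-credentials: false` under the checkout `with:` plus passing `${{ steps.app-token.outputs.token }}` to the pushing step alone would narrow the exposure. Separately, `CQ_APP_PRIVATE_KEY` is itself a non-expiring secret, so it still needs a rotation plan; this applies equally to the release-please.yml hunk.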
@@ -11,6 +11,14 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ with:
+ app-id: ${{ secrets.CQ_APP_ID }}
+ private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - uses: GoogleCloudPlatform/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 with:
- token: ${{ secrets.GH_CQ_BOT }}
+ token: ${{ steps.app-token.outputs.token }}
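Review bot: The job header visible here (`runs-on`, then `steps`) sets no `permissions:`, so the default `GITHUB_TOKEN` keeps whatever scopes the repository grants even though the release step now authenticates with the App token. Unless a workflow-level block above the hunk already restricts it, and provided no step outside the hunk relies on it, adding `permissions: {}` under `release-please:` would remove that unused credential. The token step also lacks a comment explaining why both write scopes are requested. A line such as `# release-please pushes release commits/tags and opens the release PR` would help later scope reviews.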