chore(ci): Replace GH_CQ_BOT PAT with GitHub App tokens (#41)

erezrokah · web-flow · commit 4ee27fca2458 · 2026-03-27T11:37:15.000Z
* chore(ci): Replace GH_CQ_BOT PAT with GitHub App tokens

Replace the non-expiring personal access token (GH_CQ_BOT) with
short-lived tokens from the cloudquery-ci GitHub App using
actions/create-github-app-token@v3.

* Add Renovate configuration file

* Update KICS GitHub Action version
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,3 @@
+{
+  extends: ["github>cloudquery/.github//.github/renovate-default.json5"],
+}
diff --git a/.github/workflows/release_please.yml b/.github/workflows/release_please.yml
@@ -16,7 +16,15 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - uses: googleapis/release-please-action@v4
         id: release
         with:
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -50,13 +50,20 @@ jobs:
         working-directory: ${{ matrix.module }}
 
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        with:
+          app-id: ${{ secrets.CQ_APP_ID }}
+          private-key: ${{ secrets.CQ_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
-          token: ${{ secrets.GH_CQ_BOT }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Configure Git for Pull Request
         if: github.event_name == 'pull_request'
@@ -140,7 +147,7 @@ jobs:
           echo "KICS_RESULTS_DIR=$results_dir" >> $GITHUB_ENV
 
       - name: Run KICS scan
-        uses: checkmarx/kics-github-action@v1.7.0
+        uses: checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # v2.1.20
         with:
           path: ${{ matrix.module }}
           config_path: .kics.config

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ extends: ["github>cloudquery/.github//.github/renovate-default.json5"],`
	`3`	`+}`