github actions: Use Github APP authentication instead of personal tokens

shreeya-patel98 · shreeya-patel98 · commit 77b6760335d3 · 2025-12-05T15:43:12.000Z
PRs that were created by this workflow were using my name
due to the personal github token being used here.
Use the latest Github App Authentication method set up by TJ
for us.

Signed-off-by: Shreeya Patel &lt;spatel@ciq.com&gt;
diff --git a/.github/workflows/kernel-build-and-test-x86_64.yml b/.github/workflows/kernel-build-and-test-x86_64.yml
@@ -16,6 +16,13 @@ jobs:
     if: "!contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Checkout kernel source
       uses: actions/checkout@v4
       with:
@@ -28,7 +35,7 @@ jobs:
         repository: ctrliq/kernel-container-build
         ref: automated-testing-v1
         path: kernel-container-build
-        token: ${{ secrets.PRIVATE_REPO_ACCESS_TOKEN }}
+        token: ${{ steps.generate_token.outputs.token }}
 
     # Host deps + KVM / FUSE validation
     - name: Install host dependencies & verify KVM/FUSE
@@ -92,13 +99,20 @@ jobs:
     needs: build
 
     steps:
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Checkout kernel-container-build (test branch)
       uses: actions/checkout@v4
       with:
         repository: ctrliq/kernel-container-build
         ref: automated-testing-v1
         path: kernel-container-build
-        token: ${{ secrets.PRIVATE_REPO_ACCESS_TOKEN }}
+        token: ${{ steps.generate_token.outputs.token }}
 
     - name: Install host dependencies
       run: |
@@ -146,13 +160,20 @@ jobs:
     needs: boot
 
     steps:
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Checkout kernel-container-build (test branch)
       uses: actions/checkout@v4
       with:
         repository: ctrliq/kernel-container-build
         ref: automated-testing-v1
         path: kernel-container-build
-        token: ${{ secrets.PRIVATE_REPO_ACCESS_TOKEN }}
+        token: ${{ steps.generate_token.outputs.token }}
 
     - name: Install host dependencies
       run: |
@@ -226,10 +247,17 @@ jobs:
           sudo apt-get install -y gh
         fi
 
+    - name: Generate GitHub App token for comparison
+      id: generate_token_compare
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Determine base branch for comparison
       id: base_branch
       env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_TOKEN: ${{ steps.generate_token_compare.outputs.token }}
       run: |
         BASE_BRANCH=""
         BRANCH_NAME="${{ github.ref_name }}"
@@ -487,9 +515,16 @@ jobs:
         git checkout origin/main -- .github/scripts/create-pr-body.sh
         chmod +x .github/scripts/create-pr-body.sh
 
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
     - name: Create Pull Request
       env:
-        GH_TOKEN: ${{ secrets.PRIVATE_REPO_ACCESS_TOKEN }}
+        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
       run: |
         # Reuse base branch from compare-results stage (already computed)
         BASE_BRANCH="${{ needs.compare-results.outputs.base_branch }}"
