From f709cfa4fbc73ebe11204f15cc056a30ad02e1fc Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Tue, 19 May 2026 18:56:03 -0700
Subject: [PATCH] fix: author evalopsbot canary with actions token
---
 .../workflows/evalopsbot-review-canary.yml | 29 ++++---------------
 1 file changed, 5 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/evalopsbot-review-canary.yml b/.github/workflows/evalopsbot-review-canary.yml
index 899a140..3373e12 100644
--- a/.github/workflows/evalopsbot-review-canary.yml
+++ b/.github/workflows/evalopsbot-review-canary.yml
@@ -11,7 +11,10 @@ on:
 default: "true"
 permissions:
- contents: read
+ checks: read
+ contents: write
+ pull-requests: write
+ statuses: read
 concurrency:
 group: evalopsbot-review-canary
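Review bot: The widened `permissions:` block sits at workflow level, so `contents: write` and `pull-requests: write` are granted to every job in this file rather than only to the job that pushes the canary branch and opens the PR. If a single job needs them, declare the block under that job and leave the workflow default at `contents: read`. A comment such as `# contents: write pushes the canary branch; pull-requests: write opens and closes the canary PR` would record why each write scope exists; that purpose is inferred from the env names in the next hunk, so confirm it. The `on:` block and the `jobs:` section lie outside this hunk.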
@@ -22,37 +25,15 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 env:
- GH_TOKEN: ${{ secrets.EVALOPS_PR_LENS_TOKEN || secrets.EVALOPS_REVIEW_GUARD_TOKEN }}
+ GH_TOKEN: ${{ github.token }}
 CANARY_BRANCH: evalopsbot-review-canary
 CANARY_REPO: evalops/.github
 CLEANUP: ${{ github.event_name == 'workflow_dispatch' && inputs.cleanup || 'true' }}
- PR_LENS_APP_REPOSITORIES: ".github,platform,deploy,maestro-internal,maestro,ensemble,diffscope,chat,cerebro"
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 with:
 persist-credentials: false
- - name: Configure GitHub App token
- shell: bash
- env:
- APP_ID: ${{ secrets.EVALOPS_PR_LENS_APP_ID }}
- APP_PRIVATE_KEY: ${{ secrets.EVALOPS_PR_LENS_APP_PRIVATE_KEY }}
- APP_INSTALLATION_ID: ${{ secrets.EVALOPS_PR_LENS_APP_INSTALLATION_ID }}
- run: |
- set -euo pipefail
- if [ -n "${APP_ID}" ] && [ -n "${APP_PRIVATE_KEY}" ]; then
- token="$(
- EVALOPS_PR_LENS_APP_ID="${APP_ID}" \
- EVALOPS_PR_LENS_APP_PRIVATE_KEY="${APP_PRIVATE_KEY}" \
- EVALOPS_PR_LENS_APP_INSTALLATION_ID="${APP_INSTALLATION_ID}" \
- ruby .github/scripts/evalops-pr-lens-review.rb mint-app-token \
- --owner evalops \
- --repositories "${PR_LENS_APP_REPOSITORIES}"
- )"
- echo "::add-mask::${token}"
- echo "GH_TOKEN=${token}" >> "${GITHUB_ENV}"
- fi
-
 - name: Create canary review request
 id: canary
 shell: bash
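Review bot: `GH_TOKEN: ${{ github.token }}` is set in the job-level `env:`, so a token that now carries `contents: write` and `pull-requests: write` is present in the environment of every step of the job, not only the steps that call the GitHub API. Moving it into the `env:` of the steps that need it (for example under `Create canary review request`) keeps the exposure narrow. Separately, events created with the workflow's own token do not start new workflow runs, so if the reviewer under test is triggered by a `pull_request` workflow rather than by an App webhook, the canary PR would never receive a review; a comment next to `GH_TOKEN` stating which path the canary relies on would make that assumption checkable. The steps after `Create canary review request` are outside this hunk.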