
ci: repoint app-token mint at live five-app credentials#17

Merged: zircote merged 1 commit into main from fix/app-token-live-credentials on Jul 1, 2026

Conversation

@zircote zircote commented Jul 1, 2026


What

Bump the pinned .github reusable-workflow SHAs to f29366f so the App token mints read the current five-app-fleet credentials instead of the removed MIF_CI_* one.

  • reusable-dependabot-automerge.yml@f29366f reads vars.AUTOMERGE_CLIENT_APP_ID
  • reusable-scorecard.yml@f29366f reads vars.CI_CLIENT_APP_ID

The scorecard (posture) caller also now passes app-private-key: secrets.CI_CLIENT_APP_PRIVATE_KEY, matching the accepted pattern in ontologies and MIF. Without the key the reusable falls back to GITHUB_TOKEN and Scorecard cannot read branch protection.

Why

The legacy modeled-information-format-ci App and its MIF_CI_* variable/secret were retired under ADR-011 (five least-privilege Apps: ci/catalog/pages/automerge/release). The old pins still resolved to reusables that read the removed MIF_CI_CLIENT_APP_ID, so the token mint would find an empty client-id and the auto-merge/scorecard identity would break.

Scope

Touches only .github/workflows/**. The reusable caller contract (app-private-key secret, inputs) is unchanged, so the bump is drop-in. SHA-pinned to a 40-char commit; no app permissions changed beyond what ADR-011/apps.json define.

Bump the pinned .github reusable-workflow SHA to f29366f so the App token
mint reads the current five-app-fleet variable (ADR-011) instead of the
retired MIF_CI_CLIENT_APP_ID:
- reusable-dependabot-automerge.yml@f29366f reads vars.AUTOMERGE_CLIENT_APP_ID
- reusable-scorecard.yml@f29366f reads vars.CI_CLIENT_APP_ID
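As an added check, not the repository's own code: a small lint over a caller workflow that flags the two things this PR fixes, a reusable-workflow `uses:` reference that is not pinned to a full 40-char commit SHA, and a reusable-scorecard.yml caller that does not pass app-private-key (so the reusable would fall back to GITHUB_TOKEN). The org name, the full SHA and the automerge secret name in the constructed sample are placeholders.

```python
import re

# Constructed sample caller workflow, not the repository's real file. The
# org name, the full 40-char SHA and the automerge secret name are placeholders.
SAMPLE_WORKFLOW = """\
name: quality-gates
on: [push]
jobs:
  scorecard:
    uses: example-org/.github/.github/workflows/reusable-scorecard.yml@f29366f
  automerge:
    uses: example-org/.github/.github/workflows/reusable-dependabot-automerge.yml@0123456789abcdef0123456789abcdef01234567
    secrets:
      app-private-key: ${{ secrets.AUTOMERGE_CLIENT_APP_PRIVATE_KEY }}
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*uses:\s*(\S+?/\.github/workflows/[^@\s]+)@(\S+)", re.M)
KEY_PASSED = re.compile(r"^\s+(app-private-key:|secrets:\s*inherit\s*$)", re.M)

def split_jobs(text):
    """Map each job under the top-level 'jobs:' key to its indented body lines."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if in_jobs and line[:1] not in (" ", ""):
            break                      # next top-level key ends the jobs map
        m = re.match(r"^  (\S+):\s*$", line)
        if in_jobs and m:
            current = m.group(1)
            jobs[current] = []
        elif in_jobs and current is not None:
            jobs[current].append(line)
    return jobs

def audit_callers(text):
    """Return (job, finding) pairs; an empty list means every caller is clean."""
    findings = []
    for job, lines in split_jobs(text).items():
        body = "\n".join(lines)
        m = USES.search(body)
        if not m:
            continue                   # not a reusable-workflow caller
        path, ref = m.groups()
        if not FULL_SHA.match(ref):    # short SHA, tag or branch is mutable
            findings.append((job, f"ref '{ref}' is not a 40-char commit SHA"))
        if path.endswith("reusable-scorecard.yml") and not KEY_PASSED.search(body):
            findings.append((job, "app-private-key not passed; reusable falls back to GITHUB_TOKEN"))
    return findings
```

Run against the sample it reports two findings for the scorecard job and none for the automerge job; a caller pinned to a full SHA that passes the secret produces an empty list.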
Copilot AI review requested due to automatic review settings July 1, 2026 01:36

Copilot AI left a comment


Pull request overview

This PR updates this repository’s GitHub Actions workflow callers to use the latest SHA-pinned versions of the org .github reusable workflows so GitHub App token minting uses the current “five-app-fleet” credentials, and Scorecard can read branch protection via the CI App key.

Changes:

  • Repoint reusable-scorecard.yml caller pin to f29366f… and pass app-private-key to avoid falling back to GITHUB_TOKEN.
  • Repoint reusable-dependabot-automerge.yml caller pin to f29366f… to use the current App ID variable contract in the reusable.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • .github/workflows/quality-gates.yml: updates the Scorecard reusable workflow pin and supplies the CI App private key via secrets.app-private-key.
  • .github/workflows/dependabot-automerge.yml: updates the Dependabot automerge reusable workflow pin to the new SHA.


@zircote zircote merged commit 82c4d82 into main Jul 1, 2026
24 checks passed