ci: repoint app-token mint at live five-app credentials #17
Merged
Conversation
Bump the pinned .github reusable-workflow SHA to f29366f so the App token mint reads the current five-app-fleet variable (ADR-011) instead of the retired MIF_CI_CLIENT_APP_ID:
- reusable-dependabot-automerge.yml@f29366f reads vars.AUTOMERGE_CLIENT_APP_ID
- reusable-scorecard.yml@f29366f reads vars.CI_CLIENT_APP_ID
Contributor
Pull request overview
This PR updates this repository’s GitHub Actions workflow callers to use the latest SHA-pinned versions of the org .github reusable workflows so GitHub App token minting uses the current “five-app-fleet” credentials, and Scorecard can read branch protection via the CI App key.
Changes:
- Repoint the reusable-scorecard.yml caller pin to f29366f… and pass app-private-key to avoid falling back to GITHUB_TOKEN.
- Repoint the reusable-dependabot-automerge.yml caller pin to f29366f… to use the current App ID variable contract in the reusable.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/quality-gates.yml | Updates the Scorecard reusable workflow pin and supplies the CI App private key via secrets.app-private-key. |
| .github/workflows/dependabot-automerge.yml | Updates the Dependabot automerge reusable workflow pin to the new SHA. |
What

Bump the pinned .github reusable-workflow SHAs to f29366f so the App token mints read the current five-app-fleet credentials instead of the removed MIF_CI_* one.
- reusable-dependabot-automerge.yml@f29366f reads vars.AUTOMERGE_CLIENT_APP_ID
- reusable-scorecard.yml@f29366f reads vars.CI_CLIENT_APP_ID

The scorecard (posture) caller also now passes app-private-key: secrets.CI_CLIENT_APP_PRIVATE_KEY, matching the accepted pattern in ontologies and MIF. Without the key the reusable falls back to GITHUB_TOKEN and Scorecard cannot read branch protection.

Why

The legacy modeled-information-format-ci App and its MIF_CI_* variable/secret were retired under ADR-011 (five least-privilege Apps: ci/catalog/pages/automerge/release). The old pins still resolved to reusables that read the removed MIF_CI_CLIENT_APP_ID, so the token mint would find an empty client-id and the auto-merge/scorecard identity would break.

Scope

Touches only .github/workflows/**. The reusable caller contract (app-private-key secret, inputs) is unchanged, so the bump is drop-in. SHA-pinned to a 40-char commit; no app permissions changed beyond what ADR-011/apps.json define.