fix: use kernel-internal app token in update-cli-coverage workflow#70
Merged
fix: use kernel-internal app token in update-cli-coverage workflow#70
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.
Or push these changes by commenting: Preview (91bfe24f62)diff --git a/.github/workflows/update-cli-coverage.yml b/.github/workflows/update-cli-coverage.yml
--- a/.github/workflows/update-cli-coverage.yml
+++ b/.github/workflows/update-cli-coverage.yml
@@ -26,6 +26,7 @@
with:
app-id: ${{ secrets.ADMIN_APP_ID }}
private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
+ owner: kernel
- name: Get PR info for manual dispatch
id: pr-info |
Contributor
Author
The actions/create-github-app-token step was generating a token scoped only to the current repository, but the workflow needs to clone and push to kernel/kernel and kernel/cli. Adding 'owner: kernel' grants the token access to all repos the app is installed on in the kernel organization. Applied via @cursor push command
ulziibay-kernel
approved these changes
Feb 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Switch from GH_TOKEN PAT to kernel-internal GitHub App token so pushes and PRs trigger CI.
Changes
secrets.GH_TOKENreferences withsteps.app-token.outputs.tokenkernel-internal[bot]name and proper bot email for commitsWhy
Using a GitHub App token instead of a PAT ensures that:
Note
Low Risk
Workflow-only authentication/identity changes; main risk is misconfigured app secrets/permissions causing the automation to fail to clone/push or open PRs.
Overview
Switches the
update-cli-coverageworkflow from usingsecrets.GH_TOKEN(PAT) to a generated GitHub App token (actions/create-github-app-token@v1withADMIN_APP_ID/ADMIN_APP_PRIVATE_KEY) for allghoperations (PR lookup, repo clones, and CLI update step).Updates the workflow’s git author identity to
kernel-internal[bot]so automated pushes/PRs are attributed to the app/bot (and can trigger downstream CI).Written by Cursor Bugbot for commit f717f2d. This will update automatically on new commits. Configure here.