Skip to content

ci: sign docs-sync commits with a GitHub App token#10

Merged
tbjers merged 1 commit into
mainfrom
ci/sign-docs-sync-with-github-app
Jul 2, 2026
Merged

ci: sign docs-sync commits with a GitHub App token#10
tbjers merged 1 commit into
mainfrom
ci/sign-docs-sync-with-github-app

Conversation

@tbjers

@tbjers tbjers commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Why

The export-docs.yml workflow opens a docs-sync PR against CoverageTracker/coverage-tracker, which requires signed commits on PRs. Four prior iterations failed for two root causes:

What

Authenticate with a GitHub App installation token so sign-commits: true yields GitHub-Verified commits:

  • Add actions/create-github-app-token@v2 step, scoped with owner: CoverageTracker + repositories: coverage-tracker (mandatory for the cross-repo target).
  • Use the app token in both the coverage-tracker checkout and the create-pull-request step.
  • Remove the Setup Gitsign step and the now-unused id-token: write permission.
  • Keep sign-commits: true.
  • Update README.md provisioning section: PAT → dedicated GitHub App (DOCS_SYNC_APP_ID / DOCS_SYNC_APP_PRIVATE_KEY).

Required manual setup before this works

Create a GitHub App on the CoverageTracker org (Contents RW + Pull requests RW), install it on coverage-tracker, and add secrets DOCS_SYNC_APP_ID + DOCS_SYNC_APP_PRIVATE_KEY to this repo.

Verify

Trigger the workflow, then confirm the docs-sync PR commits carry the green Verified badge and are authored by the app bot — a green run with unverified commits is the current failure mode.

🤖 Generated with Claude Code

The target repo requires signed commits on PRs. create-pull-request's
sign-commits builds commits via the GitHub API, which only signs them
(as the app bot, Verified) when authenticated with a bot token — the
fine-grained PAT left them unsigned. gitsign was a dead end too, since
Sigstore signatures always show Unverified on GitHub.

Mint an installation token via actions/create-github-app-token (scoped
with owner/repositories to the cross-org target), drop the gitsign step
and id-token permission, and keep sign-commits: true.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@tbjers tbjers merged commit d746c9d into main Jul 2, 2026
1 check passed
@tbjers tbjers deleted the ci/sign-docs-sync-with-github-app branch July 2, 2026 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant