
ci: use dedicated PAT for cross-repo workflow dispatch #562

Merged. lwshang merged 1 commit into main from lwshang/ci_promote_launcher_pat, May 19, 2026

@lwshang lwshang commented May 19, 2026

Summary

  • The promote-network-launcher workflow added in "ci: add network-launcher bump and promote workflows" (#561) failed on its first run with HTTP 403 from `gh workflow run`: `PR_AUTOMATION_BOT_PUBLIC` does not have `actions: write` on dfinity/icp-cli-network-launcher (its scope is PR creation, not workflow dispatch).
  • Replace the GitHub App token with a fine-grained PAT (NETWORK_LAUNCHER_DISPATCH_PAT) scoped only to Actions: Read and write on dfinity/icp-cli-network-launcher.
  • Inline-document the rotation steps so the next rotation (max 1y expiry) doesn't require digging through git history.

Notes

  • The PAT is pending org-level approval from IDX (standard for fine-grained PATs in the dfinity org).
  • A separate PAT will be created for the reverse direction (icp-cli-network-launcher → icp-cli) and stored in that repo — see icp-cli-network-launcher#60.

Test plan

  • PAT approved by IDX and added as NETWORK_LAUNCHER_DISPATCH_PAT secret on dfinity/icp-cli
  • After merge, trigger the workflow (re-write network-launcher-version or re-run the failed run) and confirm the dispatch into icp-cli-network-launcher succeeds

🤖 Generated with Claude Code

PR_AUTOMATION_BOT_PUBLIC lacks `actions: write` on
icp-cli-network-launcher, so the previous `gh workflow run` step failed
with HTTP 403. Switch to a fine-grained PAT scoped only to that repo,
and document the rotation steps inline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lwshang lwshang marked this pull request as ready for review May 19, 2026 20:03
@lwshang lwshang requested a review from a team as a code owner May 19, 2026 20:03
@lwshang lwshang enabled auto-merge (squash) May 19, 2026 20:03
@lwshang lwshang merged commit d1c51c5 into main May 19, 2026
89 checks passed
@lwshang lwshang deleted the lwshang/ci_promote_launcher_pat branch May 19, 2026 20:05
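
For readers following the change, here is a sketch of a cross-repo dispatch job that uses the PAT the way the summary describes. It is an added example, not the workflow from this PR or from the dfinity repositories. The trigger, the `version` input, the target workflow file name `promote.yml` and the `main` ref are assumptions; only the secret name and the target repository come from the page.

```yaml
# Added example; anything marked "hypothetical" or "assumed" is not taken from the PR.
name: promote-network-launcher
on:
  workflow_dispatch:          # assumed trigger; the real trigger is not shown on this page
    inputs:
      version:                # hypothetical input
        required: true
        type: string

# The job's own GITHUB_TOKEN is never used, so it gets no permissions at all.
permissions: {}

jobs:
  dispatch:
    runs-on: ubuntu-latest
    env:
      TARGET_REPO: dfinity/icp-cli-network-launcher
    steps:
      # Fail early with a readable message if the PAT is expired, not yet
      # approved, or missing the Actions permission on the target repo.
      - name: Check that the PAT can read Actions on the target repo
        env:
          GH_TOKEN: ${{ secrets.NETWORK_LAUNCHER_DISPATCH_PAT }}
        run: |
          if ! gh api "repos/${TARGET_REPO}/actions/workflows" --jq '.total_count' >/dev/null; then
            echo "::error::NETWORK_LAUNCHER_DISPATCH_PAT was rejected by ${TARGET_REPO}; check expiry, org approval and the Actions permission"
            exit 1
          fi

      # The PAT is exposed only to the steps that need it. The input is passed
      # through an environment variable rather than interpolated into the script.
      - name: Dispatch the target workflow
        env:
          GH_TOKEN: ${{ secrets.NETWORK_LAUNCHER_DISPATCH_PAT }}
          VERSION: ${{ inputs.version }}
        run: |
          # promote.yml and the "version" field are hypothetical names.
          gh workflow run promote.yml --repo "${TARGET_REPO}" --ref main -f "version=${VERSION}"
```

Because the PAT is scoped to Actions on a single repository, a leak of this secret allows workflow dispatch on that repository only, which is the least-privilege property the summary is after.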