chore(ci): use GitHub App token for stack sync workflows (#495)

wax911 · home-lab · web-flow · commit 11eeb8d51232 · 2026-06-18T13:16:42.000+02:00
Co-authored-by: home-lab &lt;home-lab@homelab&gt;
diff --git a/.github/workflows/nightly-stack-sync.yml b/.github/workflows/nightly-stack-sync.yml
@@ -15,11 +15,19 @@ jobs:
     name: Regenerate stacks and open PR if drifted
     runs-on: ubuntu-latest
     steps:
+      - name: Generate app token
+        uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Checkout dev branch
         uses: actions/checkout@v6
         with:
           ref: dev
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Python
         uses: actions/setup-python@v6
@@ -60,7 +68,7 @@ jobs:
         if: steps.drift.outputs.drifted == 'true'
         uses: peter-evans/create-pull-request@v8
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           signoff: true
           delete-branch: true
           commit-message: "chore(stacks): nightly regeneration from compose sources"
diff --git a/.github/workflows/renovate-stack-sync.yml b/.github/workflows/renovate-stack-sync.yml
@@ -13,11 +13,19 @@ jobs:
     if: github.actor == 'renovate[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
+      - name: Generate app token
+        uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Checkout Renovate branch
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up Python
         uses: actions/setup-python@v6
@@ -33,5 +41,6 @@ jobs:
       - name: Commit regenerated stacks when drift exists
         uses: stefanzweifel/git-auto-commit-action@v7
         with:
+          token: ${{ steps.app-token.outputs.token }}
           commit_message: "chore(stacks): sync generated stacks for renovate update"
           file_pattern: stacks/*.yml
