refactor: remove HAS_APP_SECRETS — credentials are always available via OIDC

Assisted-By: docker-agent

Author: derekmisler

.github/workflows/pr-describe.yml

@@ -12,8 +12,6 @@ jobs:
     # Only run if comment contains /describe and is on a PR
     if: ${{ (github.event.issue.pull_request && contains(github.event.comment.body, '/describe')) }}
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: 'true'
     permissions:
       contents: read
       pull-requests: write
@@ -73,7 +71,6 @@ jobs:
       # Generate GitHub App token so actions appear as the custom app (optional - falls back to github.token)
       - name: Get GitHub App token
         id: app-token
-        if: env.HAS_APP_SECRETS == 'true'
         continue-on-error: true  # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:

.github/workflows/reply-to-feedback.yml

@@ -32,8 +32,6 @@ jobs:
       issues: write
       actions: read
       id-token: write
-    env:
-      HAS_APP_SECRETS: 'true'
 
     steps:
       - name: Configure AWS credentials
@@ -332,7 +330,7 @@ jobs:
           ref: refs/pull/${{ steps.meta.outputs.pr_number }}/head
 
       - name: Generate GitHub App token
-        if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true'
         id: app-token
         continue-on-error: true
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2

.github/workflows/review-pr.yml

@@ -129,8 +129,6 @@ jobs:
       pull-requests: write
       issues: write
       id-token: write
-    env:
-      HAS_APP_SECRETS: 'true'
     outputs:
       exit-code: ${{ steps.run-review.outputs.exit-code }}
 
@@ -245,7 +243,7 @@ jobs:
 
       # Generate GitHub App token for custom app identity (optional - falls back to github.token)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
@@ -288,8 +286,6 @@ jobs:
       pull-requests: write
       issues: write
       id-token: write
-    env:
-      HAS_APP_SECRETS: 'true'
     outputs:
       exit-code: ${{ steps.run-review.outputs.exit-code }}
 
@@ -361,7 +357,7 @@ jobs:
       # Generate GitHub App token first so the check run is created under the app's identity
       # (prevents GitHub from nesting it under unrelated pull_request-triggered workflows)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
@@ -518,8 +514,6 @@ jobs:
       pull-requests: write
       issues: write
       id-token: write
-    env:
-      HAS_APP_SECRETS: 'true'
 
     steps:
       - name: Configure AWS credentials
@@ -769,7 +763,7 @@ jobs:
 
       # Generate GitHub App token for custom app identity (optional - falls back to github.token)
       - name: Generate GitHub App token
-        if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true'
         id: app-token
         continue-on-error: true
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2

.github/workflows/security-scan.yml

@@ -19,8 +19,6 @@ jobs:
   security-scan:
     name: Security Scan with Docker Agent
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: 'true'
     permissions:
       contents: read
       issues: write
@@ -58,7 +56,6 @@ jobs:
       # Generate GitHub App token so issues appear as the custom app (optional - falls back to github.token)
       - name: Get GitHub App token
         id: app-token
-        if: env.HAS_APP_SECRETS == 'true'
         continue-on-error: true  # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:

.github/workflows/self-review-pr.yml

@@ -46,8 +46,6 @@ jobs:
         github.event.workflow_run.head_repository.full_name != github.repository
       )
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: 'true'
 
     steps:
       - name: Configure AWS credentials
@@ -178,7 +176,7 @@ jobs:
 
       # Generate GitHub App token for custom app identity (optional - falls back to github.token)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
@@ -213,8 +211,6 @@ jobs:
       startsWith(github.event.comment.body, '/review') &&
       (github.event.comment.user.type != 'Bot' || github.event.comment.user.login == 'docker-agent[bot]')
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: 'true'
 
     steps:
       - name: Configure AWS credentials
@@ -284,7 +280,7 @@ jobs:
       # Generate GitHub App token first so the check run is created under the app's identity
       # (prevents GitHub from nesting it under unrelated pull_request-triggered workflows)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2