

@GabrielDrapor GabrielDrapor commented Aug 18, 2025

PR Type

Enhancement


Description

  • Replace GITHUB_TOKEN with GitHub App authentication

  • Add GitHub App token generation step

  • Update checkout and pull request actions to use app token


Diagram Walkthrough

flowchart LR
  A["GitHub App Secrets"] --> B["Generate App Token"]
  B --> C["Checkout Repository"]
  B --> D["Create Pull Request"]
  E["GITHUB_TOKEN"] -.-> F["Removed"]

File Walkthrough

Relevant files

Enhancement
  generate-manifest.yml (.github/workflows/generate-manifest.yml), +9/-2
  Replace GITHUB_TOKEN with GitHub App authentication

  • Add GitHub App token generation step using actions/create-github-app-token@v1
  • Replace GITHUB_TOKEN with app token in checkout action
  • Replace GITHUB_TOKEN with app token in create-pull-request action
  • Use BOT_APP_ID and BOT_PRIVATE_KEY secrets for authentication

Summary by CodeRabbit

  • Chores
    • Updated CI workflow to use GitHub App authentication for repository checkout and pull request creation.
    • Centralized token generation in the workflow for consistent authentication across steps.
    • Improved reliability of automated pull request generation by aligning all steps to the same authentication method.

coderabbitai bot commented Aug 18, 2025

Caution: review failed. The pull request is closed.

Walkthrough

The workflow .github/workflows/generate-manifest.yml now creates a GitHub App token via actions/create-github-app-token@v1 and uses that token for repository checkout and PR creation, replacing usage of secrets.GITHUB_TOKEN.

Changes

Cohort / File(s): Workflow auth via GitHub App
  .github/workflows/generate-manifest.yml
Summary: Add step to generate GitHub App token (using BOT_APP_ID and BOT_PRIVATE_KEY). Replace secrets.GITHUB_TOKEN with app-token output for checkout and PR creation steps.

Sequence Diagram(s)

sequenceDiagram
  participant GH Actions as Workflow
  participant GitHub as GitHub API
  participant App as GitHub App

  GH Actions->>GitHub: Start generate-manifest workflow
  GH Actions->>App: actions/create-github-app-token (BOT_APP_ID, BOT_PRIVATE_KEY)
  App-->>GH Actions: App installation token
  GH Actions->>GitHub: Checkout repo using App token
  GH Actions->>GH Actions: Generate manifest
  GH Actions->>GitHub: Create Pull Request using App token

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

Review effort 1/5

Poem

I thump my paws on YAML ground,
A token swap—no extra sound.
Hop-hop, the App now signs the deed,
Checkout, PR—swift as speed.
With secret keys in burrow tight,
Our manifest springs into light. 🐇✨


📥 Commits

Reviewing files that changed from the base of the PR and between bd91fc5 and 08b1fc1.

📒 Files selected for processing (1)
  • .github/workflows/generate-manifest.yml (2 hunks)

@qodo-merge-pro
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Permissions Scope

Ensure the GitHub App has sufficient repository permissions (contents, pull requests) for the target repos where branches/PRs are created; workflow permissions alone are set, but App permissions must match or the token may fail when pushing or opening PRs, especially across orgs or private repos.

permissions:
  contents: write
  pull-requests: write

Token Propagation

Confirm all actions that require authentication use the app token; for example, any future git push or API calls in omitted steps must use GITHUB_TOKEN override or explicit headers, otherwise auth may mix tokens and cause permission errors.

- name: Checkout repository
  uses: actions/checkout@v4
  with:
    token: ${{ steps.app-token.outputs.token }}

- name: Set up Python
  uses: actions/setup-python@v4
  with:
    python-version: '3.11'

App Token Expiry

GitHub App tokens are short-lived; if the workflow has long-running steps before creating the PR, consider re-issuing the token or placing token-dependent steps close together to avoid expiration issues.

- name: Generate GitHub App token
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.BOT_APP_ID }}
    private-key: ${{ secrets.BOT_PRIVATE_KEY }}
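The token flow that the PR description and the reviewer guide above discuss (mint an App token, use it for checkout and for the pull request, keep the token-dependent steps together), written out as an added workflow example. This is not the project's generate-manifest.yml: it assumes the BOT_APP_ID and BOT_PRIVATE_KEY secrets named in the PR, a hypothetical scripts/generate_manifest.py, and the peter-evans/create-pull-request action for the PR step. It goes beyond the diff in two ways: the token is scoped to the current repository rather than the whole installation, and the checkout step does not persist the token into .git/config.

```yaml
# Added example (not the project's own workflow). Assumes the BOT_APP_ID and
# BOT_PRIVATE_KEY secrets from the PR and a hypothetical scripts/generate_manifest.py.
name: generate-manifest

on:
  workflow_dispatch:
  push:
    branches: [main]
    paths: ["registry/**"]   # constructed trigger path; adjust to the real inputs

# No workflow-level permissions: GITHUB_TOKEN is not what does the writes here.
permissions: {}

jobs:
  manifest:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # GITHUB_TOKEN needs nothing more; writes use the App token
    steps:
      - name: Generate GitHub App token
        id: app-token
        # Placeholder pin: replace "v1" with the action's full commit SHA and keep
        # the version in a trailing comment, so the reference cannot be moved.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
          # owner alone would scope the token to every repository in the
          # installation; naming the repository keeps it to this one. The App
          # itself must hold Contents: write and Pull requests: write.
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          # Do not leave the short-lived App token in .git/config for later steps.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Generate manifest
        run: python scripts/generate_manifest.py   # hypothetical script

      # Kept directly after minting so the one-hour token cannot expire first;
      # the push and the PR creation both use the same App token.
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.app-token.outputs.token }}
          branch: bot/update-manifest
          commit-message: "chore: regenerate manifest"
          title: "chore: regenerate manifest"
          body: "Automated manifest refresh (constructed example)."
          delete-branch: true
```

Because the App token, not GITHUB_TOKEN, performs the push and opens the PR, the job-level permissions block can stay at read-only, and the resulting pull request triggers downstream workflows the way a human-authored one would, which is the usual reason for moving from GITHUB_TOKEN to an App in the first place.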

@qodo-merge-pro
Contributor

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: codex

Failed stage: Run Codex [❌]

Failure summary:

The action failed because a permission check for the GitHub actor qodo-merge-pro[bot] did not pass.
The script fetched the collaborator permission via:

  gh api "/repos/${GITHUB_REPOSITORY}/collaborators/qodo-merge-pro[bot]/permission" | jq -r '.permission'

It then exited with status 1 if the permission was not admin or write. The retrieved permission was neither admin nor write, causing the conditional to trigger and the step to exit with code 1.

Relevant error logs:
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

116:  ##[endgroup]
117:  ##[group]Run set -euo pipefail
118:  set -euo pipefail
119:  
120:  PERMISSION=$(gh api \
121:    "/repos/${GITHUB_REPOSITORY}/collaborators/qodo-merge-pro[bot]/permission" \
122:    | jq -r '.permission')
123:  
124:  if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "write" ]]; then
125:    exit 1
126:  fi
127:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
128:  env:
129:  GH_TOKEN: ***
130:  ##[endgroup]
131:  ##[error]Process completed with exit code 1.
132:  Post job cleanup.

@GabrielDrapor GabrielDrapor merged commit d2e10e2 into main Aug 18, 2025
7 of 9 checks passed
@GabrielDrapor GabrielDrapor deleted the Jiarui/smart-registry-workflow branch August 18, 2025 06:47
@qodo-merge-pro
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Set explicit app token owner

Explicitly set the repository owner so the app token is minted for the correct
installation, avoiding "No installation found" errors on forks or org repos. Use
the repository owner from the GitHub context to keep it flexible.

.github/workflows/generate-manifest.yml [21-26]

 - name: Generate GitHub App token
   id: app-token
   uses: actions/create-github-app-token@v1
   with:
     app-id: ${{ secrets.BOT_APP_ID }}
     private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+    owner: ${{ github.repository_owner }}
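Review bot: adding `owner` on its own widens the token's scope rather than just fixing installation lookup. actions/create-github-app-token documents that when `owner` is set and `repositories` is empty, the token is granted access to every repository in that owner's installation, whereas leaving both unset (the form in the current `- name: Generate GitHub App token` step) scopes it to the current repository only. If the explicit owner is wanted, pair it with `repositories: ${{ github.event.repository.name }}` so the token handed to checkout and to the PR step stays limited to this repo.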
Suggestion importance [1-10]: 6

Why: This is a good practice suggestion that improves the workflow's robustness by explicitly setting the owner, which can prevent potential token generation issues in forked repositories.

Impact: Low

Category: Organization best practice
Suggestion: Pin the action version

Pin third-party GitHub Actions to a specific version or commit SHA instead of a
floating major tag to prevent unintended updates. Update the uses: reference to
an immutable hash or a tagged minor/patch release.

.github/workflows/generate-manifest.yml [21-26]

 - name: Generate GitHub App token
   id: app-token
-  uses: actions/create-github-app-token@v1
+  uses: actions/[email protected]
   with:
     app-id: ${{ secrets.BOT_APP_ID }}
     private-key: ${{ secrets.BOT_PRIVATE_KEY }}
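Review bot: the `+  uses:` line pins to a release tag, and a tag is a mutable reference that can be moved after the fact, so it does not give the immutability the suggestion text asks for. Pin to the full 40-character commit SHA with the version kept in a trailing comment (`uses: actions/create-github-app-token@<full-sha> # vX.Y.Z`, SHA taken from the action's release page), and apply the same treatment to `actions/checkout@v4` and `actions/setup-python@v4` in the same workflow, which are left floating by this diff.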
Suggestion importance [1-10]: 6

Why: Relevant best practice - Avoid unpinned or floating GitHub Actions to ensure supply-chain security and reproducible builds.

Impact: Low

@mcpm-semantic-release

🎉 This PR is included in version 2.7.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


2 participants