From 84ec999955d05fa3550e25ec43e59be6fda3eed4 Mon Sep 17 00:00:00 2001
From: Jaxxen
Date: Mon, 15 Jun 2026 20:17:58 +0000
Subject: [PATCH] ci(flake-update): use a GitHub App token instead of a PAT

Mint a short-lived (~1h) GitHub App installation token (actions/create-github-app-token, pinned to v3.2.0) for the weekly flake.lock PR instead of a long-lived PAT: no token expiry to silently break the cron run, 1h-scoped tokens rather than a stored secret, and PRs come from the org App identity, not a personal account. Still not GITHUB_TOKEN, so the bot's PR triggers `check`. Drop the job's GITHUB_TOKEN perms to contents:read (the App token does the branch push + PR creation). Requires repo config before the next run: a GitHub App (Contents RW + Pull requests RW) installed on this repo, App ID in the `APP_ID` variable + private key in the `APP_PRIVATE_KEY` secret.

Co-authored-by: Claude
---
 .github/workflows/flake-update.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
index 0524ba7..8f9909a 100644
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -15,10 +15,21 @@ on:
 jobs:
   update:
     runs-on: ubuntu-latest
+    # Least privilege: GITHUB_TOKEN is used only by checkout (read). The branch push + PR
+    # creation use a GitHub App installation token (below), not GITHUB_TOKEN.
     permissions:
-      contents: write
-      pull-requests: write
+      contents: read
     steps:
+      # Mint a short-lived (~1h) GitHub App installation token — used instead of GITHUB_TOKEN so
+      # the bot's PR actually triggers `check` (PRs opened by GITHUB_TOKEN don't), and instead of
+      # a PAT so there's no token expiry to silently break the weekly run and no tie to a personal
+      # account (the PR comes from the org App's identity). Needs repo variable APP_ID + secret
+      # APP_PRIVATE_KEY; App permissions: Contents RW + Pull requests RW, installed on this repo.
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (Jan 2026)
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 (Mar 2026)
       - name: nix flake update
@@ -27,7 +38,7 @@ jobs:
         id: cpr
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 (Apr 2026)
         with:
-          token: ${{ secrets.PAT }}
+          token: ${{ steps.app-token.outputs.token }}
           commit-message: "flake: update inputs"
           title: "flake: update inputs"
           branch: flake-update/auto
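Review bot: The token minted by the new `create-github-app-token` step inherits every permission the App is granted, so any later widening of the App's permissions silently widens this job; request only what the job actually uses by adding `permission-contents: write` and `permission-pull-requests: write` under its `with:` (the `permission-*` inputs were added in v2 of the action, so they should be available at the pinned v3.2.0 — confirm against the action's README). The step comment should also be honest that `APP_PRIVATE_KEY` remains a long-lived stored secret, and a more powerful one than a repo PAT since it can mint tokens for every installation of the App; the gain is that only the ~1h installation token reaches later steps and the PR, not that no stored credential is left, e.g. `# APP_PRIVATE_KEY is long-lived and can mint tokens for any installation of the App; only the 1h token leaves this step.` Once this lands, the now-unused `PAT` secret should be revoked and removed from the repo settings rather than left orphaned. The `on:` block that decides when this job runs starts above the hunk, so whether any trigger exposes this secret to untrusted inputs cannot be judged from here.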