From b9cb0b723ce485da0a67675d33880c757b1f42d3 Mon Sep 17 00:00:00 2001 From: Brian O'Kelley Date: Thu, 30 Apr 2026 19:29:33 -0400 Subject: [PATCH] fix(ipr): use aao-ipr-bot App token in ipr-agreement workflow The default GITHUB_TOKEN authenticates as github-actions[bot] (integration 15368), which is not in the IPR-signatures ruleset bypass list. Pushes to main get rejected with GH013, leaving "IPR Policy / Signature" pending on every signing PR (#3687, plus the signers backfilled manually in #3636). The aao-ipr-bot GitHub App (integration 3500425) is in the bypass list and is the same actor the cross-repo callable workflow already uses. Mint an installation token from IPR_APP_ID / IPR_APP_PRIVATE_KEY and use it for both the checkout's persisted credentials (git push) and the script's GitHub API calls. Co-Authored-By: Claude Opus 4.7 (1M context) --- .changeset/fix-ipr-workflow-bot-token.md | 23 +++++++++++++++++++++++ .github/workflows/ipr-agreement.yml | 18 +++++++++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 .changeset/fix-ipr-workflow-bot-token.md diff --git a/.changeset/fix-ipr-workflow-bot-token.md b/.changeset/fix-ipr-workflow-bot-token.md new file mode 100644 index 0000000000..6055042362 --- /dev/null +++ b/.changeset/fix-ipr-workflow-bot-token.md @@ -0,0 +1,23 @@ +--- +--- + +`ipr-agreement.yml` (adcp's own IPR workflow) now mints an installation +token from the `aao-ipr-bot` GitHub App and uses it for both the checkout's +persisted git credentials and the signature-recording script's API calls. + +**Why.** The `IPR signatures` branch ruleset on `main` requires PR + status +checks for direct pushes, with bypass granted to org admins, repo admins, +and the `aao-ipr-bot` App (integration `3500425`). The default +`secrets.GITHUB_TOKEN` authenticates as `github-actions[bot]` (integration +`15368`), which is not in the bypass list. Every push to append to +`signatures/ipr-signatures.json` was being rejected with `GH013: +Repository rule violations`, leaving the `IPR Policy / Signature` commit +status pending and blocking PR merges (#3687, plus earlier signers +backfilled in #3636). + +The cross-repo callable workflow `ipr-check-callable.yml` already uses +this App-token pattern — adcp's own per-repo workflow just never got +converted. This brings the two into alignment. + +**Secrets required (already configured at the org level).** +`IPR_APP_ID` and `IPR_APP_PRIVATE_KEY`. diff --git a/.github/workflows/ipr-agreement.yml b/.github/workflows/ipr-agreement.yml index 44975be02f..707ba59019 100644 --- a/.github/workflows/ipr-agreement.yml +++ b/.github/workflows/ipr-agreement.yml @@ -32,11 +32,27 @@ jobs: github.event.issue.pull_request != null && contains(github.event.comment.body, 'I have read the IPR Policy')) steps: + # The default GITHUB_TOKEN authenticates as github-actions[bot], which + # is not in the IPR-signatures ruleset bypass list — pushes to main get + # rejected by branch protection (GH013). The aao-ipr-bot App is in the + # bypass list, so we mint an installation token from it and use that + # for both the checkout's persisted credentials (git push) and the + # script's API calls. Same pattern as ipr-check-callable.yml. + - name: Mint AAO IPR Bot installation token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ secrets.IPR_APP_ID }} + private-key: ${{ secrets.IPR_APP_PRIVATE_KEY }} + owner: adcontextprotocol + repositories: adcp + - name: Checkout default branch uses: actions/checkout@v6 with: ref: main fetch-depth: 1 + token: ${{ steps.app-token.outputs.token }} persist-credentials: true - name: Setup Node @@ -46,5 +62,5 @@ jobs: - name: Check and record IPR signature env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: node scripts/ipr/check-and-record.mjs