Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions .changeset/fix-ipr-workflow-bot-token.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
---

`ipr-agreement.yml` (adcp's own IPR workflow) now mints an installation
token from the `aao-ipr-bot` GitHub App and uses it for both the checkout's
persisted git credentials and the signature-recording script's API calls.

**Why.** The `IPR signatures` branch ruleset on `main` requires PR + status
checks for direct pushes, with bypass granted to org admins, repo admins,
and the `aao-ipr-bot` App (integration `3500425`). The default
`secrets.GITHUB_TOKEN` authenticates as `github-actions[bot]` (integration
`15368`), which is not in the bypass list. Every push to append to
`signatures/ipr-signatures.json` was being rejected with `GH013:
Repository rule violations`, leaving the `IPR Policy / Signature` commit
status pending and blocking PR merges (#3687, plus earlier signers
backfilled in #3636).

The cross-repo callable workflow `ipr-check-callable.yml` already uses
this App-token pattern — adcp's own per-repo workflow just never got
converted. This brings the two into alignment.

**Secrets required (already configured at the org level).**
`IPR_APP_ID` and `IPR_APP_PRIVATE_KEY`.
18 changes: 17 additions & 1 deletion .github/workflows/ipr-agreement.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,27 @@ jobs:
github.event.issue.pull_request != null &&
contains(github.event.comment.body, 'I have read the IPR Policy'))
steps:
# The default GITHUB_TOKEN authenticates as github-actions[bot], which
# is not in the IPR-signatures ruleset bypass list — pushes to main get
# rejected by branch protection (GH013). The aao-ipr-bot App is in the
# bypass list, so we mint an installation token from it and use that
# for both the checkout's persisted credentials (git push) and the
# script's API calls. Same pattern as ipr-check-callable.yml.
- name: Mint AAO IPR Bot installation token
id: app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.IPR_APP_ID }}
private-key: ${{ secrets.IPR_APP_PRIVATE_KEY }}
owner: adcontextprotocol
repositories: adcp

- name: Checkout default branch
uses: actions/checkout@v6
with:
ref: main
fetch-depth: 1
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true

- name: Setup Node
Expand All @@ -46,5 +62,5 @@ jobs:

- name: Check and record IPR signature
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: node scripts/ipr/check-and-record.mjs
Loading