chore(ci): use GitHub App token to create Rust toolchain update PR #49
Merged
PRs opened with GITHUB_TOKEN do not trigger CI checks. Switch to the org-level GitHub App token so that CI runs on the auto-created PR.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ractice
- Switch to client-id + PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID (from app-id)
- Bump create-github-app-token to v3.1.1
- Use pr-automation-bot-public[bot] as git committer identity
- Drop explicit permissions block (app token handles it)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Updates the Rust toolchain auto-update workflow to open PRs using a GitHub App token so that CI runs on the generated PRs (instead of being suppressed for PRs created with GITHUB_TOKEN).
Changes:
- Removes job-level `GITHUB_TOKEN` write permissions and introduces a GitHub App token creation step.
- Switches `gh pr create` authentication from `secrets.GITHUB_TOKEN` to the GitHub App token.
- Updates git commit author identity to the GitHub App bot.
Comments suppressed due to low confidence (1)
.github/workflows/update-rust-toolchain.yml:63
`git push origin "$BRANCH" --force` will use the credentials configured by `actions/checkout` (typically the default `GITHUB_TOKEN`), not the GitHub App token you generated for `gh pr create`. If the goal is for the automation to act entirely as the app (and to avoid relying on `GITHUB_TOKEN` write perms), create the app token before checkout and pass it via `actions/checkout`'s `token:` input (or otherwise configure git to use `${{ steps.app-token.outputs.token }}`) so the push is authenticated with the app token as well.
git config user.name "pr-automation-bot-public[bot]"
git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com"
git checkout -b "$BRANCH"
git add rust-toolchain.toml
git commit -m "$TITLE"
git push origin "$BRANCH" --force
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
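The ordering suggested in the suppressed review comment above, sketched as an added example (not the repository's workflow file): the app token is minted before checkout and handed to `actions/checkout`, so `git push` and `gh pr create` both authenticate as the app. The trigger, the `actions/checkout@v4` pin, the `BRANCH`/`TITLE` values, the use of `secrets.` for the client ID, the `permissions: {}` line and the placeholder update step are assumptions.

```yaml
# Added example: layout assumed, not copied from the repository.
name: Update Rust Toolchain
on:
  workflow_dispatch:

# Assumption: nothing below uses GITHUB_TOKEN, so it is given no scopes
# rather than falling back to the repository default.
permissions: {}

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # 1. Mint the app token first so every later step can use it.
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v3.1.1
        with:
          # Assumption: stored as a secret; the page names it but not where it lives.
          client-id: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID }}
          private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}

      # 2. checkout stores this token as the git credential for origin,
      #    so the later `git push` runs as the app, not as GITHUB_TOKEN.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Update rust-toolchain.toml
        run: echo "placeholder - the page does not show this step"

      - name: Commit, push and open PR
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}   # read by the gh CLI
          BRANCH: chore/update-rust-toolchain               # hypothetical value
          TITLE: "chore(toolchain): update Rust"            # hypothetical value
        run: |
          git config user.name "pr-automation-bot-public[bot]"
          git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add rust-toolchain.toml
          git commit -m "$TITLE"
          git push origin "$BRANCH" --force
          gh pr create --title "$TITLE" --body "Automated toolchain update" --head "$BRANCH"
```

With this layout the app installation needs contents and pull-requests write access on the repository, since the workflow's own token carries none.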
adamspofford-dfinity approved these changes May 13, 2026
Summary
- `GITHUB_TOKEN` do not trigger CI checks — a GitHub security restriction to prevent recursive workflow loops.
- `PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID`/`PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY`) when calling `gh pr create`, so CI is triggered on the auto-created PR.

Context
`GITHUB_TOKEN`.

Test plan
- `Update Rust Toolchain` workflow manually once this merges and verify that CI checks run on the resulting PR.
- chore(toolchain): update Rust to 1.95.0 #51 was generated by dispatching the workflow from this PR branch. CI was triggered successfully. The `check-repo-policies / Check Bot Policies` failure there is expected — the workflow was dispatched from this PR branch, so the generated PR includes changes beyond `rust-toolchain.toml`.