
Commit 9672fc7

committed
feat: support github app cross-repo token
1 parent a1c964d commit 9672fc7

2 files changed

Lines changed: 44 additions & 6 deletions


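--- a/.github/workflows/monthly_optimization_planner.yml
+++ b/.github/workflows/monthly_optimization_planner.yml
@@ -26,6 +26,38 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v6
 
+- name: Create GitHub App token for cross-repo access
+id: cross_repo_app_token
+if: vars.CROSS_REPO_GITHUB_APP_ID != '' && secrets.CROSS_REPO_GITHUB_APP_PRIVATE_KEY != ''
+uses: actions/create-github-app-token@v2
+with:
+app-id: ${{ vars.CROSS_REPO_GITHUB_APP_ID }}
+private-key: ${{ secrets.CROSS_REPO_GITHUB_APP_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+repositories: |
+CryptoLeaderRotation
+BinancePlatform
+CryptoStrategies
+permission-actions: write
+permission-issues: write
+
+- name: Resolve cross-repo access token
+id: cross_repo_token
+env:
+APP_TOKEN: ${{ steps.cross_repo_app_token.outputs.token }}
+FALLBACK_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+run: |
+if [ -n "$APP_TOKEN" ]; then
+echo "token=$APP_TOKEN" >> "$GITHUB_OUTPUT"
+echo "source=github_app" >> "$GITHUB_OUTPUT"
+elif [ -n "$FALLBACK_TOKEN" ]; then
+echo "token=$FALLBACK_TOKEN" >> "$GITHUB_OUTPUT"
+echo "source=personal_access_token" >> "$GITHUB_OUTPUT"
+else
+echo "Missing cross-repo credentials. Configure GitHub App secrets or CROSS_REPO_GITHUB_TOKEN." >&2
+exit 1
+fi
+
 - name: Download upstream AI review artifact
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -37,7 +69,7 @@ jobs:
 
 - name: Download downstream AI review artifact
 env:
-GH_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+GH_TOKEN: ${{ steps.cross_repo_token.outputs.token }}
 run: |
 mkdir -p data/input/downstream
 gh run download "${{ inputs.downstream_run_id }}" \
@@ -126,7 +158,7 @@ jobs:
 --output-file data/output/monthly_optimization/fanout/crypto_strategies.json \
 --allow-permission-skip
 env:
-GITHUB_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ steps.cross_repo_token.outputs.token }}
 
 - name: Fan out BinancePlatform task issue
 run: |
@@ -138,7 +170,7 @@ jobs:
 --output-file data/output/monthly_optimization/fanout/binance_platform.json \
 --allow-permission-skip
 env:
-GITHUB_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ steps.cross_repo_token.outputs.token }}
 
 - name: Append fanout summary
 run: |
@@ -215,7 +247,7 @@ jobs:
 - name: Best-effort label BinancePlatform issue for experiment validation
 if: steps.downstream_experiment_target.outputs.should_dispatch == 'true'
 env:
-GH_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+GH_TOKEN: ${{ steps.cross_repo_token.outputs.token }}
 TARGET_REPO: ${{ inputs.downstream_repo }}
 ISSUE_NUMBER: ${{ steps.downstream_experiment_target.outputs.issue_number }}
 run: |
@@ -232,7 +264,7 @@ jobs:
 - name: Dispatch BinancePlatform experiment validation
 if: steps.downstream_experiment_target.outputs.should_dispatch == 'true'
 env:
-GH_TOKEN: ${{ secrets.CROSS_REPO_GITHUB_TOKEN }}
+GH_TOKEN: ${{ steps.cross_repo_token.outputs.token }}
 run: |
 set +e
 gh workflow run experiment_validation.yml \
@@ -241,7 +273,7 @@ jobs:
 status=$?
 set -e
 if [ "$status" -ne 0 ]; then
-echo "Downstream experiment validation dispatch skipped: CROSS_REPO_GITHUB_TOKEN likely needs Actions write on ${{ inputs.downstream_repo }}." >> "$GITHUB_STEP_SUMMARY"
+echo "Downstream experiment validation dispatch skipped: ${{ steps.cross_repo_token.outputs.source }} token likely needs Actions write on ${{ inputs.downstream_repo }}." >> "$GITHUB_STEP_SUMMARY"
 fi
 
 - name: Upload planner artifact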
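Review bot: The step-level `if:` on the new "Create GitHub App token for cross-repo access" step reads `secrets.CROSS_REPO_GITHUB_APP_PRIVATE_KEY`, but GitHub documents that the `secrets` context cannot be referenced in `if:` conditionals, so this expression is expected to fail workflow validation instead of falling through to the PAT path. Expose only the presence of the key as a job-level env value, e.g. `HAS_CROSS_REPO_APP_KEY: ${{ secrets.CROSS_REPO_GITHUB_APP_PRIVATE_KEY != '' }}`, and gate the step with `if: vars.CROSS_REPO_GITHUB_APP_ID != '' && env.HAS_CROSS_REPO_APP_KEY == 'true'`. Because this step is handed the App private key, `actions/create-github-app-token@v2` should also be pinned to a full commit SHA (`uses: actions/create-github-app-token@<full-commit-sha> # v2`) rather than a movable tag. The job's own `env:` block is outside the hunk, so where the new variable belongs has to be confirmed against the full file.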

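--- a/tests/test_monthly_optimization_planner_workflow_config.py
+++ b/tests/test_monthly_optimization_planner_workflow_config.py
@@ -18,6 +18,12 @@ def test_planner_workflow_downloads_artifacts_posts_issue_and_fans_out_tasks(sel
 self.assertIn("downstream_repo:", workflow)
 self.assertIn("actions: write", workflow)
 self.assertIn("CROSS_REPO_GITHUB_TOKEN", workflow)
+self.assertIn("CROSS_REPO_GITHUB_APP_PRIVATE_KEY", workflow)
+self.assertIn("CROSS_REPO_GITHUB_APP_ID", workflow)
+self.assertIn("actions/create-github-app-token@v2", workflow)
+self.assertIn("Resolve cross-repo access token", workflow)
+self.assertIn("source=github_app", workflow)
+self.assertIn("source=personal_access_token", workflow)
 self.assertIn("gh run download", workflow)
 self.assertIn("Resolve downloaded artifact paths", workflow)
 self.assertIn("Prepare upstream review payload", workflow)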
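Review bot: The added assertions check only that the new identifiers appear somewhere in the workflow text, so nothing here pins how the App token is scoped. If the `repositories:` list or the `permission-actions: write` / `permission-issues: write` inputs were later removed, these tests would still pass, while the action's documented default is a token covering every repository in the owner's installation with all of the installation's permissions. Consider adding `self.assertIn("permission-actions: write", workflow)`, `self.assertIn("permission-issues: write", workflow)` and an assertion on the three names under `repositories:`. The existing `assertIn("actions: write", workflow)` is also a substring of `permission-actions: write`, so it no longer uniquely checks whatever it originally targeted. The test method begins and ends outside the hunk.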
