From b3c4d7520a03836a1b3c891c34b9cb2db0d9a7e7 Mon Sep 17 00:00:00 2001
From: Max Ghenis
Date: Fri, 17 Apr 2026 19:33:24 -0400
Subject: [PATCH] Mint GitHub App token in push workflow

Replace the expired POLICYENGINE_GITHUB org PAT with a short-lived GitHub App token minted via actions/create-github-app-token in the versioning and Deploy jobs, and pass the App token to EndBug/add-and-commit via github_token with fetch: false. Matches the pattern already used in policyengine-core, microdf, policyengine-canada, and policyengine-us.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/push.yaml | 22 ++++++++++++++++-----
 changelog.d/changed/migrate-to-app-token.md | 1 +
 2 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 changelog.d/changed/migrate-to-app-token.md

diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 73ebd43..a05e1db 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -15,10 +15,16 @@ jobs:
 && !(github.event.head_commit.message == 'Update PolicyEngine Nigeria')
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
+ token: ${{ steps.app-token.outputs.token }}
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
@@ -37,6 +43,8 @@ jobs:
 committer_name: Github Actions[bot]
 author_name: Github Actions[bot]
 message: Update PolicyEngine Nigeria
+ github_token: ${{ steps.app-token.outputs.token }}
+ fetch: false
 Test:
 runs-on: ${{ matrix.os }}
 if: |
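Review bot: The new `Generate GitHub App token` step references `actions/create-github-app-token@v1`, a floating major tag; because this step is handed the App private key and mints a write-capable token, it should be pinned to a full commit SHA with a version comment, `uses: actions/create-github-app-token@<full-commit-sha>  # v1`, and the same applies to the identical step in the Deploy hunk at `@@ -86,13 +94,17 @@`. With no `owner`/`repositories` inputs the minted token is scoped to this repository only, which is the right default for the versioning push, but it carries every permission the App installation has; if the action version in use supports the `permission-*` inputs, narrowing it with `permission-contents: write` costs nothing. The push performed later by the add-and-commit step appears to rely on `actions/checkout` persisting this token in `.git/config` (its `persist-credentials` default), so the token stays on the runner for the rest of the job — worth a one-line comment on the checkout step such as `# App token is persisted by checkout so the versioning push below can use it`.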
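Review bot: `fetch: false` on the add-and-commit step (the step's `uses:` line and version are outside the hunk) skips the action's `git fetch` before it commits and pushes, and nothing in the hunk says why; record the reason inline, e.g. `fetch: false  # repo was checked out moments ago with the App token; no refresh needed before the push`, so the next maintainer neither removes it nor copies it blindly. As far as I can tell from the action's documentation, `github_token` is used for its GitHub API calls and not for the push itself, which authenticates with whatever `actions/checkout` persisted; if that matches your reading, a comment on the `github_token` line noting that the push credential is the checkout token would stop the two being confused.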
@@ -86,13 +94,17 @@ jobs:
 (github.repository == 'PolicyEngine/policyengine-ng')
 && (github.event.head_commit.message == 'Update PolicyEngine Nigeria')
 runs-on: ubuntu-latest
- env:
- GH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
+ token: ${{ steps.app-token.outputs.token }}
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
@@ -104,4 +116,4 @@ jobs:
 - name: Update API
 run: python .github/update_api.py
 env:
- GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/changelog.d/changed/migrate-to-app-token.md b/changelog.d/changed/migrate-to-app-token.md
new file mode 100644
index 0000000..9502ffc
--- /dev/null
+++ b/changelog.d/changed/migrate-to-app-token.md
@@ -0,0 +1 @@
+Migrated push workflow from the expired `POLICYENGINE_GITHUB` PAT to a short-lived GitHub App token (`APP_ID` / `APP_PRIVATE_KEY`), so the `versioning` job can push the "Update PolicyEngine Nigeria" commit that triggers Test, Publish, and Deploy. Matches the pattern already used by policyengine-core, policyengine-us, microdf, and policyengine-canada.
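Review bot: The job-level `env: GH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}` is removed from the Deploy job, but only the `Update API` step (hunk `@@ -104,4 +116,4 @@`) gets a replacement, and under the name `GITHUB_TOKEN` rather than `GH_TOKEN`; any step between `Setup Python` and `Update API` that is outside the hunk and calls the `gh` CLI now runs without a token. Please confirm no remaining Deploy step depends on `GH_TOKEN`, and if one does, add it per step from `${{ steps.app-token.outputs.token }}` rather than job-wide, which keeps the App token out of steps that do not need it. The job's `if:` block starts before the hunk, so the full trigger condition is not visible here.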
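Review bot: The `Update API` step now receives a token that, with no `owner`/`repositories` inputs on the `Generate GitHub App token` step, is scoped to this repository only, whereas the org PAT it replaces could reach other repositories; `.github/update_api.py` is not visible here, but if it dispatches to or writes in another repository (the step name hints at an API repo) the call will start failing with a 403/404 once this lands. If cross-repo access is needed, set `repositories:` on the token step to the exact target repository rather than widening to the whole owner, and add a comment on the `GITHUB_TOKEN` line stating which repository the token is expected to reach, e.g. `GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}  # scoped to <target-repo>; set repositories: on the token step`.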