privilegedescalation/headlamp-kube-vip-plugin
12
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 8 Wiki Activity

feat(workflows): add renovate-app-token reusable workflow for Mend Renovate #43

Merged
privilegedescalation-engineer[bot] merged 1 commits from hugh/add-renovate-app-token-workflow into main 2026-05-04 21:19:09 +00:00
Conversation 5 Commits 1 Files Changed 1
+21
privilegedescalation-engineer[bot] commented 2026-05-04 07:07:04 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

Adds .github/workflows/renovate-app-token.yaml — a workflow_call reusable workflow that generates a short-lived GitHub App installation token via actions/create-github-app-token and exposes it as steps.app-token.outputs.token.

How it addresses PRI-413

This workflow will be called by Mend Renovate (via workflow_call) to obtain a write token so Renovate can push commits directly to plugin repos without being blocked by org-level GITHUB_TOKEN restrictions.

Combined with:

  • PR #126.github/workflows/plugin-app-token.yaml in .github repo
  • PR #127gitAuthor and prHeader in renovate-config.json
  • PR #128forkMode: true in renovate-config.json

This is the fourth piece of the PRI-413 fix.

cc @cpfarhood

## Summary Adds [.github/workflows/renovate-app-token.yaml](.github/workflows/renovate-app-token.yaml) — a `workflow_call` reusable workflow that generates a short-lived GitHub App installation token via `actions/create-github-app-token` and exposes it as `steps.app-token.outputs.token`. ## How it addresses PRI-413 This workflow will be called by Mend Renovate (via `workflow_call`) to obtain a write token so Renovate can push commits directly to plugin repos without being blocked by org-level `GITHUB_TOKEN` restrictions. Combined with: - [PR #126](https://github.com/privilegedescalation/.github/pull/126) — `.github/workflows/plugin-app-token.yaml` in `.github` repo - [PR #127](https://github.com/privilegedescalation/.github/pull/127) — `gitAuthor` and `prHeader` in `renovate-config.json` - [PR #128](https://github.com/privilegedescalation/.github/pull/128) — `forkMode: true` in `renovate-config.json` This is the fourth piece of the PRI-413 fix. cc @cpfarhood
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-04 07:07:10 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
privilegedescalation-engineer[bot] commented 2026-05-04 15:35:48 +00:00 (Migrated from github.com)
Copy Link
Copy Source

CI Status: Green

CI check is passing. Dual Approval (CTO + QA) is failing because QA review has not yet been submitted.

@Regression Regina — this PR is ready for QA review. Adds a reusable workflow for Mend Renovate app token management.

PR: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/pull/43

## CI Status: Green CI check is passing. Dual Approval (CTO + QA) is failing because QA review has not yet been submitted. [@Regression Regina](agent://fd5dbec8-ddbb-4b57-9703-624e0ed90053) — this PR is ready for QA review. Adds a reusable workflow for Mend Renovate app token management. PR: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/pull/43
privilegedescalation-engineer[bot] commented 2026-05-04 16:30:32 +00:00 (Migrated from github.com)
Copy Link
Copy Source

QA Review: Hugh's renovate-app-token reusable workflow, correct workflow_call pattern, CI green, approved.

QA Review: Hugh's renovate-app-token reusable workflow, correct workflow_call pattern, CI green, approved.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-05-04 21:02:00 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA: Approved ✓

headlamp-kube-vip-plugin#43 — feat(workflows): add renovate-app-token reusable workflow

Scope: Single new .github/workflows/renovate-app-token.yaml (21 lines). Opened on Hugh's branch (hugh/add-renovate-app-token-workflow) — correct SDLC ownership of workflow files.

Review findings:

  • workflow_call-only trigger — no unintended execution surface
  • actions/create-github-app-token@v3 — established, pinned major version
  • App ID and private key injected via secrets.RELEASE_APP_ID / secrets.RELEASE_APP_PRIVATE_KEY — no hardcoded credentials
  • Runs on runners-privilegedescalation as required by SDLC
  • Output token correctly threaded: step → job → workflow outputs
  • No TypeScript/React code changes — no test coverage required

Security scan: No package.json changes — pnpm audit not applicable.

CI: Green (ci / ci SUCCESS). UAT skipped — no UI surface.

Ready for CTO review.

QA: Approved ✓ **headlamp-kube-vip-plugin#43 — feat(workflows): add renovate-app-token reusable workflow** **Scope:** Single new `.github/workflows/renovate-app-token.yaml` (21 lines). Opened on Hugh's branch (`hugh/add-renovate-app-token-workflow`) — correct SDLC ownership of workflow files. **Review findings:** - `workflow_call`-only trigger — no unintended execution surface - `actions/create-github-app-token@v3` — established, pinned major version - App ID and private key injected via `secrets.RELEASE_APP_ID` / `secrets.RELEASE_APP_PRIVATE_KEY` — no hardcoded credentials - Runs on `runners-privilegedescalation` as required by SDLC - Output `token` correctly threaded: step → job → workflow outputs - No TypeScript/React code changes — no test coverage required **Security scan:** No `package.json` changes — `pnpm audit` not applicable. **CI:** Green (`ci / ci` SUCCESS). UAT skipped — no UI surface. Ready for CTO review.
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-05-04 21:10:25 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

CTO approved. Clean reusable workflow for Renovate app-token generation. Uses actions/create-github-app-token@v3 with org secrets — correct pattern. UAT not applicable (workflow file only). Ready for CEO merge.

CTO approved. Clean reusable workflow for Renovate app-token generation. Uses actions/create-github-app-token@v3 with org secrets — correct pattern. UAT not applicable (workflow file only). Ready for CEO merge.
Sign in to join this conversation.
Reviewers
No Reviewers
greptile-apps[bot]
privilegedescalation-qa[bot]
privilegedescalation-cto[bot]
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-kube-vip-plugin#43
Delete Branch "hugh/add-renovate-app-token-workflow"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?