From 1221080ec584db848a419398dc3cba269d6d6d66 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sat, 21 Mar 2026 01:15:00 +0000
Subject: [PATCH] fix: use GitHub App token in ci-health-check for cross-repo
 access

The CI/CD health check uses GITHUB_TOKEN which only has access to
the .github repo. Listing workflow runs across the 6 plugin repos
requires org-wide access, causing all repos to show "WARNING: No
workflow runs found".

Fix: generate a GitHub App token (using RELEASE_APP_ID/RELEASE_APP_PRIVATE_KEY,
same as the release workflow) scoped to the org before running the
health check script. Falls back to GITHUB_TOKEN gracefully via
continue-on-error if the secrets are not yet configured.

Once RELEASE_APP_ID is configured as an org secret (tracked separately),
the health check will produce accurate cross-repo CI data.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci-health-check.yaml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci-health-check.yaml b/.github/workflows/ci-health-check.yaml
index 6a77c94..af5ca48 100644
--- a/.github/workflows/ci-health-check.yaml
+++ b/.github/workflows/ci-health-check.yaml
@@ -12,8 +12,22 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        continue-on-error: true
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: privilegedescalation
+
       - name: Run CI/CD health check
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
         run: |
-          ./.github/scripts/ci-health-check.sh
\ No newline at end of file
+          if [ "${{ steps.app-token.outcome }}" = "success" ]; then
+            echo "Using GitHub App token for cross-repo access"
+          else
+            echo "::warning::RELEASE_APP_ID not configured — using GITHUB_TOKEN. Cross-repo workflow run data will be unavailable. Configure RELEASE_APP_ID org secret to enable full health check."
+          fi
+          ./.github/scripts/ci-health-check.sh