Auto-PR: fix: replace GitHub App token with PAT for human PR attribution #7
base: main
- Removed GitHub App token generation step
- Use ROMAN_PAT secret for both checkout and gh CLI
- PRs will now show romandidomizio as author (not bot)
- Enables Copilot auto-review on automated PRs

Relates to: PR attribution issue causing Copilot review failures
Pull request overview
This PR replaces GitHub App token authentication with a personal access token (PAT) in the automated pull request workflow. The stated purpose is to enable "human PR attribution" - attributing automated PRs to a specific user rather than a bot.
Changes:
- Removed GitHub App token generation step (11 lines removed)
- Replaced GitHub App token with personal access token ROMAN_PAT in checkout and PR creation steps
- Updated inline comment to clarify fallback behavior
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ steps.generate-token.outputs.token }} | ||
| token: ${{ secrets.ROMAN_PAT }} |
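Review bot: On the changed token line of the checkout step, the credential that ends up in the runner's local git configuration is now a long-lived PAT, because actions/checkout (which the fetch-depth and token inputs indicate this step is) keeps the supplied token in the checked-out repository's git config unless persist-credentials is set to false. If no later step pushes with git, add persist-credentials: false under with:; if one does, note in a comment which step needs the persisted credential so that every other step in the job is not assumed to need it.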
Copilot
AI
Feb 4, 2026
The naming convention "ROMAN_PAT" creates operational risks by tying infrastructure automation to an individual user account. This violates SOC2 accountability and service continuity best practices:
- Single point of failure - If the user "Roman" leaves the organization or their account is disabled, this critical workflow will break
- Unclear ownership - Personal naming obscures that this is a shared infrastructure credential
- Audit complexity - Makes it harder to track which actions are automated vs manual user actions
- Credential rotation challenges - Personal tokens are less frequently rotated than machine tokens
Consider using a service account pattern or GitHub App with a name like "WEOWN_AUTOMATION_APP" or "WORKFLOW_GITHUB_TOKEN" that clearly indicates this is infrastructure automation, not personal activity.
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ steps.generate-token.outputs.token }} | ||
| token: ${{ secrets.ROMAN_PAT }} |
Copilot
AI
Feb 4, 2026
The PR title states this change is for "human PR attribution" but this contradicts SOC2 compliance requirements which mandate clear separation between automated system actions and human actions for audit trail integrity.
If the goal is to attribute PRs to a specific user for notification or ownership purposes, there are better approaches:
- Use GitHub App with proper bot identification, then add human reviewers/approvers
- Add metadata in PR description identifying the human owner
- Use CODEOWNERS file for automatic reviewer assignment
Blurring the line between automated and human actions makes it harder to:
- Distinguish automated changes from deliberate human commits during incident response
- Track who actually reviewed and approved automated changes
- Maintain SOC2 audit evidence showing proper change management controls
This change appears to reduce rather than improve accountability and traceability.
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ steps.generate-token.outputs.token }} | ||
| token: ${{ secrets.ROMAN_PAT }} |
Copilot
AI
Feb 4, 2026
This change lacks required documentation mandated by SOC2 change management processes and the coding guidelines. Required documentation is missing:
- No CHANGELOG entry - The repository follows "Keep a Changelog" format (per guideline 1000000) and all infrastructure changes require CHANGELOG entries
- No security impact assessment - Switching from GitHub App to PAT is a significant security architecture change that requires documented risk analysis
- No migration/rollback plan - What happens if this PAT expires or is revoked? How do we roll back?
- No justification for breaking SOC2 best practices - The PR description doesn't explain why "human PR attribution" is necessary or worth the security tradeoffs
Before merging, add:
- CHANGELOG.md entry documenting this change as a breaking security pattern change
- Architecture Decision Record (ADR) explaining why PAT is preferred over GitHub App
- Incident response plan for PAT compromise or expiration
| id: create-pr | ||
| env: | ||
| GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | ||
| GITHUB_TOKEN: ${{ secrets.ROMAN_PAT }} |
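Review bot: In the env block of the create-pr step, the PAT is exported under the name GITHUB_TOKEN, the same name Actions uses for the workflow's built-in token, so a reader of the step cannot tell which credential gh is running with. Export it as GH_TOKEN, which gh reads ahead of GITHUB_TOKEN, and add a check before the gh call that fails with a clear message when secrets.ROMAN_PAT is empty, since an unset secret expands to an empty string rather than stopping the workflow.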
Copilot
AI
Feb 4, 2026
The removal of the GitHub App token generation step eliminates important security controls without replacement:
- Token scoping removed - The GitHub App was scoped to specific repositories (repositories: ${{ github.event.repository.name }}), but PATs typically have broader access across all user repositories
- Permission boundaries lost - The App permissions were explicitly defined at installation time, but PAT permissions are user-level and harder to audit
- Automatic expiration removed - App tokens expire after 1 hour, but PATs can have much longer expiration (or never expire for classic PATs)
This increases the security risk surface significantly. If this PAT is compromised, an attacker would have access to all repositories the user can access, for the entire lifetime of the token.
Verify:
- What is the expiration policy for ROMAN_PAT?
- What permissions does this PAT have?
- Is it scoped to only this repository or all repositories?
- What happens when the token expires - will the workflow silently fail?
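The expiration and scope questions in the comment above can be answered from the token's own API responses. As an added example (not part of the review or the repository), this script reads the response headers of an authenticated GitHub API call and flags a token with no expiry or with classic scopes that reach beyond one repository. It assumes GitHub's github-authentication-token-expiration and x-oauth-scopes response headers; the function names and sample headers are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the repository's code. Input: raw response headers from
# an authenticated GitHub API call made with the token under review, e.g.
#   curl -sI -H "Authorization: Bearer $TOKEN" https://api.github.com/user

# Print the value of header $1 (case-insensitive) from headers on stdin.
header_value() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    {
      i = index($0, ":"); if (i == 0) next   # status line has no colon
      if (tolower(substr($0, 1, i - 1)) == tolower(want)) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# Print one finding per line for the header block in $1, or "ok" if none.
audit_token_headers() {
  ath_expiry=$(printf '%s\n' "$1" | header_value github-authentication-token-expiration)
  ath_scopes=$(printf '%s\n' "$1" | header_value x-oauth-scopes)
  ath_findings=""

  # No expiration header: the token has no expiry date set.
  if [ -z "$ath_expiry" ]; then
    ath_findings="${ath_findings}no-expiry\n"
  fi

  # Classic PAT scopes that reach beyond a single repository.
  for ath_scope in $(printf '%s' "$ath_scopes" | tr ',' ' '); do
    case "$ath_scope" in
      repo|admin:org|delete_repo)
        ath_findings="${ath_findings}broad-scope:${ath_scope}\n" ;;
    esac
  done

  if [ -z "$ath_findings" ]; then
    echo ok
  else
    printf '%b' "$ath_findings"
  fi
}

# Constructed sample responses (not captured from a real account).
CLASSIC_PAT_HEADERS=$(printf 'HTTP/2 200\r\nx-oauth-scopes: repo, workflow\r\n')
EXPIRING_HEADERS=$(printf 'HTTP/2 200\r\ngithub-authentication-token-expiration: 2026-03-01 12:00:00 UTC\r\nx-oauth-scopes: \r\n')

audit_token_headers "$CLASSIC_PAT_HEADERS"
```

A fine-grained PAT reports no scopes in x-oauth-scopes, so an "ok" result says nothing about its repository access, which still has to be checked in the token's settings.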
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ steps.generate-token.outputs.token }} | ||
| token: ${{ secrets.ROMAN_PAT }} |
Copilot
AI
Feb 4, 2026
Using a personal access token (PAT) named "ROMAN_PAT" violates SOC2 access control requirements for machine identity management. GitHub App tokens provide better security through:
- Automatic token rotation and expiration - App tokens expire after 1 hour, reducing credential exposure window
- Granular permissions - App installations can be scoped to specific repositories with minimal required permissions
- Audit trail separation - App actions are clearly distinguished from personal user actions
- Service continuity - Not tied to individual user account, preventing disruption if user leaves or loses access
- Compliance alignment - SOC2 guideline 1000000 requires "Machine Identity for service accounts" not personal tokens
The previous implementation using GitHub App tokens (actions/create-github-app-token@v1) was the correct approach for automated workflows. Consider reverting this change or providing strong justification for using a PAT instead.
@romandidomizio I've opened a new pull request, #8, to work on those changes. Once the pull request is ready, I'll request review from you.
🤖 Automated Pull Request
📋 Human-in-the-Loop Review Checklist
Review the following before approving this PR:
Security & Compliance
Code Quality & Testing
Documentation & Versioning
Infrastructure & DevOps
📝 Recent Commits
1e7d368 fix: replace GitHub App token with PAT for human PR attribution
🔍 Copilot AI Review: Automated compliance and security validation will run on this PR.
📚 Guidelines: See .github/copilot-instructions.md for complete review criteria.
Auto-generated by .github/workflows/auto-pr-to-main.yml