Skip to content

Auto-PR: fix: replace GitHub App token with PAT for human PR attribution #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
romandidomizio wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Auto-PR: fix: replace GitHub App token with PAT for human PR attribution #7

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 3 additions & 12 deletions .github/workflows/auto-pr-to-main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,25 +19,16 @@ jobs:
create-pr:
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App Token
id: generate-token
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: ${{ github.event.repository.name }}

- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
token: ${{ steps.generate-token.outputs.token }}
token: ${{ secrets.ROMAN_PAT }}
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The naming convention "ROMAN_PAT" creates operational risks by tying infrastructure automation to an individual user account. This violates SOC2 accountability and service continuity best practices:

  1. Single point of failure - If the user "Roman" leaves the organization or their account is disabled, this critical workflow will break
  2. Unclear ownership - Personal naming obscures that this is a shared infrastructure credential
  3. Audit complexity - Makes it harder to track which actions are automated vs manual user actions
  4. Credential rotation challenges - Personal tokens are less frequently rotated than machine tokens

Consider using a service account pattern or GitHub App with a name like "WEOWN_AUTOMATION_APP" or "WORKFLOW_GITHUB_TOKEN" that clearly indicates this is infrastructure automation, not personal activity.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR title states this change is for "human PR attribution" but this contradicts SOC2 compliance requirements which mandate clear separation between automated system actions and human actions for audit trail integrity.

If the goal is to attribute PRs to a specific user for notification or ownership purposes, there are better approaches:

  1. Use GitHub App with proper bot identification, then add human reviewers/approvers
  2. Add metadata in PR description identifying the human owner
  3. Use CODEOWNERS file for automatic reviewer assignment

Blurring the line between automated and human actions makes it harder to:

  • Distinguish automated changes from deliberate human commits during incident response
  • Track who actually reviewed and approved automated changes
  • Maintain SOC2 audit evidence showing proper change management controls

This change appears to reduce rather than improve accountability and traceability.

Copilot generated this review using guidance from repository custom instructions.
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change lacks required documentation mandated by SOC2 change management processes and the coding guidelines. Required documentation is missing:

  1. No CHANGELOG entry - The repository follows "Keep a Changelog" format (per guideline 1000000) and all infrastructure changes require CHANGELOG entries
  2. No security impact assessment - Switching from GitHub App to PAT is a significant security architecture change that requires documented risk analysis
  3. No migration/rollback plan - What happens if this PAT expires or is revoked? How do we roll back?
  4. No justification for breaking SOC2 best practices - The PR description doesn't explain why "human PR attribution" is necessary or worth the security tradeoffs

Before merging, add:

  • CHANGELOG.md entry documenting this change as a breaking security pattern change
  • Architecture Decision Record (ADR) explaining why PAT is preferred over GitHub App
  • Incident response plan for PAT compromise or expiration

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a personal access token (PAT) named "ROMAN_PAT" violates SOC2 access control requirements for machine identity management. GitHub App tokens provide better security through:

  1. Automatic token rotation and expiration - App tokens expire after 1 hour, reducing credential exposure window
  2. Granular permissions - App installations can be scoped to specific repositories with minimal required permissions
  3. Audit trail separation - App actions are clearly distinguished from personal user actions
  4. Service continuity - Not tied to individual user account, preventing disruption if user leaves or loses access
  5. Compliance alignment - SOC2 guideline 1000000 requires "Machine Identity for service accounts" not personal tokens

The previous implementation using GitHub App tokens (actions/create-github-app-token@v1) was the correct approach for automated workflows. Consider reverting this change or providing strong justification for using a PAT instead.

Copilot uses AI. Check for mistakes.

- name: Create Pull Request
id: create-pr
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
GITHUB_TOKEN: ${{ secrets.ROMAN_PAT }}
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The removal of the GitHub App token generation step eliminates important security controls without replacement:

  1. Token scoping removed - The GitHub App was scoped to specific repositories (repositories: ${{ github.event.repository.name }}), but PATs typically have broader access across all user repositories
  2. Permission boundaries lost - The App permissions were explicitly defined at installation time, but PAT permissions are user-level and harder to audit
  3. Automatic expiration removed - App tokens expire after 1 hour, but PATs can have much longer expiration (or never expire for classic PATs)

This increases the security risk surface significantly. If this PAT is compromised, an attacker would have access to all repositories the user can access, for the entire lifetime of the token.

Verify:

  • What is the expiration policy for ROMAN_PAT?
  • What permissions does this PAT have?
  • Is it scoped to only this repository or all repositories?
  • What happens when the token expires - will the workflow silently fail?

Copilot uses AI. Check for mistakes.
run: |
# Get current branch name
BRANCH_NAME="${{ github.ref_name }}"
Expand Down Expand Up @@ -65,7 +56,7 @@ jobs:
FIRST_COMMIT=$(git log --format=%s -1 "$BRANCH_NAME")
fi

# Fallback if no unique commits are found or subject is empty
# Fallback if FIRST_COMMIT is empty
if [ -z "$FIRST_COMMIT" ]; then
# Determine commit count compared to target branch when possible
if git rev-parse --verify "origin/$TARGET_BRANCH" >/dev/null 2>&1; then
Expand Down
Loading