From 5573a9775582c70b6df88ab04844110d9938eed9 Mon Sep 17 00:00:00 2001
From: Aidan Daly
Date: Mon, 11 May 2026 15:28:35 -0400
Subject: [PATCH] chore: replace PAT tokens with GitHub App token

Replace secrets.PAT_TOKEN and secrets.AUTOMATION_ACCOUNT_PAT_TOKEN with short-lived tokens generated by the agentcore-devx-automation GitHub App (ID: 3637953) via actions/create-github-app-token@v1. This improves security by using ephemeral tokens scoped to the installation rather than long-lived personal access tokens. Requires adding repo variable APP_ID=3637953 and repo secret APP_PRIVATE_KEY with the app's RSA private key.
---
 .github/workflows/agent-restricted.yml | 9 ++++++++-
 .github/workflows/ci-failure-issue.yml | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/agent-restricted.yml b/.github/workflows/agent-restricted.yml
index 7a0948861..d229919a4 100644
--- a/.github/workflows/agent-restricted.yml
+++ b/.github/workflows/agent-restricted.yml
@@ -66,6 +66,13 @@ jobs:
 
       - uses: actions/checkout@v6
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run Strands Agent
         uses: ./.github/actions/strands-action
         with:
@@ -78,6 +85,6 @@ jobs:
           agent_runner: ${{ inputs.agent_runner }}
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region: 'us-west-2'
-          pat_token: ${{ secrets.PAT_TOKEN }}
+          pat_token: ${{ steps.app-token.outputs.token }}
         env:
           STRANDS_TOOLS_DIRECTORY: 'true'
diff --git a/.github/workflows/ci-failure-issue.yml b/.github/workflows/ci-failure-issue.yml
index 2114154ba..0cbb430a1 100644
--- a/.github/workflows/ci-failure-issue.yml
+++ b/.github/workflows/ci-failure-issue.yml
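Review bot: The new `Generate GitHub App Token` step hands `secrets.APP_PRIVATE_KEY` to `actions/create-github-app-token@v1`, a mutable major tag, so a retagged or compromised release of that action would run with the app's private key in scope; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/create-github-app-token@<commit-sha>  # v1.x` (placeholder: take the SHA from the action's release). The same unpinned reference is added in ci-failure-issue.yml. Nothing in the `with:` block narrows the token, so it carries every permission the installation holds; consider the action's `repositories` input and, if the pinned version supports them, its `permission-*` inputs so each workflow gets only what it uses. A comment above the step such as `# Installation token: ~1 h lifetime, revoked by the action's post step by default` would record the lifetime change for readers used to the old PAT.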
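Review bot: `pat_token` at the `Run Strands Agent` step now receives an installation token rather than a PAT, so the input name no longer describes what it carries; the input is declared in `./.github/actions/strands-action`, outside this diff, so a rename would have to land there too, or a comment here such as `# short-lived App installation token, not a PAT` should flag the mismatch. Installation tokens expire after about an hour and the token step revokes it when the job ends by default, so if an agent run can exceed that, its later API calls fail mid-run — worth confirming against the agent's typical runtime. The enclosing job starts and ends outside the hunk.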
@@ -19,9 +19,16 @@ jobs:
     permissions:
       issues: write
     steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - uses: actions/github-script@v9
         with:
-          github-token: ${{ secrets.AUTOMATION_ACCOUNT_PAT_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             try {
               const workflowName = context.payload.workflow_run.name;
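Review bot: With `github-script` now authenticating through the app token, the job-level `permissions: issues: write` grants GITHUB_TOKEN a write scope that the visible step no longer uses; if no other step in the job needs it, reduce it to `permissions: {}`, otherwise leave a comment naming the step that still relies on it. The job definition begins above the hunk, so I cannot see whether another step uses GITHUB_TOKEN. The app token has the opposite problem: it is not narrowed at all, so the issue-filing step runs with every permission the installation holds; scoping it to `issues: write` at the token step (via the action's `permission-issues` input, if the pinned version supports it) keeps this job at least as constrained as it was under GITHUB_TOKEN.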