chore: replace maintenance PATs with octavia-bot GitHub App authentication (#748)

aaronsteers · devin-ai-integration[bot] · web-flow · commit f946d410362f · 2025-09-05T12:38:35.000-07:00
Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/autofix-command.yml b/.github/workflows/autofix-command.yml
@@ -27,12 +27,20 @@ jobs:
     runs-on: "${{ matrix.os }}-latest"
     steps:
       # Custom steps to fetch the PR and checkout the code:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte
         uses: actions/checkout@v4
         with:
           # Important that this is set so that CI checks are triggered again
           # Without this we would be forever waiting on required checks to pass
-          token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
 
       - name: Checkout PR (${{ github.event.inputs.pr }})
         uses: dawidd6/action-checkout-pr@v1
diff --git a/.github/workflows/poe-command.yml b/.github/workflows/poe-command.yml
@@ -20,9 +20,17 @@ jobs:
       GCP_GSM_CREDENTIALS: ${{ secrets.GCP_GSM_CREDENTIALS }}
     runs-on: ubuntu-latest
     steps:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Run Poe Slash Command Processor
         uses: aaronsteers/poe-command-processor@v1
         with:
           pr: ${{ github.event.inputs.pr }}
           comment-id: ${{ github.event.inputs.comment-id }}
-          github-token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          github-token: ${{ steps.get-app-token.outputs.token }}
diff --git a/.github/workflows/poetry-lock-command.yml b/.github/workflows/poetry-lock-command.yml
@@ -24,12 +24,20 @@ jobs:
     runs-on: "${{ matrix.os }}-latest"
     steps:
       # Custom steps to fetch the PR and checkout the code:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte
         uses: actions/checkout@v4
         with:
           # Important that this is set so that CI checks are triggered again
           # Without this we would be forever waiting on required checks to pass
-          token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
 
       - name: Checkout PR (${{ github.event.inputs.pr }})
         uses: dawidd6/action-checkout-pr@v1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -358,11 +358,19 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-platform-internal"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Checkout Airbyte Platform Internal
         uses: actions/checkout@v4
         with:
           repository: airbytehq/airbyte-platform-internal
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
       - name: Update Builder's CDK version to ${{ env.VERSION }}
         # PyPI servers aren't immediately updated so we may need to retry a few times.
         uses: nick-fields/retry@v3
@@ -386,7 +394,7 @@ jobs:
         id: create-pull-request
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
           commit-message: "chore: update CDK version following release"
           title: "chore: update CDK version following release"
           body: This is an automatically generated PR triggered by a CDK release
diff --git a/.github/workflows/slash_command_dispatch.yml b/.github/workflows/slash_command_dispatch.yml
@@ -8,14 +8,22 @@ jobs:
   slashCommandDispatch:
     runs-on: ubuntu-24.04
     steps:
+      - name: Authenticate as GitHub App
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte-python-cdk"
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
       - name: Slash Command Dispatch
         id: dispatch
         # TODO: Revert to `peter-evans/slash-command-dispatch@v4` after PR merges:
         # - https://github.com/peter-evans/slash-command-dispatch/pull/372/files
         uses: aaronsteers/slash-command-dispatch@aj/fix/add-dispatched-bool-output
         with:
           repository: ${{ github.repository }}
-          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
+          token: ${{ steps.get-app-token.outputs.token }}
           dispatch-type: workflow
           issue-type: both
 
