Skip to content

fix(installer): use organization mutation token#20

Merged
OgeonX-Ai merged 2 commits into
mainfrom
codex/use-org-installer-token
Jul 13, 2026
Merged

fix(installer): use organization mutation token#20
OgeonX-Ai merged 2 commits into
mainfrom
codex/use-org-installer-token

Conversation

@OgeonX-Ai

Copy link
Copy Markdown
Contributor

Summary

Align the organization installer with the existing least-privilege cross-repository token contract.

Changes

  • Use ORG_AUTOPILOT_TOKEN for cross-repository installer mutations.
  • Fail before discovery when the required secret is unavailable.

Why

The repository-scoped GITHUB_TOKEN cannot create issues or pull requests in sibling repositories, causing the installer to fail at the first mutation.

Validation

  • python3 tests/validate_workflows.py
  • tests/contract-tests.ps1 via native PowerShell
  • git diff --check

Risks

The repository secret must be provisioned as a GitHub App installation token or fine-grained token with Contents, Issues, and Pull requests write access only to opted-in repositories.

Related

Fixes the authentication boundary exposed by run 29076774066.

Reviewer notes

Review the installer environment binding and fail-fast guard.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6b357c8e60

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

env:
ORG: ${{ vars.ORG }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ORG_AUTOPILOT_TOKEN }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Grant workflow write to the installer token

When ORG_AUTOPILOT_TOKEN is provisioned with the stated least-privilege set of Contents/Issues/Pull requests write, opt-in installs still fail: this job later copies autopilot-create-issue.yml into .github/workflows/ and pushes that branch, and GitHub documents that classic tokens need the workflow scope while fine-grained/App tokens need Workflows(write) to modify files in .github/workflows (https://docs.github.com/en/rest/repos/contents#create-or-update-file-contents). Please include or validate that permission in this token contract, otherwise the new token can pass the fail-fast check but fail at the install push.

Useful? React with 👍 / 👎.

@OgeonX-Ai OgeonX-Ai merged commit 63d4b84 into main Jul 13, 2026
4 checks passed
@OgeonX-Ai OgeonX-Ai deleted the codex/use-org-installer-token branch July 13, 2026 06:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant