From 09b2bcb4a4956f47fe72fb0a0cb552ee1b407a27 Mon Sep 17 00:00:00 2001
From: home-lab
Date: Thu, 18 Jun 2026 13:16:21 +0200
Subject: [PATCH] chore(ci): use GitHub App token for stack sync workflows
---
 .github/workflows/nightly-stack-sync.yml | 10 +++++++++-
 .github/workflows/renovate-stack-sync.yml | 9 +++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/nightly-stack-sync.yml b/.github/workflows/nightly-stack-sync.yml
index bc3afb5..3487bc5 100644
--- a/.github/workflows/nightly-stack-sync.yml
+++ b/.github/workflows/nightly-stack-sync.yml
@@ -15,11 +15,19 @@ jobs:
 name: Regenerate stacks and open PR if drifted
 runs-on: ubuntu-latest
 steps:
+ - name: Generate app token
+ uses: actions/create-github-app-token@v2
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout dev branch
 uses: actions/checkout@v6
 with:
 ref: dev
 fetch-depth: 0
+ token: ${{ steps.app-token.outputs.token }}
 - name: Set up Python
 uses: actions/setup-python@v6
@@ -60,7 +68,7 @@ jobs:
 if: steps.drift.outputs.drifted == 'true'
 uses: peter-evans/create-pull-request@v8
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 signoff: true
 delete-branch: true
 commit-message: "chore(stacks): nightly regeneration from compose sources"
diff --git a/.github/workflows/renovate-stack-sync.yml b/.github/workflows/renovate-stack-sync.yml
index 664b7a8..98cbbdd 100644
--- a/.github/workflows/renovate-stack-sync.yml
+++ b/.github/workflows/renovate-stack-sync.yml
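Review bot: The `Generate app token` step added in the first hunk of nightly-stack-sync.yml asks for a token without narrowing its permissions, so the token carries every permission granted to the App installation. `actions/create-github-app-token@v2` accepts `permission-<name>` inputs; adding `permission-contents: write` and `permission-pull-requests: write` under `with:` would limit it to what the checkout and pull-request steps appear to need. The identical step in renovate-stack-sync.yml probably needs only `permission-contents: write`. Checkout also keeps the token in the local git configuration by default, where the later Python steps can read it; since the pull-request step is given its own token, `persist-credentials: false` on this checkout is worth testing.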
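Review bot: In the second hunk of nightly-stack-sync.yml, `peter-evans/create-pull-request@v8` now receives a write-capable App token while being referenced by a movable tag, so whoever can move that tag controls code that sees the token. Pin it to a full commit SHA and keep the version as a comment, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v8`. The same applies to `actions/create-github-app-token@v2`, which is handed the App private key in both workflows, and to `stefanzweifel/git-auto-commit-action@v7` in renovate-stack-sync.yml. The step begins outside the hunk, so its `name:` and `id:` are not visible here.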
@@ -13,11 +13,19 @@ jobs:
 if: github.actor == 'renovate[bot]' && github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 steps:
+ - name: Generate app token
+ uses: actions/create-github-app-token@v2
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout Renovate branch
 uses: actions/checkout@v6
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 fetch-depth: 0
+ token: ${{ steps.app-token.outputs.token }}
 - name: Set up Python
 uses: actions/setup-python@v6
@@ -33,5 +41,6 @@ jobs:
 - name: Commit regenerated stacks when drift exists
 uses: stefanzweifel/git-auto-commit-action@v7
 with:
+ token: ${{ steps.app-token.outputs.token }}
 commit_message: "chore(stacks): sync generated stacks for renovate update"
 file_pattern: stacks/*.yml
\ No newline at end of file
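Review bot: With `token:` set on the checkout of `github.event.pull_request.head.ref` (first hunk of renovate-stack-sync.yml), the App token is written into the working copy's git configuration and stays readable by the steps that follow, which presumably run the generation scripts as they exist on the PR branch. The job-level `if:` restricting the run to `renovate[bot]` and same-repository heads is therefore the main safeguard, and deserves a comment saying so, e.g. `# job runs branch code with a write token: keep the renovate[bot] + same-repo guard`. Adding `permission-contents: write` to the `Generate app token` step would bound the impact if that guard is ever loosened. The workflow trigger and the steps that consume the checkout lie outside the hunk.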
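Review bot: The `token:` line added to `stefanzweifel/git-auto-commit-action@v7` in the second hunk is probably ignored; as far as I know that action declares no `token` input and pushes with whatever credentials the preceding checkout persisted. If so, the line only produces an unexpected-input warning and suggests a second credential path that does not exist, while the checkout's `token:` is what actually makes the push use the App identity. Check the `action.yml` of the v7 release and drop the line if the input is not declared there.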