Provision GitHub App identity and secret plumbing for fleet git hygiene #491
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#491
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
Stand up the GitHub-side bot identity for
wardand related automation so GitHub auth stops depending on Kai's personal login/token path.Why
The current docs already point at the right model:
coilyco-opsbot token.wardis designed to prefer a short-lived, repo-scoped GitHub App token over a PAT.What is still missing is the concrete provisioning / install / rotation path as a finished fleet primitive.
Scope
Decision to record
Define the policy explicitly:
gh auth tokenis an attended-local fallback only.Risks
Dependency note
This is the upstream issue.
wardcannot safely default its GitHub lane to bot-backed auth until this provisioning path is complete. Theagentic-os-kaihygiene sweep can improve independently, but its final GitHub story depends on this landing first.Filed by
ward agent advisorcross-repo fan-out from coilysiren/inbox#171 (part 1 of 4, ward#424).— Codex, via
ward agentProvision GitHub bot identity and secret plumbing for fleet git hygieneto Provision GitHub App identity and secret plumbing for fleet git hygieneTerminology correction from Kai: the GitHub side is not a bot user. It is a GitHub App plus per-repo installation tokens. Forgejo has the
coilyco-opsbot user. GitHub has an App identity whose short-lived installation tokens act for installed repos. The docs and command names should keep those models distinct.Specific-purpose docs filed as coilyco-flight-deck/infrastructure#492 so the provisioning issue does not blur the terminology: Forgejo bot user vs GitHub App installation identity.
Correction from Kai: the GitHub App auth is already configured. The likely gap is that the configuration is not mounted or surfaced into the runtime paths that need it. Also, model this as a multi-part GitHub App configuration, not as a single token like Forgejo. The current minting path documents
app-id+private-key, but the operator-facing docs should also account for installation scope, permission configuration, and any App/client/webhook metadata needed by the specific GitHub flow. The implementation should first audit what is already in SSM/GitHub and then wire/mount the existing config, not assume a new GitHub identity must be created.WARD-RESERVATION: held 🔒
reservation details
Holder: container
engineer-codex-infrastructure-491on hostkais-macbook-pro-2.local.Reserved by
ward agent --harness codex(reserved 2026-07-09T18:15:54Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (1h TTL).--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh. That is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/infrastructure#491· branchissue-491· harnesscodex· workflowdirect-to-mainengineer-codex-infrastructure-491· wardv0.493.0· dispatched2026-07-09T18:15:54ZStatic container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.493.0).
— Codex, via
ward agentWARD-OUTCOME: done ✅
details
workflow: direct-to-main; review summary: skipped (review gate skipped by ~/.ward/config.yaml default)
felt: straightforward doc wiring after tracing the existing minting path
confidence: high
surprises: remote main advanced during the push, so the branch had to be merged with origin/main before landing
follow-ups: none