From 314ff8b43182423b84c50b1670b0e10f858f2d98 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Wed, 13 May 2026 18:43:43 +0600
Subject: [PATCH] ci: migrate from PAT to GitHub App token (#565)

* ci: migrate from PAT to GitHub App token
* chore: remove unnecessary declaration of permissions
---
 .github/workflows/bump-trivy.yaml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/bump-trivy.yaml b/.github/workflows/bump-trivy.yaml
index af10aca..a274573 100644
--- a/.github/workflows/bump-trivy.yaml
+++ b/.github/workflows/bump-trivy.yaml
@@ -10,11 +10,11 @@ on:
 run-name: Bump trivy to v${{ inputs.trivy_version }}
+permissions: {}
+
 jobs:
   bump:
     runs-on: ubuntu-2404-2core
-    permissions:
-      contents: read # for actions/checkout
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -42,9 +42,19 @@ jobs:
           BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
         run: make test
+      # Use a GitHub App token because GITHUB_TOKEN does not trigger CI on PRs created by workflows
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ secrets.REPO_TRIVY_ACTION_WRITE_GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.REPO_TRIVY_ACTION_WRITE_GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Create PR
         env:
-          GH_TOKEN: ${{ secrets.TRIVY_ACTION_DEPLOY_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           TRIVY_VERSION: ${{ inputs.trivy_version }}
           REPO: ${{ github.repository }}
           BASE_BRANCH: ${{ github.event.repository.default_branch }}
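Review bot: With `permissions: {}` at the workflow level and the job-level `contents: read` dropped, the checkout step at the end of the first hunk runs with a GITHUB_TOKEN that has no scopes, which presumably only works because the repository is public; that dependency deserves a comment next to the new line, e.g. `permissions: {}  # GITHUB_TOKEN gets no scopes; checkout of this public repo does not need contents: read`. Since the later Create PR step authenticates with the App token instead, the checkout could also set `persist-credentials: false` so the scope-less GITHUB_TOKEN is not written into .git/config; the step's `with:` block continues outside the hunk, so it may already do so.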
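Review bot: The installation token minted by the Generate token step carries every permission the App was granted at install time, because the `with:` block scopes it to a repository (`owner`, `repositories`) but not to permissions; actions/create-github-app-token supports narrowing via `permission-*` inputs, so the step should request only what Create PR needs, e.g. `permission-contents: write` and `permission-pull-requests: write`. The action revokes the token in its post step by default and installation tokens expire after an hour, so the exposure window is short, but least privilege still limits what a compromised later step could do with it. The Create PR step's `run:` body lies outside the hunk, so the exact permissions it needs should be confirmed against it.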