@aaronsteers aaronsteers commented Sep 4, 2025

chore: replace maintenance PATs with octavia-bot GitHub App authentication

Summary

Replaces Personal Access Token (PAT) authentication with octavia-bot GitHub App authentication across 5 workflow files. This change standardizes authentication for PR automation workflows and removes dependency on individual maintenance PATs (GH_PAT_MAINTENANCE_OCTAVIA, GH_PAT_APPROVINGTON_OCTAVIA).

Workflows updated:

  • autofix-command.yml - Auto-fix lint/format issues on PRs
  • poetry-lock-command.yml - Update poetry.lock files
  • slash_command_dispatch.yml - Handle slash commands (/autofix, /test, etc.)
  • poe-command.yml - Run poe tasks via slash commands
  • publish.yml - CDK publishing and Connector Builder updates

Pattern applied: Add GitHub App token generation step using actions/create-github-app-token@v2, then replace PAT usage with ${{ steps.get-app-token.outputs.token }}.

Review & Testing Checklist for Human

  • Verify octavia-bot app permissions - Ensure the GitHub App has all required permissions for PR operations, repository access, and cross-repo operations (especially for publish.yml accessing airbyte-platform-internal)
  • Test slash command workflows - Try /autofix, /poetry-lock, and other slash commands on a test PR to ensure they still work correctly
  • Test publishing workflow - Verify the CDK publishing process and automatic PR creation to Connector Builder still functions
  • Check workflow attribution - Ensure commits/PRs created by these workflows are properly attributed to octavia-bot rather than failing due to auth issues
  • Monitor for rate limiting - Watch for any GitHub API rate limiting issues since we're switching from PATs to App authentication

Notes

This is part of a broader initiative to replace maintenance PATs across all Airbyte repositories with standardized GitHub App authentication for better security and maintainability.

Link to Devin run: https://app.devin.ai/sessions/a0a8897f6d5b4046bf1ebf8866cf1f4e
Requested by: @aaronsteers

Summary by CodeRabbit

  • Chores

    • CI workflows switched from personal access tokens to GitHub App authentication for repository checkout, command dispatch, and PR creation across autofix, slash command, poetry-lock, publish, and related workflows; workflows now obtain and use an app token.
    • Publish workflow now targets the internal repository for automated PRs using the app token.
  • Refactor

    • Standardized authentication flow across workflows for consistent token handling.

…ation

- Replace GH_PAT_MAINTENANCE_OCTAVIA and GH_PAT_APPROVINGTON_OCTAVIA usage across 5 workflow files
- Use octavia-bot for all authentication (OCTAVIA_BOT_APP_ID, OCTAVIA_BOT_PRIVATE_KEY)
- Updated workflows: autofix-command, poetry-lock-command, slash_command_dispatch, poe-command, publish
- Standardize GitHub App token generation pattern across CDK workflows

Co-Authored-By: AJ Steers <[email protected]>
@Copilot Copilot AI review requested due to automatic review settings September 4, 2025 19:45

Original prompt from AJ Steers
Received message in Slack channel #ask-devin-ai:

@Devin - find all instances where the maintenance pat is being used in GitHub workflows across the repos you have checked out. We want to replace all or most with the GitHub App "octavia-bot" which you should find working examples of. Let me review the proposed replacements before you start


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


github-actions bot commented Sep 4, 2025

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1725479526-replace-maintenance-pats#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1725479526-replace-maintenance-pats

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment


@github-actions github-actions bot added the chore label Sep 4, 2025

@Copilot Copilot AI left a comment

Pull Request Overview

This PR replaces Personal Access Token (PAT) authentication with octavia-bot GitHub App authentication across 5 workflow files to standardize authentication for PR automation workflows and remove dependency on individual maintenance PATs.

  • Add GitHub App token generation step using actions/create-github-app-token@v2 to each workflow
  • Replace PAT usage (GH_PAT_MAINTENANCE_OCTAVIA, GH_PAT_APPROVINGTON_OCTAVIA) with GitHub App tokens
  • Ensure proper repository access configuration for cross-repo operations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/slash_command_dispatch.yml: Adds GitHub App authentication for slash command processing
  • .github/workflows/publish.yml: Updates CDK publishing workflow to use GitHub App for cross-repo access to airbyte-platform-internal
  • .github/workflows/poetry-lock-command.yml: Replaces PAT with GitHub App token for poetry lock updates
  • .github/workflows/poe-command.yml: Updates poe task execution to use GitHub App authentication
  • .github/workflows/autofix-command.yml: Switches autofix workflow from PAT to GitHub App token



coderabbitai bot commented Sep 4, 2025

Walkthrough

Replaces Personal Access Token usage with a GitHub App token across multiple GitHub Actions workflows by adding an "Authenticate as GitHub App" step (actions/create-github-app-token@v2) and wiring its output token into checkout, dispatch, command processing, and PR creation steps.

Changes

Cohort: Command workflows, add GitHub App auth and use token
  Files: .github/workflows/autofix-command.yml, .../poe-command.yml, .../poetry-lock-command.yml, .../slash_command_dispatch.yml
  Summary: Added "Authenticate as GitHub App" step (id: get-app-token) using actions/create-github-app-token@v2 (owner: airbytehq, repositories: airbyte-python-cdk); replaced PAT secret usages with ${{ steps.get-app-token.outputs.token }} for checkout/dispatch/command steps.

Cohort: Publish workflow, app auth for internal repo operations
  Files: .github/workflows/publish.yml
  Summary: Added GitHub App auth step scoped to airbyte-platform-internal; replaced GH_PAT_MAINTENANCE_OCTAVIA with ${{ steps.get-app-token.outputs.token }} for checkout and peter-evans/create-pull-request token input; set target repository to airbytehq/airbyte-platform-internal.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Runner as GitHub Actions Runner
  participant AppAuth as actions/create-github-app-token
  participant GitHub as GitHub API
  participant Repo as Target Repo

  Runner->>AppAuth: Request app token (app-id, private-key, owner, repo)
  AppAuth-->>Runner: Installation token
  Runner->>GitHub: Use token for checkout / dispatch / command steps
  GitHub-->>Runner: Operation result
  Note over Runner,GitHub: Pattern applied in autofix, poe, poetry-lock, dispatch workflows
sequenceDiagram
  autonumber
  actor Runner as GitHub Actions Runner (publish.yml)
  participant AppAuth as actions/create-github-app-token
  participant GH as GitHub API
  participant Internal as airbyte-platform-internal

  Runner->>AppAuth: Get app token (scoped to internal repos)
  AppAuth-->>Runner: Token
  Runner->>GH: Checkout `airbyte-platform-internal` with app token
  GH-->>Runner: Repo contents
  Runner->>GH: Create Pull Request (app token)
  GH-->>Runner: PR created/updated
  Note over Runner,GH: PAT replaced by app token for both steps

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

security

Suggested reviewers

  • ChristoGrab
  • dbgold17
  • aaronsteers

Would you like me to also suggest adding a job-level permission block (e.g., contents: write) where the app token is used for PR creation, wdyt?


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ebe6522 and 4cbe1f4.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/publish.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: SDM Docker Image Build
  • GitHub Check: Manifest Server Docker Image Build
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Analyze (python)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/poetry-lock-command.yml (1)

124-129: Push back to contributor forks likely fails without credentials

The remote is added without auth; pushes to forks usually 403 unless the URL embeds a token. Also, the App token won’t have access to contributor forks. Could we push using the workflow GITHUB_TOKEN (with contents: write) instead, wdyt?

-  git remote add contributor https://github.com/${{ steps.pr-info.outputs.repo }}.git
-  git push contributor HEAD:${{ steps.pr-info.outputs.branch }}
+  git remote add contributor https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ steps.pr-info.outputs.repo }}.git
+  git push contributor HEAD:${{ steps.pr-info.outputs.branch }}
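
Review bot: embedding `secrets.GITHUB_TOKEN` in the remote URL does not solve the fork case the comment describes. That token is scoped to the repository running the workflow, so a push to `${{ steps.pr-info.outputs.repo }}` on a contributor's account is still rejected, exactly like the unauthenticated push in the `-` lines. A credential placed in the URL is also written into `.git/config` by `git remote add`, where every later step in the job can read it. The safer shape is to fail fast when the PR head repository differs from the base repository and tell the user to run the command locally, or to push the fix to a branch on the base repository and open a PR from there, rather than adding a fork push that cannot authenticate.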

Also add minimal permissions at top so GITHUB_TOKEN can push:

 name: On-Demand Poetry Lock
+permissions:
+  contents: write
+  pull-requests: write
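
Review bot: a top-level `permissions:` block replaces the default token scopes for every job in the file, not only the push step, so any job that reads `packages`, writes checks, or requests `id-token` would lose that scope. Scope the block to the job that pushes, and drop `pull-requests: write` unless a step actually comments on or edits the PR.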

Would you like me to open a follow-up to validate this path on a forked PR?

.github/workflows/autofix-command.yml (1)

143-148: Same fork-push auth gap here

As with poetry-lock, pushing to contributor without credentials will likely fail, and the App token won’t have fork access. Shall we switch the remote to embed GITHUB_TOKEN and ensure permissions, wdyt?

-  git remote add contributor https://github.com/${{ steps.pr-info.outputs.repo }}.git
-  git push contributor HEAD:${{ steps.pr-info.outputs.branch }}
+  git remote add contributor https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ steps.pr-info.outputs.repo }}.git
+  git push contributor HEAD:${{ steps.pr-info.outputs.branch }}
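
Review bot: same problem as the poetry-lock hunk above: `secrets.GITHUB_TOKEN` cannot push to another account's fork, and a token in the remote URL is persisted in `.git/config`. Treat fork PRs as an explicit unsupported case in the `/autofix` handler instead of embedding a token here.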

And add minimal permissions at top:

 name: On-Demand AutoFix
+permissions:
+  contents: write
+  pull-requests: write

Optionally, set persist-credentials: false on the checkout as in the other workflow.

🧹 Nitpick comments (4)
.github/workflows/poe-command.yml (1)

23-30: Switch to GitHub App token looks good

App auth is wired correctly and the token is plumbed into the processor step. Nice. Would you like to pin actions/create-github-app-token to a commit SHA for supply-chain hardening, wdyt?

-uses: actions/create-github-app-token@v2
+uses: actions/create-github-app-token@c1a1b7b8c8a9f6e2c2f5dbe0f0b9d8ad1b2e3f45  # v2 SHA
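
Review bot: the SHA on the `+` line (`c1a1b7b8c8a9f6e2c2f5dbe0f0b9d8ad1b2e3f45`) is not traceable to any release of actions/create-github-app-token from anything on this page and should be treated as a placeholder, not copied into the workflow. Resolve the pin yourself, for example with `git ls-remote --tags https://github.com/actions/create-github-app-token` for the tag you intend, keep the `# v2` comment so Dependabot or Renovate can bump the pin, and pin `actions/checkout` in the same workflow too, since it is the step that actually receives the token.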

Also applies to: 36-36

.github/workflows/poetry-lock-command.yml (1)

27-34: Good move to App token; consider not persisting credentials

Checkout doesn’t need to persist the App token to git config. Shall we set persist-credentials: false for least privilege, wdyt?

 - uses: actions/checkout@v4
   with:
     # Important that this is set so that CI checks are triggered again
     # Without this we would be forever waiting on required checks to pass
     token: ${{ steps.get-app-token.outputs.token }}
+    persist-credentials: false
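
Review bot: before adding `persist-credentials: false`, check what the later `git push contributor` step in this file relies on. With persistence on, checkout stores the token as an `http.https://github.com/.extraheader` entry in the repository's git config and every later `git push` to a github.com remote, including `contributor`, silently uses it; with persistence off, that push has no credential at all and fails. Pair this change with an explicit token on the push step, or with the fork-PR guard suggested in the 124-129 comment, rather than turning persistence off on its own.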

Also applies to: 40-40

.github/workflows/publish.yml (2)

369-374: Consider not persisting checkout credentials

Since create-pull-request handles auth via its own token input, do we want to set persist-credentials: false on checkout for least privilege, wdyt?

 - uses: actions/checkout@v4
   with:
     repository: airbytehq/airbyte-platform-internal
     token: ${{ steps.get-app-token.outputs.token }}
+    persist-credentials: false

361-368: Pin actions to commit SHAs

For defense-in-depth, shall we pin actions/create-github-app-token and other third-party actions to commit SHAs, wdyt?

-uses: actions/create-github-app-token@v2
+uses: actions/create-github-app-token@<commit-sha>
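
Review bot: `<commit-sha>` is a placeholder to fill in, and the pin matters most for the steps that receive the app token: `actions/checkout` and `peter-evans/create-pull-request` both get `${{ steps.get-app-token.outputs.token }}`, so a compromised tag on either of those exposes write access to airbyte-platform-internal just as much as a compromised `create-github-app-token` would. Pin all three to SHAs with a version comment.
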
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between dd52cfe and dbd2695.

📒 Files selected for processing (5)
  • .github/workflows/autofix-command.yml (1 hunks)
  • .github/workflows/poe-command.yml (1 hunks)
  • .github/workflows/poetry-lock-command.yml (1 hunks)
  • .github/workflows/publish.yml (2 hunks)
  • .github/workflows/slash_command_dispatch.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Manifest Server Docker Image Build
  • GitHub Check: SDM Docker Image Build
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Analyze (python)
🔇 Additional comments (4)
.github/workflows/slash_command_dispatch.yml (2)

11-18: App token step is correct

Owner/repo scoping and secrets look correct for generating the app token. Nice consistency with other workflows.


11-18: Pin the forked action to a commit SHA

Given this uses a fork/branch of slash-command-dispatch, shall we pin to a commit SHA and keep the TODO to revert to upstream once merged, wdyt?

-uses: aaronsteers/slash-command-dispatch@aj/fix/add-dispatched-bool-output
+uses: aaronsteers/slash-command-dispatch@<commit-sha>
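
Review bot: pinning a personal-fork branch is the stronger change here, because a branch on a fork can be rewritten by its owner at any time, but `<commit-sha>` is a placeholder and dropping the branch name loses the only record of what was tested. Write the pin as `@<sha>  # aj/fix/add-dispatched-bool-output` and keep the TODO to return to the upstream action once the change is merged.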

Likely an incorrect or invalid review comment.

.github/workflows/autofix-command.yml (1)

30-37: App token addition and wiring look solid

Auth step and checkout token replacement are consistent with the PR’s objective. Nice.

Also applies to: 43-43

.github/workflows/publish.yml (1)

361-368: App token for airbyte-platform-internal is correctly scoped

Token generation, checkout, and PR creation are all correctly switched to the App token. Looks good.

Also applies to: 373-373, 394-398
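
Added example (not code from this PR, the Airbyte project, or CodeRabbit): a small stdlib-only Python audit that checks workflow text for the migration pattern described in the PR summary above (an app-token step whose `${{ steps.get-app-token.outputs.token }}` output replaces the `GH_PAT_*` secrets) and for the hardening points raised in this review (SHA-pinned actions, `persist-credentials: false` on checkout, a `permissions:` block). The two embedded workflow fragments are constructed samples, the 40-hex pins in the "after" sample are placeholders rather than real commits of those actions, and the rule names and the indentation-based step splitter are this example's own design, not anything the project uses.

```python
# Audit GitHub Actions workflow text for the PAT -> GitHub App migration. Added example,
# not code from the PR or the Airbyte project; stdlib only, the YAML is scanned as text.
import re

PAT_SECRET_RE = re.compile(r"secrets\.(GH_PAT_[A-Z0-9_]+)")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
STEP_ID_RE = re.compile(r"^\s*-?\s*id:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
APP_TOKEN_ACTION = "actions/create-github-app-token"


def split_steps(workflow: str) -> list[str]:
    """Split every `steps:` list into one text chunk per item, using indentation only."""
    steps, lines, i = [], workflow.splitlines(), 0
    while i < len(lines):
        header = re.match(r"^(\s*)steps:\s*$", lines[i])
        i += 1
        if not header:
            continue
        base, item_indent, current = len(header.group(1)), None, []
        # stay inside the list while lines are blank or indented deeper than `steps:`
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > base):
            line = lines[i]
            i += 1
            if not line.strip():
                continue
            indent = len(line) - len(line.lstrip())
            if line.lstrip().startswith("- ") and (item_indent is None or indent == item_indent):
                item_indent = indent  # the first item fixes the list's indentation
                if current:
                    steps.append("\n".join(current))
                current = [line]
            else:
                current.append(line)
        if current:
            steps.append("\n".join(current))
    return steps


def audit_workflow(workflow: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings: pat-secret, no-permissions-block, unpinned-action,
    persisted-token (checkout keeps its token in .git/config) and unused-app-token."""
    findings = [("pat-secret", s) for s in sorted(set(PAT_SECRET_RE.findall(workflow)))]
    if not re.search(r"^permissions:", workflow, re.MULTILINE):
        findings.append(("no-permissions-block", "add a top-level permissions: block with minimum scopes"))
    app_step_ids = []
    for step in split_steps(workflow):
        uses = USES_RE.search(step)
        if not uses or "@" not in uses.group(1):
            continue  # a `run:` step or a local ./path action: nothing to pin
        action, ref = uses.group(1).rsplit("@", 1)
        if not SHA_RE.match(ref):
            findings.append(("unpinned-action", f"{action}@{ref}"))
        if action == APP_TOKEN_ACTION:
            step_id = STEP_ID_RE.search(step)
            app_step_ids.append(step_id.group(1) if step_id else None)
        if action == "actions/checkout" and re.search(r"^\s*token:", step, re.MULTILINE) and not re.search(
                r"^\s*persist-credentials:\s*false\b", step, re.MULTILINE):
            findings.append(("persisted-token", "checkout writes its token to .git/config for later steps"))
    for step_id in app_step_ids:  # an app token nothing consumes marks a half-finished migration
        if step_id is None or f"steps.{step_id}.outputs.token" not in workflow:
            findings.append(("unused-app-token", f"step id={step_id!r} output is never referenced"))
    return findings


# Constructed "before" fragment: PAT checkout, no permissions block, tag-pinned action.
PAT_WORKFLOW = """\
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT_MAINTENANCE_OCTAVIA }}
      - run: poe fix-and-test
"""

# Constructed "after" fragment: the PR's app-token pattern plus the review's hardening points.
# The 40-hex pins are PLACEHOLDERS, not real commits of those actions.
APP_WORKFLOW = """\
permissions:
  contents: read
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - id: get-app-token
        uses: actions/create-github-app-token@0123456789abcdef0123456789abcdef01234567  # v2 (placeholder)
        with:
          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
          owner: airbytehq
          repositories: airbyte-python-cdk
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
        with:
          token: ${{ steps.get-app-token.outputs.token }}
          persist-credentials: false
      - run: poe fix-and-test
"""

if __name__ == "__main__":
    for label, text in (("PAT-based", PAT_WORKFLOW), ("App-based", APP_WORKFLOW)):
        print(label, audit_workflow(text) or "clean")
```

Running the file prints the four findings for the PAT-based sample and `clean` for the app-based one; pointed at real files (`audit_workflow(Path(p).read_text())`) it gives a quick regression check for the items the PR's checklist asks a human to verify. The step splitter only understands indentation, so anything beyond a spot check should feed a real YAML parser instead.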

- GitHub App token needs access to both airbyte-platform-internal and airbyte-python-cdk
- Addresses GitHub PR comment feedback about repository scope requirements
- Workflow checks out current repo and creates PRs in airbyte-platform-internal

Co-Authored-By: AJ Steers <[email protected]>

github-actions bot commented Sep 4, 2025

PyTest Results (Fast)

  3 752 tests ±0    3 740 ✅ passed ±0    12 💤 skipped ±0    0 ❌ failed ±0
  1 suites ±0       1 files ±0            6m 25s ⏱️ +2s

Results for commit 4cbe1f4. ± Comparison against base commit dd52cfe.


… repository reference to create-pull-request step

Addresses @aaronsteers feedback:
- Remove airbyte-python-cdk from GitHub App authentication repositories scope
- Add explicit repository parameter to create-pull-request step for airbyte-platform-internal

Co-Authored-By: AJ Steers <[email protected]>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

370-374: Minor hardening: avoid persisting checkout credentials?

To reduce credential bleed between steps, would you add persist-credentials: false on checkout and let create-pull-request inject its own token, wdyt?

       - name: Checkout Airbyte Platform Internal
         uses: actions/checkout@v4
         with:
           repository: airbytehq/airbyte-platform-internal
+          persist-credentials: false
           token: ${{ steps.get-app-token.outputs.token }}
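
Review bot: the added line is fine, but the actionlint result lower in this review (398-398) is the more important finding for this file: `peter-evans/create-pull-request@v7` has no `repository` input, so that key only produces an unexpected-input warning at run time, and the action takes its target from the checked-out working tree instead. The checkout of `airbytehq/airbyte-platform-internal` in this hunk already selects the target repository, so drop the unknown input rather than rely on it.
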
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7d1888d and ebe6522.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/publish.yml

398-398: input "repository" is not defined in action "peter-evans/create-pull-request@v7". available inputs are "add-paths", "assignees", "author", "base", "body", "body-path", "branch", "branch-suffix", "branch-token", "commit-message", "committer", "delete-branch", "draft", "labels", "maintainer-can-modify", "milestone", "path", "push-to-fork", "reviewers", "sign-commits", "signoff", "team-reviewers", "title", "token"

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: SDM Docker Image Build
  • GitHub Check: Manifest Server Docker Image Build
  • GitHub Check: Pytest (Fast)
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

361-368: App token step looks correct; please confirm repo perms.

Token scoping to airbyte-platform-internal is good. Can you double-check the Octavia app has at least contents:write and pull_requests:write on that repo so PR creation/push won’t 403, wdyt?


@pedroslopez pedroslopez left a comment

Looks good to me!

@aaronsteers aaronsteers merged commit f946d41 into main Sep 5, 2025
22 checks passed
@aaronsteers aaronsteers deleted the devin/1725479526-replace-maintenance-pats branch September 5, 2025 19:38