From 807be5d704af171c3c2a614a4aa8ff147c6e332b Mon Sep 17 00:00:00 2001
From: Max Ghenis
Date: Fri, 17 Apr 2026 19:46:04 -0400
Subject: [PATCH] Mint GitHub App token in versioning workflow
Replace the expired POLICYENGINE_GITHUB PAT with a short-lived token minted via actions/create-github-app-token@v1 using org-level APP_ID and APP_PRIVATE_KEY. Matches the pattern already used by microdf, policyengine-core, and policyengine-us. Also pass the app token to EndBug/add-and-commit and disable its pre-commit fetch so the auto-generated "Update package version" commit pushes successfully and triggers the downstream PyPI publish.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/versioning.yaml | 10 +++++++++-
 changelog.d/migrate-to-app-token.fixed.md | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/migrate-to-app-token.fixed.md
diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index 5df2b1f..d128e17 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -16,10 +16,16 @@ jobs:
 if: |
 (!(github.event.head_commit.message == 'Update package version'))
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
+ token: ${{ steps.app-token.outputs.token }}
 fetch-depth: 0
 - name: Setup Python
 uses: actions/setup-python@v5
@@ -35,6 +41,8 @@ jobs:
 with:
 add: "."
 message: Update package version
+ github_token: ${{ steps.app-token.outputs.token }}
+ fetch: false
 publish-to-pypi:
 name: Publish to PyPI
 if: (github.event.head_commit.message == 'Update package version')
diff --git a/changelog.d/migrate-to-app-token.fixed.md b/changelog.d/migrate-to-app-token.fixed.md
new file mode 100644
index 0000000..2f5807c
--- /dev/null
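Review bot: The new `Generate GitHub App token` step hands `secrets.APP_PRIVATE_KEY` to an action referenced by the movable tag `@v1`, so whatever commit that tag points to at run time receives the org-level key; pin it to a full commit SHA, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1` (placeholder, take the SHA from the release that was reviewed). With no permission inputs set, the minted token carries every permission the App installation has; if the pinned release supports the action's `permission-*` inputs, adding `permission-contents: write` under `with:` would limit it to what the version commit needs. Because `actions/checkout` persists the `token:` it is given unless `persist-credentials: false` is set, the steps that follow the checkout (Setup Python and the rest of the job, which continues outside the hunk) run with that write credential in the local git config, so they deserve the same pinning scrutiny.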
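Review bot: `github_token` in this hunk hands a write-capable App token to a third-party action, and the step's `uses:` line sits above the hunk, so it is not visible whether EndBug/add-and-commit is pinned to a commit SHA; that should be confirmed before this token is passed to it. As far as I recall, that action's README describes `github_token` as used for GitHub API requests rather than for the push itself, in which case the push succeeds through the credential persisted by the checkout step and this input may be unnecessary. If it is kept, a comment such as `# App token, not GITHUB_TOKEN: pushes made with GITHUB_TOKEN do not trigger the publish-to-pypi run` above `github_token:` would record why the default token is not used.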
+++ b/changelog.d/migrate-to-app-token.fixed.md
@@ -0,0 +1 @@
+Migrated versioning workflow from expired `POLICYENGINE_GITHUB` PAT to a short-lived GitHub App token, matching the pattern used by `policyengine-us`, `policyengine-core`, and `microdf`.