Summary
Move our automated cross-repo commits and PRs (translation-sync, content-sync, activity-report posting, and similar scheduled automation) off a personal token and onto the existing quantecon-services machine account, using its own dedicated fine-grained PAT (an org secret).
Why
- Attribution accuracy. Today these run under a personal token, so they show up as @mmcky. In the May 2026 activity report that's ~18 translation-sync PRs + ~12 content-sync PRs + maintenance PRs all attributed to a person, which makes it hard to separate human work from automation in our reports. A dedicated bot account fixes this at the source.
- Bus factor / security. Automation shouldn't depend on one maintainer's personal PAT. A machine account gives least-privilege, centrally-rotatable credentials that don't break (or leak personal scope) when an individual's token changes.
- Downstream CI. PRs opened by the default GITHUB_TOKEN don't trigger pull_request workflows; a dedicated account's PAT does — so bot-opened PRs (e.g. the new monthly activity report PR) actually get CI.
Good news
quantecon-services is already a registered GitHub user (created 2016, display name "QuantEcon"). So this is provisioning + wiring, not account creation.
Proposed steps
- Generate a fine-grained PAT on quantecon-services, scoped only to the repos automation writes to, with Contents + Pull requests + Issues = read/write. Set an expiry and a rotation reminder.
- Add quantecon-services to a team with write access to the target repos (and branch-protection bypass where automation pushes directly).
- Store the PAT as an org-level Actions secret (e.g. QUANTECON_SERVICES_PAT) so repos share one credential.
- Migrate the workflows that currently use a personal token to secrets.QUANTECON_SERVICES_PAT:
  - QuantEcon/action-translation consumers (translation-sync into *.fa / *.zh-cn)
  - content-sync workflows (e.g. lecture-dp ← lecture-python-advanced.myst / lecture-python.myst)
  - activity-report posting (QuantEcon/action-activity-report weekly + monthly)
  - any other scheduled automation that pushes/opens PRs
- Revoke the personal PAT once everything is migrated and verified.
Alternative to weigh: a GitHub App
A GitHub App (short-lived installation tokens, no PAT expiry, per-repo install, fine scopes) is the sturdier long-term option and avoids PAT rotation entirely. This issue proposes the PAT path as the simplest first step, but flagging the App as the more robust alternative if we'd rather not manage a long-lived token.
Open questions
- Fine-grained PAT vs GitHub App?
- Org-level secret vs per-repo secrets?
- Does adding quantecon-services as an org member consume a paid seat?
Context: surfaced while reviewing the May 2026 monthly activity report (QuantEcon/action-activity-report), where automated PRs dominate and are all attributed to a single maintainer.
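
An added example, not part of the issue or of any QuantEcon code: one way to verify the migration step before revoking the personal PAT is to scan each workflow file for `secrets.*` references and flag any that are neither the built-in GITHUB_TOKEN nor QUANTECON_SERVICES_PAT. The secret names MAINTAINER_PAT and OLD_PAT, the script post-report.sh and the sample workflow excerpt are hypothetical, constructed for illustration.

```python
import re

# Secret the issue proposes for all cross-repo automation.
TARGET_SECRET = "QUANTECON_SERVICES_PAT"
# Built-in token: PRs opened with it do not trigger pull_request workflows.
BUILTIN = "GITHUB_TOKEN"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed workflow excerpt; MAINTAINER_PAT, OLD_PAT and post-report.sh are hypothetical.
SAMPLE = """\
name: translation-sync
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.MAINTAINER_PAT }}
      # token: ${{ secrets.OLD_PAT }}
      - run: gh pr create --fill
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: ./post-report.sh
        env:
          GH_TOKEN: ${{ secrets.QUANTECON_SERVICES_PAT }}
"""

def audit_workflow(text):
    """Return (line_no, secret_name, status) for every live secrets.* reference."""
    known = {TARGET_SECRET: "migrated", BUILTIN: "builtin"}
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out YAML is not a live credential reference
        for name in SECRET_REF.findall(line):
            # Normalise case before comparing; anything unrecognised needs a human look.
            findings.append((no, name, known.get(name.upper(), "review")))
    return findings

def needs_migration(text):
    """Secret names that are neither the built-in token nor the machine-account PAT."""
    return sorted({name for _, name, status in audit_workflow(text) if status == "review"})
```

A "review" result is not proof of a personal token, since other secrets (API keys, for example) land there too; it is the list a maintainer checks by hand before the revocation step.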