Skip to content

Use ethyca-cross-repo GitHub App instead of TALOS_READ_TOKEN#7775

Open
daveqnet wants to merge 5 commits intomainfrom
use-cross-repo-app
Open

Use ethyca-cross-repo GitHub App instead of TALOS_READ_TOKEN#7775
daveqnet wants to merge 5 commits intomainfrom
use-cross-repo-app

Conversation

@daveqnet
Copy link
Copy Markdown
Contributor

@daveqnet daveqnet commented Mar 27, 2026

Ticket N/A

Description Of Changes

Replaces the TALOS_READ_TOKEN PAT with a short-lived token from the ethyca-cross-repo GitHub App for checking out the private ethyca/talos repo in the Claude Code Review workflow.

The app is installed on ethyca/talos with contents:read and mints tokens via actions/create-github-app-token@v2. This is part of an org-wide move from PATs to GitHub App tokens for cross-repo access.

After merge: Delete the TALOS_READ_TOKEN repo secret from fides once all consumers are migrated.

Code Changes

  • Added actions/create-github-app-token@v2 step to .github/workflows/claude-code-review.yml
  • Replaced secrets.TALOS_READ_TOKEN with steps.cross-repo-token.outputs.token
  • Updated header comments to reflect new secrets/vars

Steps to Confirm

  1. Open a test PR or re-run the Claude Code Review workflow to verify talos checkout succeeds with the new token

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

@daveqnet
Use ethyca-cross-repo GitHub App instead of TALOS_READ_TOKEN
4083c63 
Replace the PAT-based TALOS_READ_TOKEN with a short-lived token
minted by the ethyca-cross-repo GitHub App. The app is installed
on talos and scoped to contents:read.
@vercel
Copy link
Copy Markdown
Contributor

vercel bot commented Mar 27, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
fides-plus-nightly Ready Ready Preview, Comment Mar 31, 2026 3:25pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
fides-privacy-center Ignored Ignored Mar 31, 2026 3:25pm

Request Review

daveqnet added 4 commits March 27, 2026 16:08
@daveqnet
Pin create-github-app-token to commit SHA
42c1830
@daveqnet
Add changelog entry
9cdbfea
@daveqnet
Scope cross-repo token to ethyca/talos
0a2a488
@daveqnet
Merge main into use-cross-repo-app
4bf518d 
Resolve conflict in claude-code-review.yml: keep ANTHROPIC_API_KEY
from main, replace TALOS_READ_TOKEN with cross-repo app credentials
from this branch.
@daveqnet daveqnet requested a review from adamsachs March 31, 2026 15:21
@daveqnet daveqnet self-assigned this Mar 31, 2026
adamsachs
adamsachs approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@adamsachs adamsachs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamsachs adamsachs adamsachs approved these changes

Assignees

@daveqnet daveqnet

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daveqnet @adamsachs