From c1b3f1fde7408eff78c472d7f98c340d096cfa3b Mon Sep 17 00:00:00 2001 From: Rafael Garcia Date: Mon, 9 Feb 2026 18:27:01 -0500 Subject: [PATCH 1/2] fix: use kernel-internal GitHub App token in workflows - Add app token generation step using actions/create-github-app-token@v1 - Replace GITHUB_TOKEN/GH_PAT references with app token - Update git identity to kernel-internal[bot] - Add token to checkout action for fix-ci workflow This aligns with the kernel repo's pattern of using the kernel-internal GitHub App for automated commits and releases. --- .github/workflows/fix-ci.yaml | 18 +++++++++++++----- .github/workflows/release.yaml | 9 ++++++++- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/fix-ci.yaml b/.github/workflows/fix-ci.yaml index fe08902..7090ae1 100644 --- a/.github/workflows/fix-ci.yaml +++ b/.github/workflows/fix-ci.yaml @@ -13,14 +13,22 @@ permissions: jobs: attempt-fix: if: >- - ${{ github.event.workflow_run.conclusion == 'failure' && + ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.name != 'Fix CI Failures' }} runs-on: ubuntu-latest steps: + - name: Generate app token + id: app-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.ADMIN_APP_ID }} + private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }} + - name: Checkout repository uses: actions/checkout@v4 with: + token: ${{ steps.app-token.outputs.token }} fetch-depth: 0 - name: Install Cursor CLI @@ -30,8 +38,8 @@ jobs: - name: Configure git identity run: | - git config user.name "Cursor Agent" - git config user.email "cursor-agent@onkernel.com" + git config user.name "kernel-internal[bot]" + git config user.email "260533166+kernel-internal[bot]@users.noreply.github.com" - name: Setup Go uses: actions/setup-go@v5 
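Review bot: The token minted by the new `Generate app token` step in fix-ci.yaml carries every permission the app installation holds on this repository, because the step passes only `app-id` and `private-key`; the workflow-level `permissions:` block constrains `GITHUB_TOKEN` only and has no effect on an app token. This job runs on `workflow_run` after a failed `pull_request` run, so the token is live while content derived from a pull request is being processed, and `actions/checkout` with `token:` keeps it in the checkout's git configuration for the later steps by default. I would narrow it at creation with the action's `permission-<name>` inputs, for example `permission-contents: write` and `permission-pull-requests: write`, adjusted to what the job really needs, since the rest of the job is outside this hunk. The same applies to the `GH_TOKEN` hunk that follows and to the token step added in release.yaml.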
@@ -41,7 +49,7 @@ jobs: - name: Fix CI failure env: CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} BRANCH_PREFIX: ci-fix run: | cursor-agent -p "You are operating in a GitHub Actions runner for the Kernel CLI repository. @@ -79,7 +87,7 @@ jobs: - Example format: \"🔧 CI Fix Available I've pushed a fix for the CI failure. - + 👉 Click here to create a PR with the fix\" - Do NOT include any git merge instructions or manual merge commands - Only include the compare link (e.g., https://github.com/.../compare/...) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8898eae..676b7e9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,6 +13,13 @@ jobs: release: runs-on: ubuntu-latest steps: + - name: Generate app token + id: app-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.ADMIN_APP_ID }} + private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }} + - name: Checkout uses: actions/checkout@v4 with: @@ -43,5 +50,5 @@ jobs: version: '~> v2' args: release --clean env: - GITHUB_TOKEN: ${{ secrets.GH_PAT }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} From 92b320a99a55a846e17ab1485536b5fedd08cd4a Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Mon, 9 Feb 2026 23:59:55 +0000 Subject: [PATCH 2/2] fix: grant app token cross-repo access for homebrew tap The actions/create-github-app-token action scopes tokens to the current repository by default. Since .goreleaser.yaml pushes a homebrew formula to kernel/homebrew-tap, the token needs explicit access to that repo. Add 'repositories: cli,homebrew-tap' to ensure the generated token can access both the current repo (for releases) and the homebrew-tap repo (for formula updates). Applied via @cursor push command --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) 
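Review bot: Pushes made by the `Fix CI failure` step can now start further workflow runs, because `GH_TOKEN` is an app installation token instead of `secrets.GITHUB_TOKEN`; events created with `GITHUB_TOKEN` do not trigger new runs, while events created with an app token do. Commits the agent pushes (presumably to branches under the `ci-fix` prefix) will therefore trigger any `push`-triggered workflows, running code generated from a failed pull-request run. If that is intended, document it above the env entry, e.g. `# app token (not GITHUB_TOKEN) so the agent's pushes trigger CI`, and check that workflows reachable from those branches expose no secrets. The step's `run:` block continues outside this hunk.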
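Review bot: The `Generate app token` step added to release.yaml references `actions/create-github-app-token@v1`, a movable tag, in the very step that receives `ADMIN_APP_PRIVATE_KEY`; whatever code that tag points to at run time sees the app's private key. For a release job I would pin it to a full commit SHA and keep the version as a trailing comment, `uses: actions/create-github-app-token@<full-commit-sha>  # v1.x.y`, letting Dependabot or Renovate move the pin. The identical step added to fix-ci.yaml has the same reference.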
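Review bot: `secrets.GH_PAT` loses its only visible use in the goreleaser `env:` block, but the change does nothing to retire the secret itself. If no other workflow still reads it, the personal access token should be revoked and the repository secret deleted, otherwise a long-lived credential with release rights stays valid after the move to short-lived app tokens. Note also that an installation token expires one hour after it is issued, so the goreleaser step has to finish within that window, counted from the first step of the job.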
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 676b7e9..b4158c9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,6 +19,7 @@ jobs: with: app-id: ${{ secrets.ADMIN_APP_ID }} private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }} + repositories: cli,homebrew-tap - name: Checkout uses: actions/checkout@v4
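Review bot: The new `repositories: cli,homebrew-tap` line has no comment saying why a second repository is listed, so the reason lives only in the commit message. I would add `# homebrew-tap: goreleaser pushes the formula there (see .goreleaser.yaml)` above it. Because `owner` is not set, both names resolve under the current repository's owner, so the app has to be installed on `homebrew-tap` under that owner as well. The step's `name` and `uses` lines are outside this hunk.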