From c783c46b2a38a3e99b0e33e8fe61223a90c219a9 Mon Sep 17 00:00:00 2001
From: jae beller
Date: Fri, 10 Apr 2026 13:18:18 -0400
Subject: [PATCH] Use GitHub App token for CLI docs workflow
---
 .github/workflows/update-cli-docs.yml | 68 ++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/update-cli-docs.yml b/.github/workflows/update-cli-docs.yml
index 8c4d651..06d762f 100644
--- a/.github/workflows/update-cli-docs.yml
+++ b/.github/workflows/update-cli-docs.yml
@@ -6,12 +6,14 @@ on:
 workflow_dispatch:
 
 permissions:
- contents: write
- pull-requests: write
+ contents: read
 
 env:
 BRANCH: actions/update-cli-docs
 
+concurrency:
+ group: ${{ github.workflow }}
+
 jobs:
 update-cli-docs:
 name: Update CLI Docs
@@ -21,7 +23,6 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: main
- token: ${{ secrets.GITHUB_TOKEN }}
 
 - uses: pnpm/action-setup@v4
 with:
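Review bot: Nothing near `permissions:` or the new `concurrency:` block says why the job token is now read-only or what the group is guarding, so a later edit could restore `contents: write` without noticing that writes moved to the App token. A comment above `permissions:` such as `# GITHUB_TOKEN stays read-only; the branch and PR are written with the App token minted in the job.` would record that. On `concurrency:`, stating `cancel-in-progress: false` explicitly documents that an in-flight run is allowed to finish its ref update and commit. As far as the visible hunks show, nothing pushes through git any more, so the checkout step in the following hunk could presumably also set `persist-credentials: false`.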
@@ -61,22 +62,63 @@ jobs:
 git diff src/content/docs/cli/commands.mdx
 fi
 
- - name: Commit and push to automated branch
+ - name: Generate app token
 if: steps.changes.outputs.changed == 'true'
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
- git checkout -B "$BRANCH"
- git add src/content/docs/cli/commands.mdx
- git commit -m "Update auto-generated CLI documentation ($(date -u +%Y-%m-%d))"
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+ id: app-token
+ with:
+ app-id: ${{ vars.SPRITES_BOT_APP_ID }}
+ private-key: ${{ secrets.SPRITES_BOT_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 
- git push origin "$BRANCH" --force
+ - name: Commit to automated branch
+ if: steps.changes.outputs.changed == 'true'
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ # Since we're authed as a bot user, create the commit using the
+ # GraphQL API.
+ HEAD_OID="$(git rev-parse HEAD)"
+
+ gh api graphql \
+ -F expectedHeadOid="$HEAD_OID" \
+ -f query='mutation($expectedHeadOid: GitObjectID!) {
+ updateRefs(input: {
+ repositoryId: "${{ github.event.repository.node_id }}",
+ refUpdates: [{
+ afterOid: $expectedHeadOid,
+ force: true,
+ name: "refs/heads/${{ env.BRANCH }}"
+ }]
+ }) { clientMutationId }
+ }'
+
+ gh api graphql \
+ -F headline="Update auto-generated CLI documentation ($(date -u +%Y-%m-%d))" \
+ -F expectedHeadOid="$(git rev-parse HEAD)" \
+ -F additions[][path]=src/content/docs/cli/commands.mdx \
+ -F additions[][contents]="$(base64 -w 0 src/content/docs/cli/commands.mdx)" \
+ -f query='mutation(
+ $headline: String!,
+ $expectedHeadOid: GitObjectID!,
+ $additions: [FileAddition!]!
+ ) {
+ createCommitOnBranch(input: {
+ branch: {
+ repositoryNameWithOwner: "${{ github.repository }}",
+ branchName: "${{ env.BRANCH }}"
+ },
+ expectedHeadOid: $expectedHeadOid,
+ fileChanges: { additions: $additions },
+ message: { headline: $headline }
+ }) { commit { url } }
+ }'
 
 - name: Open or update PR
 if: steps.changes.outputs.changed == 'true'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 cat > /tmp/pr-body.md << EOF
 Built from $(sprite --version) on $(date -u +%Y-%m-%d)
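Review bot: The `run:` script of "Commit to automated branch" has `${{ github.event.repository.node_id }}`, `${{ github.repository }}` and `${{ env.BRANCH }}` expanded into the shell text before it runs, in the one step that holds the write-scoped App token. The values visible here are repository-controlled, so this is hardening rather than a live injection, but passing them through `env:` and declaring them as GraphQL variables keeps the query a fixed string and stays safe if an event-derived value is ever substituted. The second `gh api graphql` call also re-runs `git rev-parse HEAD` instead of reusing `$HEAD_OID`, and the first mutation names its variable `$expectedHeadOid` although it feeds `afterOid`. The "Open or update PR" step continues past the end of the hunk.

```yaml
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO_ID: ${{ github.event.repository.node_id }}
          REPO: ${{ github.repository }}
        run: |
          HEAD_OID="$(git rev-parse HEAD)"

          gh api graphql \
            -f repositoryId="$REPO_ID" \
            -f refName="refs/heads/$BRANCH" \
            -f afterOid="$HEAD_OID" \
            -f query='mutation($repositoryId: ID!, $refName: GitRefname!, $afterOid: GitObjectID!) {
              updateRefs(input: {
                repositoryId: $repositoryId,
                refUpdates: [{ afterOid: $afterOid, force: true, name: $refName }]
              }) { clientMutationId }
            }'

          # … unchanged: the -F headline and -F additions[] arguments stay on this call …
          gh api graphql \
            -f repo="$REPO" \
            -f branch="$BRANCH" \
            -f expectedHeadOid="$HEAD_OID" \
            -f query='mutation(
              $repo: String!,
              $branch: String!,
              # … unchanged: $headline, $expectedHeadOid, $additions …
            ) {
              createCommitOnBranch(input: {
                branch: { repositoryNameWithOwner: $repo, branchName: $branch },
                # … unchanged: expectedHeadOid, fileChanges, message …
```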