From d2073bb83317abe8859f17c7dc07a4424e943814 Mon Sep 17 00:00:00 2001 From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com> Date: Mon, 29 Jun 2026 12:45:14 -0400 Subject: [PATCH] feat(fleet-status): mint the prx-forge bucket; pin synoptic v2.2.8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the existing prx-forge bucket app via the OIDC broker (per the GitHub-apps- architecture ADR) instead of a bespoke app — it grants contents/issues/PRs/checks + metadata, which covers the board's push-back and (via the v2.2.8 Checks-API CI read) the CI column, with no actions:read and no new app. Bump synoptic to v2.2.8. BLOCKED until the broker's GH_APPS carries a 'forge' entry (prx-forge appId 4169313 / installation 143190928; PEM as a Worker secret) — Cloudflare/infra action. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/fleet-status.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/fleet-status.yml b/.github/workflows/fleet-status.yml
index 7350e95..3fde889 100644
--- a/.github/workflows/fleet-status.yml
+++ b/.github/workflows/fleet-status.yml
@@ -39,12 +39,16 @@ jobs:
 if: ${{ vars.FRONT_DESK_BROKER_URL != '' }}
 uses: bounded-systems/.github/.github/actions/broker-gh-token@4a77867f40419ea5b38f3a3be7c481fa7e0eab84 # broker-gh-token (prx-26bq)
 with:
- app: front-desk # swap for a dedicated fleet app if you provision one
+ # prx-forge bucket (the write bucket: contents/issues/PRs/checks + metadata,
+ # per docs/prx/github-apps-architecture.md) — reused, not a new app. The board
+ # reads CI via the Checks API (checks:read), so this bucket covers it without
+ # actions:read. Requires the broker's GH_APPS to carry a "forge" entry.
+ app: forge
 broker-url: ${{ vars.FRONT_DESK_BROKER_URL }}
 - name: Fleet status board
 if: ${{ steps.app-token.outputs.token != '' }}
- uses: bdelanghe/synoptic-github@c4334ffa0b1dbb88f51e34d25ef115f0b47ce7df # v2.2.6
+ uses: bdelanghe/synoptic-github@4128373fbf7ee807ad9f080d210770072b7de3b6 # v2.2.8 (CI via Checks API)
 with:
 GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 mode: status
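Review bot: The new `app: forge` input mints a token from what the added comment itself calls the write bucket (contents/issues/PRs/checks), and the next step passes that token to the third-party `bdelanghe/synoptic-github` action as `GITHUB_TOKEN`. Pinning the action to a commit SHA guards against a moved tag, but the token still carries more write scope than a board that reads checks and pushes status back appears to need, so a flaw in the pinned revision would reach contents, issues and PRs. If the broker action can narrow the installation token at mint time (GitHub's installation-token API accepts a subset of permissions and repositories), request only what the board uses. Otherwise record the trade-off beside the input, for example `# forge is write-scoped and is handed to a third-party action; narrow permissions at mint time once the broker supports it`. The mint step starts above this hunk and the board step's `with:` block continues below it, so any scoping inputs already present are not visible here.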