ci(front-desk-add): mint via the OIDC broker, not a repo App key (prx-26bq)#18

Merged
bdelanghe merged 1 commit into main from ci/front-desk-add-via-broker on Jun 29, 2026

@bdelanghe

Contributor

Part of the front-desk-add fan-out repoint (prx-26bq), proven via the site pilot (bounded-systems/site#93): mint through the cf-token-broker instead of a repo-held App key. Opening this PR self-tests the add check on the new broker path. front-desk-sync is already cut over and verified.

🤖 Generated with Claude Code

…-26bq)

Repoint the per-repo Front Desk add off create-github-app-token +
FRONT_DESK_APP_PRIVATE_KEY onto the cf-token-broker via the public
bounded-systems/.github broker-gh-token action (OIDC, app=front-desk).
The App key leaves this repo's runner — it lives only in the broker,
ending the per-PR mint that hammers the front-desk App installation rate
limit. Fail-open on vars.FRONT_DESK_BROKER_URL; best-effort
(continue-on-error) so it never red-flags a PR. Proven via the site
pilot (bounded-systems/site#93).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@bdelanghe bdelanghe merged commit 9e9005a into main Jun 29, 2026
3 checks passed
@bdelanghe bdelanghe deleted the ci/front-desk-add-via-broker branch June 29, 2026 02:30