From 0e624bcbd4addbf87ff25fad9a499ada83109e87 Mon Sep 17 00:00:00 2001
From: Ibrahim Halatci
Date: Sat, 27 Jun 2026 21:25:56 +0300
Subject: [PATCH] Docker Phase 4: GH_TOKEN -> GitHub App token (update_version.yml)

Mint a GitHub App token in update_version.yml and export it to the job environment (GH_TOKEN/GITHUB_TOKEN) so the update_docker --pipeline PR creation runs under the citusdata GitHub App instead of the org PAT. Top-level GH_TOKEN secret is intentionally retained for zero-downtime (removed only in Phase 6). The 4 publish workflows use DockerHub creds only and need no change. Matches the proven pattern in citusdata/packaging update-pgxn-version.yml.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/update_version.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/update_version.yml b/.github/workflows/update_version.yml
index 21a7a92..0049470 100644
--- a/.github/workflows/update_version.yml
+++ b/.github/workflows/update_version.yml
@@ -27,6 +27,19 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v6
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ vars.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_KEY }}
+ owner: citusdata
+
+ - name: Export App token to environment
+ run: |
+ echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+ echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+
 - name: Install package dependencies
 run: sudo apt-get update && sudo apt install libcurl4-openssl-dev libssl-dev python3-testresources
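Review bot: The `Export App token to environment` step writes the App token to `$GITHUB_ENV`, which hands it to every later step in the job, starting with the `apt install` step right below and whatever else follows outside this hunk, rather than only to the step that opens the PR. Setting it on that one step instead, with an `env:` entry `GH_TOKEN: ${{ steps.app-token.outputs.token }}`, keeps the credential out of dependency-install and build steps and also removes the `${{ }}` expansion inside the `run:` script. With `owner: citusdata` and no `repositories:` input, the minted token presumably covers every repository in the App's installation; if the pipeline only touches this repository, add `repositories: <this-repo-name>` (and the action's `permission-*` inputs, e.g. `permission-pull-requests: write`) to narrow it. The step that runs `update_docker --pipeline` is not visible in this hunk, so the exact placement of the `env:` block needs checking against the full job.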