From 3c771f1ee562d4004d1d513edddbbf8943b4bba5 Mon Sep 17 00:00:00 2001
From: Linwei Shang
Date: Tue, 19 May 2026 15:26:44 -0400
Subject: [PATCH] ci: use dedicated PAT for cross-repo workflow dispatch
PR_AUTOMATION_BOT_PUBLIC lacks `actions: write` on icp-cli-network-launcher, so the previous `gh workflow run` step failed with HTTP 403. Switch to a fine-grained PAT scoped only to that repo, and document the rotation steps inline.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../workflows/promote-network-launcher.yml | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/promote-network-launcher.yml b/.github/workflows/promote-network-launcher.yml
index 549c5760..692c2a12 100644
--- a/.github/workflows/promote-network-launcher.yml
+++ b/.github/workflows/promote-network-launcher.yml
@@ -22,18 +22,19 @@ jobs:
 fi
 echo "tag=v${VERSION#v}" >> "$GITHUB_OUTPUT"
- - name: Create GitHub App Token
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
- id: app-token
- with:
- client-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID }}
- private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
- owner: dfinity
- repositories: icp-cli-network-launcher
- - name: Dispatch promote-release workflow
+ # Rotating NETWORK_LAUNCHER_DISPATCH_PAT (fine-grained PAT, max 1y expiry).
+ # This PAT only dispatches INTO dfinity/icp-cli-network-launcher; the
+ # reverse direction uses a separate PAT stored in that repo.
+ # 1. github.com -> Settings -> Developer settings -> Personal access tokens
+ # -> Fine-grained tokens -> Generate new token.
+ # 2. Resource owner: dfinity. Repository access: only
+ # dfinity/icp-cli-network-launcher.
+ # 3. Repository permissions: Actions = Read and write
+ # (Metadata: Read is auto-added).
+ # 4. Update the NETWORK_LAUNCHER_DISPATCH_PAT secret in dfinity/icp-cli.
 env:
- GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ GH_TOKEN: ${{ secrets.NETWORK_LAUNCHER_DISPATCH_PAT }}
 run: |
 gh workflow run promote-release.yml \
 --repo dfinity/icp-cli-network-launcher \
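Review bot: As the collapsed hunk reads, the `- name: Dispatch promote-release workflow` line is removed along with the App-token step (the deletion count of 10 only adds up if it is) and nothing replaces it, so the following `env:` and `run: |` keys no longer open a step of their own and attach to the preceding step, which already carries a `run:` block; GitHub rejects a workflow file with a duplicate mapping key, so the job would fail to load before any token is used. Keep `      - name: Dispatch promote-release workflow` on the new side and place the rotation comment directly above it or indented beneath it. Separately, a fine-grained PAT is a long-lived credential bound to one user's account, whereas the replaced path minted a short-lived installation token per run; if the PR_AUTOMATION_BOT_PUBLIC installation can instead be granted Actions write on icp-cli-network-launcher, that keeps the short-lived path, and if the PAT stays, the rotation comment should also name where its expiry date is tracked so a lapsed token does not surface only as a 401 on the next release. The dispatch step's `run:` block continues past the end of the hunk.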