feat: add keys for our gha app

derekmisler · derekmisler · commit 0a5ccaa2d01a · 2026-02-04T17:02:17.000-05:00
diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
@@ -22,6 +22,8 @@ concurrency:
 jobs:
   scan:
     runs-on: ubuntu-latest
+    env:
+      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
 
     steps:
       - name: Checkout repository
@@ -40,16 +42,26 @@ jobs:
           restore-keys: |
             scanner-memory-${{ github.repository }}-
 
+      - name: Generate GitHub App token
+        if: env.HAS_APP_SECRETS == 'true'
+        id: app-token
+        continue-on-error: true
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
+        with:
+          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
+          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+
       - name: Run nightly scan
         uses: docker/cagent-action@latest
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         with:
           agent: ${{ github.workspace }}/.github/agents/nightly-scanner.yaml
           prompt: ${{ inputs.dry-run && 'DRY RUN MODE: Do not create any issues. Just report what you would create.' || '' }}
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           openai-api-key: ${{ secrets.OPENAI_API_KEY }}
           google-api-key: ${{ secrets.GEMINI_API_KEY }}
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           timeout: 1200
 
       - name: Save scanner memory
