
fix(ci): pass App token to checkout so bot pushes trigger downstream workflows #3045

Closed
amikofalvy wants to merge 1 commit into main from worktree-fix-autoformat-app-token

Conversation

@amikofalvy
Collaborator

Summary

  • Fixes auto-format.yml and ci.yml not triggering downstream CI workflows when they push bot commits (formatting fixes, OpenAPI snapshot updates)
  • Root cause: actions/checkout sets http.extraheader with the GITHUB_TOKEN, which overrides URL-embedded credentials — so the manual git remote set-url with the App token was silently ignored
  • Same root cause fixed for release.yml in d85f7ca (persist-credentials: false), but auto-format and CI were never updated

What changed

Both workflows now generate the App token before checkout and pass it to checkout's token: input, so the extraheader is set with the App identity from the start. This eliminates the need for manual git remote set-url overrides in the push steps.

Fix history

| Commit | What it did | Why it wasn't enough |
| --- | --- | --- |
| b204079 | Added App token + git remote set-url to auto-format + CI | extraheader from checkout overrides URL credentials |
| 3debd2e | Same remote set-url approach for release.yml | Same problem |
| d85f7ca | Fixed release.yml with persist-credentials: false | Only fixed release.yml — auto-format + CI were left broken |
| This PR | Generate App token before checkout, pass to token: | Fixes auto-format + CI with a cleaner approach |

Test plan

  • Push a formatting change to a PR branch → verify auto-format commit triggers CI
  • Push an OpenAPI-affecting change to a PR → verify snapshot commit triggers CI
  • Verify fork PRs still work (app token skipped, falls back to GITHUB_TOKEN/github.token)

🤖 Generated with Claude Code

…workflows

actions/checkout sets http.extraheader with an AUTHORIZATION header
containing whichever token is passed to its `token` input. This header
takes precedence over URL-embedded credentials. Both auto-format.yml
and ci.yml were generating the App token AFTER checkout and overriding
the remote URL, but the extraheader from checkout (set with the default
GITHUB_TOKEN) still won — so pushes were silently attributed to
GITHUB_TOKEN and GitHub skipped triggering downstream workflows.

This is the same root cause fixed for release.yml in d85f7ca
(persist-credentials: false). For these two workflows we take a
cleaner approach: generate the App token BEFORE checkout and pass it
directly to checkout's `token` input, so the extraheader is set
correctly from the start. No manual `git remote set-url` needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
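The precedence rule the PR description and commit message rely on (checkout's http.extraheader wins over credentials embedded in the remote URL) is easy to get wrong and hard to see from a green workflow log, because the push itself succeeds either way. The following is an added example, not code from the PR or the project: an offline check that reads a .git/config the way a job would see it after actions/checkout and reports which token git will actually present on a push to origin, across the three states in the fix history (remote set-url after checkout, persist-credentials: false, and the token: input used here). The token strings, the remote URL and the config texts are constructed for the example; the only facts taken from the page are the header actions/checkout writes (http.https://github.com/.extraheader with basic auth of x-access-token:TOKEN) and the precedence claim.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed values for the example; not tokens or URLs from the project.
DEFAULT_TOKEN = "ghs_GITHUB_TOKEN_FAKE"
APP_TOKEN = "ghs_APP_TOKEN_FAKE"
REPO_URL = "https://github.com/example-org/example-repo"


def checkout_extraheader(token: str) -> str:
    """Header value actions/checkout writes: HTTP basic auth of 'x-access-token:<token>'."""
    creds = f"x-access-token:{token}".encode()
    return "AUTHORIZATION: basic " + base64.b64encode(creds).decode()


def parse_git_config(text: str) -> Dict[Tuple[str, Optional[str]], Dict[str, List[str]]]:
    """Minimal reader for git's INI-like config: {(section, subsection): {key: [values]}}."""
    cfg: Dict[Tuple[str, Optional[str]], Dict[str, List[str]]] = {}
    cur: Optional[Tuple[str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r'\[(\w+)(?:\s+"([^"]*)")?\]$', line)
        if header:
            cur = (header.group(1).lower(), header.group(2))
            cfg.setdefault(cur, {})
            continue
        if cur is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")  # first '=' only; base64 padding stays in the value
        cfg[cur].setdefault(key.strip().lower(), []).append(value.strip())
    return cfg


def strip_userinfo(url: str) -> str:
    """Drop 'user:pass@' so http.<url>.* keys match the way git's URL matcher does."""
    return re.sub(r"^(https?://)[^@/]+@", r"\1", url)


def url_token(url: str) -> Optional[str]:
    """Token embedded in the URL by `git remote set-url`, if any."""
    m = re.match(r"^https?://x-access-token:([^@/]+)@", url)
    return m.group(1) if m else None


def extraheader_token(header: str) -> Optional[str]:
    """Decode the token carried by a checkout-style AUTHORIZATION: basic header."""
    m = re.match(r"^AUTHORIZATION:\s*basic\s+(\S+)$", header, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode().partition(":")[2] or None


@dataclass(frozen=True)
class PushIdentity:
    source: str  # "extraheader", "url" or "none"
    token: Optional[str]


def effective_push_identity(config_text: str, remote: str = "origin") -> PushIdentity:
    """Which credential git sends for a push to `remote`, given this config."""
    cfg = parse_git_config(config_text)
    urls = cfg.get(("remote", remote), {}).get("url")
    if not urls:
        raise ValueError(f"remote '{remote}' has no url")
    url = urls[-1]
    target = strip_userinfo(url)
    # git applies http.<prefix>.* entries whose prefix matches the remote URL
    # (longest match wins). The extraheader is passed to curl as a custom header
    # and replaces the Authorization header curl would build from the URL's
    # userinfo, which is the precedence the PR describes.
    best: Optional[Tuple[str, str]] = None
    for (section, sub), entries in cfg.items():
        if section != "http" or not sub or "extraheader" not in entries:
            continue
        if target.startswith(sub) and (best is None or len(sub) > len(best[0])):
            best = (sub, entries["extraheader"][-1])
    if best is not None:
        return PushIdentity("extraheader", extraheader_token(best[1]))
    tok = url_token(url)
    return PushIdentity("url" if tok else "none", tok)


def check_push_identity(config_text: str, intended: str) -> bool:
    """Pre-push check a workflow step could run: does git hold the token we meant?"""
    return effective_push_identity(config_text).token == intended


# State after b204079: checkout ran with GITHUB_TOKEN, then set-url embedded the App token.
CONFIG_SET_URL_ONLY = f"""
[remote "origin"]
\turl = https://x-access-token:{APP_TOKEN}@github.com/example-org/example-repo
[http "https://github.com/"]
\textraheader = {checkout_extraheader(DEFAULT_TOKEN)}
"""
# State after d85f7ca (release.yml): persist-credentials: false, no extraheader at all.
CONFIG_NO_PERSIST = f"""
[remote "origin"]
\turl = https://x-access-token:{APP_TOKEN}@github.com/example-org/example-repo
"""
# State after this PR: checkout itself received the App token.
CONFIG_TOKEN_INPUT = f"""
[remote "origin"]
\turl = {REPO_URL}
[http "https://github.com/"]
\textraheader = {checkout_extraheader(APP_TOKEN)}
"""

if __name__ == "__main__":
    for name, cfg in (("set-url only", CONFIG_SET_URL_ONLY),
                      ("persist-credentials: false", CONFIG_NO_PERSIST),
                      ("token: input", CONFIG_TOKEN_INPUT)):
        ident = effective_push_identity(cfg)
        print(f"{name:27} -> {ident.source:11} {ident.token}  ok={check_push_identity(cfg, APP_TOKEN)}")
```

Running the script shows the first state still pushing as GITHUB_TOKEN despite the rewritten URL, and the other two pushing as the App. The same check can be dropped into a workflow step (reading the runner's real .git/config) to fail the job loudly instead of letting a push succeed under the wrong identity; the b64 decoding also doubles as a quick way to confirm, without a push, which identity a checked-out repo will use.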
@vercel

vercel bot commented Apr 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| agents-api | Ready | Preview, Comment | Apr 7, 2026 5:40am |
| agents-docs | Ready | Preview, Comment | Apr 7, 2026 5:40am |
| agents-manage-ui | Ready | Preview, Comment | Apr 7, 2026 5:40am |


@changeset-bot

changeset-bot bot commented Apr 7, 2026

⚠️ No Changeset found

Latest commit: 1454ffe

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@pullfrog
Contributor

pullfrog bot commented Apr 7, 2026

TL;DR — Moves the GitHub App token generation step before actions/checkout in both CI workflows so that git's http.extraheader is configured with the App identity from the start. This eliminates the need to manually rewrite the remote URL before pushing and ensures bot commits reliably trigger downstream workflows.

Key changes

  • Move App token generation before checkout in auto-format.yml — the token is now available when actions/checkout configures git, removing the post-checkout git remote set-url hack
  • Move App token generation before checkout in ci.yml — same pattern applied to the CI workflow's OpenAPI snapshot commit-and-push step
  • Pass App token to actions/checkout via token: — both workflows now use ${{ steps.app-token.outputs.token || ... }} as the checkout token, so git is pre-authenticated as the App
  • Remove manual git remote set-url blocks — no longer needed since checkout already configures the correct credentials

Summary | 2 files | 1 commit | base: main | head: worktree-fix-autoformat-app-token

App token moved before checkout to authenticate git automatically

Before: The App token was generated after checkout, so actions/checkout configured git with the default GITHUB_TOKEN. A manual git remote set-url call was required before each push to swap in the App token — and if the token step was skipped or failed, pushes silently used GITHUB_TOKEN, whose commits GitHub ignores for workflow triggering.
After: The App token is generated before checkout and passed via the token: input. actions/checkout configures http.extraheader with the App identity automatically, so all subsequent git operations (including pushes) use the App token without any manual URL rewriting.

Why does token ordering matter with actions/checkout?

actions/checkout sets a http.extraheader git config that embeds the provided token for all HTTPS operations against the repo. When the default GITHUB_TOKEN is used, GitHub treats resulting commits as "bot" commits and skips triggering workflows to prevent infinite loops. By passing an App-generated token instead, the commits are attributed to the App identity, which GitHub does allow to trigger downstream workflows.

.github/workflows/auto-format.yml · .github/workflows/ci.yml

Pullfrog | View workflow run | Triggered by Pullfrog | Using Claude Opus

Contributor

@pullfrog pullfrog bot left a comment


Clean, well-motivated fix. The root cause diagnosis is correct — actions/checkout sets http.extraheader, which takes precedence over URL-embedded credentials from git remote set-url. Moving token generation before checkout is the right approach. One minor nit on token fallback consistency.

Pullfrog | View workflow run | Using Claude Opus

token: ${{ secrets.GITHUB_TOKEN }}
# Use the App token so git's extraheader authenticates as the App,
# ensuring pushes trigger downstream workflows.
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
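Review bot: passing the App token on the last line means checkout persists it (persist-credentials is left at its default of true) into the repository's http.extraheader for every later step of the job, including the formatter and any repository-controlled scripts that run before the push; an App installation token generally carries more than GITHUB_TOKEN, so mint it with only the permissions the push needs and keep the steps between checkout and push to trusted tooling.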
Contributor


Nit: This falls back to secrets.GITHUB_TOKEN, while ci.yml:71 uses github.token. They're functionally equivalent, but github.token is the modern idiom and avoids the impression that it's a user-managed secret. Consider aligning both files to github.token for consistency.

Suggested change
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token || github.token }}

# to prevent infinite loops.
- name: Generate GitHub App Token
id: app-token
if: steps.pr-check.outputs.skip != 'true'
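Review bot: the `if:` on the last line is the only guard shown, and `steps.pr-check.outputs.skip` is empty whenever `pr-check` did not run, so the step also runs on every event where that check is skipped; if the intent is to skip the App token on fork pull requests (as the test plan states), say so explicitly, for example by additionally testing `github.event.pull_request.head.repo.full_name == github.repository`, rather than relying on an empty output comparing unequal to `'true'`.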
Contributor


The auto-format workflow also triggers on push to main (line 6-8). On push events, steps.pr-check is skipped entirely, so steps.pr-check.outputs.skip is empty — which passes this != 'true' condition. That means App token generation runs on push-to-main too, which seems intentional (the workflow pushes formatting commits on main as well). Just flagging for visibility — no change needed.

Contributor

@pullfrog pullfrog bot left a comment


Approved. The fix correctly addresses the extraheader precedence issue.

Pullfrog | View workflow run | Using Claude Opus

Contributor

@claude claude bot left a comment


PR Review Summary

(0) Total Issues | Risk: Low


💭 Consider (1) 💭

Inline Comments:

  • 💭 Consider: ci.yml:71 Inconsistent token reference (github.token vs secrets.GITHUB_TOKEN in auto-format.yml)

🧹 While You're Here (1) 🧹

🧹 1) release.yml:36 Different approach for same problem

Issue: release.yml uses persist-credentials: false + post-checkout token generation, while this PR establishes a cleaner pattern of pre-checkout token generation with token: input.

Why: Two valid patterns for the same problem increases cognitive load during maintenance. The new approach in this PR is cleaner and more straightforward.

Fix: Consider a follow-up PR to update release.yml to use the same token: input approach for consistency across all workflows.

✅ APPROVE

Summary: This PR correctly fixes the root cause of bot commits not triggering downstream CI workflows. The solution — generating the GitHub App token before checkout and passing it to checkout's token: input — is cleaner than the previous git remote set-url workaround that was silently overridden by the http.extraheader set by actions/checkout.

The implementation is sound:

  • Security: Actions are SHA-pinned, permissions properly scoped
  • Fork handling: Fallback tokens ensure fork PRs still work (app token skipped, falls back gracefully)
  • Root cause addressed: Checkout now uses App token identity from the start, so pushes trigger downstream workflows

The only suggestions are cosmetic consistency improvements. Ship it! 🚀


Discarded (0)

None.

Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
| --- | --- | --- | --- | --- | --- | --- | --- |
| pr-review-devops | 3 | 0 | 1 | 1 | 1 | 0 | 0 |
| Total | 3 | 0 | 1 | 1 | 1 | 0 | 0 |

fetch-depth: 0
# Use the App token so git's extraheader authenticates as the App,
# ensuring pushes trigger downstream workflows.
token: ${{ steps.app-token.outputs.token || github.token }}
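Review bot: the `||` fallback to `github.token` on the last line keeps checkout working when the App token step is skipped, but a push made under it is attributed to GITHUB_TOKEN and triggers nothing, which is exactly the failure this PR fixes; the comment two lines up promises that pushes "trigger downstream workflows" unconditionally, so either amend it to say the fallback path does not, or gate the push step on `steps.app-token.outcome == 'success'` so the no-trigger case fails loudly instead of silently.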
Contributor


💭 Consider: Inconsistent token reference naming

Issue: This uses github.token while auto-format.yml:67 uses secrets.GITHUB_TOKEN as the fallback. Both reference the same token, but inconsistent naming could cause confusion.

Why: Cosmetic inconsistency; doesn't affect functionality but reduces maintainability.

Fix:

Suggested change
token: ${{ steps.app-token.outputs.token || github.token }}
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}

@github-actions github-actions bot deleted a comment from claude bot Apr 7, 2026
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Preview URLs

Use these stable preview aliases for testing this PR:

These point to the same Vercel preview deployment as the bot comment, but they stay stable and easier to find.

Raw Vercel deployment URLs

@amikofalvy amikofalvy closed this Apr 7, 2026