From ee365d88cd2c8892eb5642d85f87c30b16fcb92f Mon Sep 17 00:00:00 2001
From: "Enny J. Frick" <enny.frick@conductorone.com>
Date: Thu, 30 Apr 2026 16:41:03 +0100
Subject: [PATCH] [OPS-1301] Use baton-ci app token in capabilities.yaml

Replace the long-lived RELENG_GITHUB_TOKEN PAT with a short-lived
baton-ci app token scoped to the current repo. Mirrors the OPS-1300
templated workflow pattern; needed before the temp org-admin
mitigation can safely be removed.

Linear: https://linear.app/ductone/issue/OPS-1301

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/capabilities.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/capabilities.yaml b/.github/workflows/capabilities.yaml
index d2fe5116..3086c407 100644
--- a/.github/workflows/capabilities.yaml
+++ b/.github/workflows/capabilities.yaml
@@ -10,10 +10,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Mint baton-ci app token
+        id: ci-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.BATON_CI_CLIENT_ID }}
+          private-key: ${{ secrets.BATON_CI_SECRET_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.RELENG_GITHUB_TOKEN }}
+          token: ${{ steps.ci-token.outputs.token }}
 
       - name: Setup Go
         uses: actions/setup-go@v5