From 0df3cd51fd482415d6522ae7cf39538c3eb7ea00 Mon Sep 17 00:00:00 2001
From: Linwei Shang
Date: Tue, 12 May 2026 19:13:54 -0400
Subject: [PATCH 1/3] chore(ci): use GitHub App token to create Rust toolchain update PR PRs opened with GITHUB_TOKEN do not trigger CI checks. Switch to the org-level GitHub App token so that CI runs on the auto-created PR. Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/update-rust-toolchain.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update-rust-toolchain.yml b/.github/workflows/update-rust-toolchain.yml
index 83596f6..086c301 100644
--- a/.github/workflows/update-rust-toolchain.yml
+++ b/.github/workflows/update-rust-toolchain.yml
@@ -40,10 +40,18 @@ jobs:
 if: steps.check.outputs.needs_update == 'true'
 run: sed -i 's/^channel = ".*"/channel = "${{ steps.check.outputs.latest }}"/' rust-toolchain.toml

+ - name: Create GitHub App Token
+ if: steps.check.outputs.needs_update == 'true'
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ id: app-token
+ with:
+ app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
+ private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
+
 - name: Open pull request
 if: steps.check.outputs.needs_update == 'true'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 BRANCH="chore/update-rust-toolchain"
 TITLE="chore(toolchain): update Rust to ${{ steps.check.outputs.latest }}"
From bd656e149f265baf8097f4724662022451e71e9b Mon Sep 17 00:00:00 2001
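Review bot: The new `Create GitHub App Token` step in the `@@ -40,10 +40,18 @@` hunk mints the token without any `permission-*` inputs, so by default the `Open pull request` step receives every permission the app installation holds on this repository rather than only what opening a PR needs. Narrowing it in the `with:` block, e.g. `permission-pull-requests: write` (plus `permission-contents: write` only if the branch push is meant to use this token), limits what a leaked or misused token can do. The step's script, which continues past the end of the hunk, expands `${{ steps.check.outputs.latest }}` directly into shell text while that token sits in its environment; how `latest` is produced is not visible here, so passing it in through `env:` and quoting the variable would be the safer form.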
From: Linwei Shang
Date: Wed, 13 May 2026 09:18:26 -0400
Subject: [PATCH 2/3] chore(ci): align Rust toolchain update workflow with developer-docs practice - Switch to client-id + PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID (from app-id) - Bump create-github-app-token to v3.1.1 - Use pr-automation-bot-public[bot] as git committer identity - Drop explicit permissions block (app token handles it) Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/update-rust-toolchain.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/update-rust-toolchain.yml b/.github/workflows/update-rust-toolchain.yml
index 086c301..4958467 100644
--- a/.github/workflows/update-rust-toolchain.yml
+++ b/.github/workflows/update-rust-toolchain.yml
@@ -8,9 +8,6 @@ on:
 jobs:
 update-toolchain:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@@ -42,10 +39,10 @@ jobs:

 - name: Create GitHub App Token
 if: steps.check.outputs.needs_update == 'true'
- uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 id: app-token
 with:
- app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
+ client-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_CLIENT_ID }}
 private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}

 - name: Open pull request
@@ -57,8 +54,8 @@ jobs:
 TITLE="chore(toolchain): update Rust to ${{ steps.check.outputs.latest }}"
 BODY="Updates pinned Rust toolchain from \`${{ steps.check.outputs.current }}\` to \`${{ steps.check.outputs.latest }}\`."

- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
+ git config user.name "pr-automation-bot-public[bot]"
+ git config user.email "pr-automation-bot-public[bot]@users.noreply.github.com"
 git checkout -b "$BRANCH"
 git add rust-toolchain.toml
 git commit -m "$TITLE"
From bf76617830235448eac7ea4f4bbd757141bbb7ac Mon Sep 17 00:00:00 2001
From: Linwei Shang
Date: Wed, 13 May 2026 10:10:37 -0400
Subject: [PATCH 3/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/update-rust-toolchain.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/update-rust-toolchain.yml b/.github/workflows/update-rust-toolchain.yml
index 4958467..7476211 100644
--- a/.github/workflows/update-rust-toolchain.yml
+++ b/.github/workflows/update-rust-toolchain.yml
@@ -8,6 +8,8 @@ on:
 jobs:
 update-toolchain:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
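Review bot: The committer identity in the two added `git config` lines of the `@@ -57,8 +54,8 @@` hunk is hard-coded, so it can silently drift from whichever app `steps.app-token` actually authenticates as. The token step exposes the app's slug as an output, so the name could be derived from it: pass `APP_SLUG: ${{ steps.app-token.outputs.app-slug }}` under `env:` and use `git config user.name "${APP_SLUG}[bot]"`. As far as I know GitHub links a commit to a bot account only when the no-reply address carries the numeric account id prefix (`<id>+<slug>[bot]@users.noreply.github.com`), so these commits may appear unattributed; worth confirming on the first generated PR. The script continues beyond the hunk, so which credential the later push uses is not visible here.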
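Review bot: The restored `permissions:` block in the `@@ -8,6 +8,8 @@` hunk has no comment explaining why the job's `GITHUB_TOKEN` needs `contents: write` now that the PR is opened with the App token, and the commit message ("Potential fix for pull request finding") does not say either. If the write scope exists because the branch push authenticates with the token that `actions/checkout` persists, record that next to it, e.g. `# GITHUB_TOKEN pushes the update branch; the PR itself is opened with the App token`. If the push can use the App token instead, `contents: read` here together with `persist-credentials: false` on the checkout step would leave the default token read-only. The push is outside this hunk, so this is inferred rather than confirmed.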