From 19e860ed56d2d3d8b937cc03b17a9df884991aa4 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Tue, 9 Jun 2026 00:34:08 +0200 Subject: [PATCH 1/2] fix(agreements): mint GitHub App installation token in-job The previous calling pattern (see splunk/addonfactory-repository-template enforce/.github/workflows/agreements.yaml) mints a GitHub App installation token in a separate `generate-token` job and tries to pass it to `call-workflow-agreements` via `jobs..outputs.token`. GitHub Actions strips secret-classified values from job outputs ("Skip output 'token' since it may contain secret"), so the downstream job receives an empty PERSONAL_ACCESS_TOKEN and the contributor-assistant action fails with: Please add a personal access token as an environment variable for writing signatures in a remote repository/organization ... Could not retrieve repository contents. Status: unknown Example failing run: https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/27142130630 This change moves the token mint into the same job that consumes it: - Adds optional GH_APP_CLIENT_ID / GH_APP_PRIVATE_KEY secrets. - Generates an installation token scoped to splunk/cla-agreement before invoking contributor-assistant/github-action. - Falls back to the legacy PERSONAL_ACCESS_TOKEN secret when App credentials are not supplied, keeping existing callers working. - GH_TOKEN is now optional and defaults to github.token. Callers can simplify to: jobs: call-workflow-agreements: uses: splunk/addonfactory-github-workflows/.github/workflows/reusable-agreements.yaml@vX.Y secrets: GH_APP_CLIENT_ID: ${{ secrets.GH_APP_CLIENT_ID }} GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} Co-authored-by: Cursor --- .github/workflows/reusable-agreements.yaml | 52 ++++++++++++++++++---- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-agreements.yaml b/.github/workflows/reusable-agreements.yaml index 28a9407..a400671 100644 
--- a/.github/workflows/reusable-agreements.yaml +++ b/.github/workflows/reusable-agreements.yaml 
@@ -4,26 +4,53 @@ on: workflow_call: secrets: GH_TOKEN: - description: Github token - required: true + description: "GITHUB_TOKEN of the calling workflow. Optional; defaults to github.token." + required: false PERSONAL_ACCESS_TOKEN: - description: Personal access token - required: true + description: | + Legacy PAT with write access to the remote signatures repository + (splunk/cla-agreement). Prefer GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY + which mint a short-lived GitHub App installation token in-job. + required: false + GH_APP_CLIENT_ID: + description: | + GitHub App client id. When provided together with GH_APP_PRIVATE_KEY, + an installation token scoped to splunk/cla-agreement is generated + in-job and used in place of PERSONAL_ACCESS_TOKEN. + required: false + GH_APP_PRIVATE_KEY: + description: "GitHub App private key (PEM)." + required: false + permissions: actions: read contents: read pull-requests: write statuses: read + jobs: ContributorLicenseAgreement: runs-on: ubuntu-latest steps: + # NOTE: the App token MUST be minted in the same job that consumes it. + # GitHub Actions strips secret-classified values from `jobs..outputs` + # ("Skip output 'token' since it may contain secret"), so minting it in + # a separate job and passing via `needs.*.outputs.token` does not work. 
+ - name: Generate GitHub App installation token + id: app-token + if: ${{ secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '' }} + uses: actions/create-github-app-token@v3 + with: + client-id: ${{ secrets.GH_APP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: splunk + repositories: cla-agreement - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby accept the CLA') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_TOKEN || github.token }} + PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token || secrets.PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CLA.md" # e.g. a CLA or a DCO document 
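Review bot: The new `uses: actions/create-github-app-token@v3` step is pinned to a mutable major tag, yet it is the step that receives the App private key (`GH_APP_PRIVATE_KEY`) and mints the token that stands in for a write-capable PAT on splunk/cla-agreement, so whatever the `v3` tag points at tomorrow gets that key; pin it to the full commit SHA of the intended release with a trailing `# v3.x.y` comment, as is standard for any third-party step that handles credentials (the same applies to `contributor-assistant/github-action@v2.6.1`, which is unchanged here). The minted token also carries every permission the App installation has on `cla-agreement`; if the action version in use supports the `permission-*` inputs, adding `permission-contents: write` under `with:` narrows it to what the signatures write needs (confirm against the action's docs whether `permission-pull-requests` is also required). Recent versions of this action revoke the token in a post step by default, which is the right behaviour for an in-job mint; a one-line comment such as `# Token is revoked by the action's post step at job end; do not try to share it across jobs.` would make that intent explicit next to the existing NOTE. The `with:` block of the CLA Assistant step continues past this hunk.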
@@ -39,12 +66,21 @@ jobs: CodeOfConduct: runs-on: ubuntu-latest steps: + - name: Generate GitHub App installation token + id: app-token + if: ${{ secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '' }} + uses: actions/create-github-app-token@v3 + with: + client-id: ${{ secrets.GH_APP_CLIENT_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: splunk + repositories: cla-agreement - name: "COC Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_TOKEN || github.token }} + PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token || secrets.PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: "signatures/version1/coc.json" path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CODE_OF_CONDUCT.md" # e.g. a COC or a DCO document From 277e0e0f1aa663c4db2d39bb06b0dbbfe5e5d8a1 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Tue, 9 Jun 2026 00:37:33 +0200 Subject: [PATCH 2/2] fix(agreements): bridge secrets to step if via job env GitHub Actions does not allow the `secrets` context inside step-level `if:` expressions (only github, needs, vars, env, inputs are allowed), which caused the reusable workflow to fail validation in the caller with a 0-second workflow file error. Move the App-creds presence check to job-level `env.HAS_APP_CREDS` (secrets context IS allowed in job env), then condition the create-github-app-token step on `env.HAS_APP_CREDS == 'true'`. Co-authored-by: Cursor --- .github/workflows/reusable-agreements.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
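Review bot: With `PERSONAL_ACCESS_TOKEN` and the App secrets all `required: false`, the fallback `${{ steps.app-token.outputs.token || secrets.PERSONAL_ACCESS_TOKEN }}` on the COC Assistant step evaluates to an empty string when a caller supplies neither, and the job then fails inside contributor-assistant with the same opaque "Please add a personal access token" message this series set out to remove. A fail-fast step ahead of the token mint, giving a clear `::error::` naming the two accepted credential sets, turns a caller misconfiguration into an actionable failure instead of a Status: unknown; give it the same `if:` as the assistant step so unrelated issue comments do not fail the job. The same gap exists in the ContributorLicenseAgreement job, which is structured identically. The CodeOfConduct job's `with:` block continues past the end of this hunk.

```yaml
      - name: Check that a signatures-repo credential was supplied
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target'
        env:
          PAT: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          APP_CLIENT_ID: ${{ secrets.GH_APP_CLIENT_ID }}
          APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [ -z "$PAT" ] && { [ -z "$APP_CLIENT_ID" ] || [ -z "$APP_PRIVATE_KEY" ]; }; then
            echo "::error::Supply GH_APP_CLIENT_ID and GH_APP_PRIVATE_KEY, or the legacy PERSONAL_ACCESS_TOKEN secret"
            exit 1
          fi
      # … unchanged: Generate GitHub App installation token, COC Assistant …
```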
diff --git a/.github/workflows/reusable-agreements.yaml b/.github/workflows/reusable-agreements.yaml index a400671..fb715a1 100644 --- a/.github/workflows/reusable-agreements.yaml +++ b/.github/workflows/reusable-agreements.yaml @@ -31,6 +31,9 @@ permissions: jobs: ContributorLicenseAgreement: runs-on: ubuntu-latest + # `secrets` context is not allowed in step `if:` conditions; bridge via env. + env: + HAS_APP_CREDS: ${{ (secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '') && 'true' || 'false' }} steps: # NOTE: the App token MUST be minted in the same job that consumes it. # GitHub Actions strips secret-classified values from `jobs..outputs` @@ -38,7 +41,7 @@ jobs: # a separate job and passing via `needs.*.outputs.token` does not work. - name: Generate GitHub App installation token id: app-token - if: ${{ secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '' }} + if: env.HAS_APP_CREDS == 'true' uses: actions/create-github-app-token@v3 with: client-id: ${{ secrets.GH_APP_CLIENT_ID }} @@ -65,10 +68,12 @@ jobs: custom-allsigned-prcomment: "****CLA Assistant Lite bot**** All contributors have signed the CLA ✍️ ✅" CodeOfConduct: runs-on: ubuntu-latest + env: + HAS_APP_CREDS: ${{ (secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '') && 'true' || 'false' }} steps: - name: Generate GitHub App installation token id: app-token - if: ${{ secrets.GH_APP_CLIENT_ID != '' && secrets.GH_APP_PRIVATE_KEY != '' }} + if: env.HAS_APP_CREDS == 'true' uses: actions/create-github-app-token@v3 with: client-id: ${{ secrets.GH_APP_CLIENT_ID }} 
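Review bot: The `HAS_APP_CREDS` env added to the CodeOfConduct job has no explanation, whereas the identical line in ContributorLicenseAgreement is preceded by `# \`secrets\` context is not allowed in step \`if:\` conditions; bridge via env.`; someone reading the COC job on its own cannot tell why a secret-presence check lives in job `env:` rather than on the step. Copy that comment above this job's `env:` as well. Since the mint step and the bridge are now duplicated verbatim across both jobs, a later change to one copy (pinning the action, narrowing its permissions) is likely to miss the other; a comment such as `# Keep in sync with the ContributorLicenseAgreement job above.` on both copies, or moving the shared steps into a local composite action, would reduce that drift. The job's remaining steps extend past this hunk.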
@@ -76,7 +81,7 @@ jobs: owner: splunk repositories: cla-agreement - name: "COC Assistant" - if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN || github.token }}