From 789d1616fac976f15e44eae364442fc47cad381e Mon Sep 17 00:00:00 2001
From: Rafael Garcia
Date: Mon, 9 Feb 2026 18:27:55 -0500
Subject: [PATCH 1/2] fix: use kernel-internal app token in update-cli-coverage workflow

---
 .github/workflows/update-cli-coverage.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/update-cli-coverage.yml b/.github/workflows/update-cli-coverage.yml
index 604d4fe..9faef53 100644
--- a/.github/workflows/update-cli-coverage.yml
+++ b/.github/workflows/update-cli-coverage.yml
@@ -20,11 +20,18 @@ jobs:
 update-cli-coverage:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate app token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.ADMIN_APP_ID }}
+ private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
+
 - name: Get PR info for manual dispatch
 id: pr-info
 if: github.event_name == 'workflow_dispatch'
 env:
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 if [ -n "${{ inputs.pr_number }}" ]; then
 # Use provided PR number
@@ -71,8 +78,8 @@ jobs:
 
 - name: Configure git identity
 run: |
- git config --global user.name "Cursor Agent"
- git config --global user.email "cursor-agent@kernel.sh"
+ git config --global user.name "kernel-internal[bot]"
+ git config --global user.email "260533166+kernel-internal[bot]@users.noreply.github.com"
 
 - name: Setup Go
 uses: actions/setup-go@v6
@@ -81,13 +88,13 @@ jobs:
 
 - name: Clone API repo
 env:
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 gh repo clone kernel/kernel /tmp/kernel-api -- --depth=1
 
 - name: Clone CLI repo and checkout existing branch
 env:
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 gh repo clone kernel/cli /tmp/kernel-cli
 cd /tmp/kernel-cli
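Review bot: The new `Generate app token` step pins `actions/create-github-app-token` to the mutable `v1` tag while passing it `secrets.ADMIN_APP_PRIVATE_KEY`, so whatever commit that tag resolves to at run time receives the app's private key. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # v1`. The resulting token also replaces `secrets.GH_TOKEN` in the PR-info step here and in both clone steps of the `@@ -81,13 +88,13 @@` hunk; the secret names suggest an admin-level app, so it is worth confirming the installation's permissions are no wider than the clone and push operations need. The `run:` script of the PR-info step continues outside the hunk.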
@@ -132,7 +139,7 @@ jobs:
 - name: Update CLI coverage
 env:
 CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 BRANCH_PREFIX: cli-coverage-update
 run: |
 cursor-agent -p "You are a CLI updater that implements missing CLI commands based on SDK updates.

From f717f2daf5ec5e6ca4c1bc5878f37201ed5a06e0 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Tue, 10 Feb 2026 00:00:23 +0000
Subject: [PATCH 2/2] Fix app token scope to grant cross-repo access to kernel org repos

The actions/create-github-app-token step was generating a token scoped only to the current repository, but the workflow needs to clone and push to kernel/kernel and kernel/cli. Adding 'owner: kernel' grants the token access to all repos the app is installed on in the kernel organization.

Applied via @cursor push command
---
 .github/workflows/update-cli-coverage.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/update-cli-coverage.yml b/.github/workflows/update-cli-coverage.yml
index 9faef53..4e097c0 100644
--- a/.github/workflows/update-cli-coverage.yml
+++ b/.github/workflows/update-cli-coverage.yml
@@ -26,6 +26,7 @@ jobs:
 with:
 app-id: ${{ secrets.ADMIN_APP_ID }}
 private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
+ owner: kernel
 
 - name: Get PR info for manual dispatch
 id: pr-info
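Review bot: In the `Update CLI coverage` step (the `@@ -132,7 +139,7 @@` hunk) the app token is exported as `GH_TOKEN` into the environment of `cursor-agent`, so an LLM-driven agent that reads repository content runs holding the same credential used by every other step in the job. Anything in the cloned repos that the agent ends up treating as an instruction would be acted on with that token's full reach. Consider minting a separate token for this step from a second `actions/create-github-app-token` call restricted to the one repository the agent pushes to, and referencing it as `GH_TOKEN: ${{ steps.<agent-token-step-id>.outputs.token }}` (the step id is a placeholder). The prompt passed to `cursor-agent -p` continues outside the hunk, so what the agent is permitted to do with `gh` cannot be judged from the visible lines.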
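Review bot: Adding `owner: kernel` without a `repositories` input (the `@@ -26,6 +26,7 @@` hunk) makes the token valid for every repository the app is installed on in the organization, which is wider than the two repositories the commit message says the workflow needs. Add `repositories: kernel,cli` next to `owner: kernel` (plus this repository's name if the PR-info step queries it) so that a leaked or misused token is limited to those repos. This matters more here because the same token is later handed to the `cursor-agent` step. The step that this `with:` block belongs to starts outside the hunk.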