From 9a680d94dc6af51f6cb1f0dad774d7c665e12c3e Mon Sep 17 00:00:00 2001
From: Bryan Thompson
Date: Mon, 13 Apr 2026 13:11:08 -0500
Subject: [PATCH] Use GitHub App token for PR creation

The anthropics org disables "Allow GitHub Actions to create and approve pull requests", so GITHUB_TOKEN cannot call gh pr create. Split the workflow: GITHUB_TOKEN pushes the branch, then the same GitHub App used by -internal's bump workflow (app-id 2812036) creates the PR. Prerequisite: app must be installed on this repo and the PEM secret (CLAUDE_DIRECTORY_BOT_PRIVATE_KEY) must exist in repo settings.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/bump-plugin-shas.yml | 37 +++++++++++++++++++-------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/bump-plugin-shas.yml b/.github/workflows/bump-plugin-shas.yml
index 0ca7832..4fb5d6e 100644
--- a/.github/workflows/bump-plugin-shas.yml
+++ b/.github/workflows/bump-plugin-shas.yml
@@ -88,27 +88,46 @@ jobs:
 bun .github/scripts/validate-marketplace.ts .claude-plugin/marketplace.json
 bun .github/scripts/check-marketplace-sorted.ts
- - name: Create pull request
+ - name: Push bump branch
 if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
- env:
- GH_TOKEN: ${{ github.token }}
+ id: push
 run: |
 branch="auto/bump-shas-$(date +%Y%m%d)"
- count="${{ steps.discover.outputs.count }}"
- names="${{ steps.discover.outputs.bumped_names }}"
+ echo "branch=$branch" >> "$GITHUB_OUTPUT"
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git checkout -b "$branch"
 git add .claude-plugin/marketplace.json
- git commit -m "Bump SHA pins for $count plugin(s)
+ git commit -m "Bump SHA pins for ${{ steps.discover.outputs.count }} plugin(s)
- Plugins: $names"
+ Plugins: ${{ steps.discover.outputs.bumped_names }}"
 git push -u origin "$branch"
+ # GITHUB_TOKEN cannot create PRs (org policy: "Allow GitHub Actions to
+ # create and approve pull requests" is disabled). Use the same GitHub App
+ # that -internal's bump workflow uses.
+ #
+ # Prerequisite: app 2812036 must be installed on this repo. The PEM
+ # secret must exist in this repo's settings (shared with -internal).
+ - name: Generate bot token
+ if: steps.push.outcome == 'success'
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: 2812036
+ private-key: ${{ secrets.CLAUDE_DIRECTORY_BOT_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+
+ - name: Create pull request
+ if: steps.push.outcome == 'success'
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
 gh pr create \
 --base main \
- --head "$branch" \
+ --head "${{ steps.push.outputs.branch }}" \
- --title "Bump SHA pins ($count plugins)" \
+ --title "Bump SHA pins (${{ steps.discover.outputs.count }} plugins)" \
 --body-file /tmp/bump-pr-body.md \
 --label sha-bump
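Review bot: The new `Generate bot token` step references `actions/create-github-app-token@v1`, a mutable tag, in a workflow whose whole job is pinning third-party code to commit SHAs; pin this one too, `uses: actions/create-github-app-token@<full-commit-sha> # v1`, so a moved tag cannot swap the code that receives `CLAUDE_DIRECTORY_BOT_PRIVATE_KEY` (the placeholder stands for the commit the team verifies). The hunk also splices `${{ }}` step outputs straight into `run:` text — the `--head`, `--title` and `Plugins:` lines — so the shell, not a variable assignment, is what receives them; passing them through `env:` and expanding as `"$BRANCH"`, `"$COUNT"`, `"$NAMES"` avoids the expression-injection pattern GitHub's hardening guidance warns about, and matters most for `bumped_names`, which looks like it is built from plugin names in marketplace.json rather than a fixed value. The minted installation token carries every permission the app has on this repo; if the action version you pin supports the `permission-*` inputs, narrowing to `permission-pull-requests: write` plus the read access `gh pr create` needs would limit what a leaked token can do. The enclosing job starts before the hunk, so its `permissions:` block is not visible here.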