feat: fetch GitHub App credentials from AWS Secrets Manager via OIDC

Replace org-secret lookups with OIDC + Secrets Manager in all reusable
consumer-facing workflows. Each affected job now:

1. Assumes the docker-agent-action IAM role via OIDC (id-token: write)
2. Fetches { app_id, private_key, org_membership_token } from the
   docker-agent-action/github-app Secrets Manager secret
3. Passes those values to downstream steps instead of inherited secrets

Affected workflows:
  - review-pr.yml       (auto-review, manual-review, reply-to-feedback jobs)
  - reply-to-feedback.yml (reply job)
  - pr-describe.yml     (generate-description job)
  - security-scan.yml   (security-scan job)
  - self-review-pr.yml  (auto-review, manual-review jobs)

HAS_APP_SECRETS env var changed from dynamic secret check to hardcoded
'true' — credentials are always available via Secrets Manager.

Existing secrets: declarations on workflow_call kept as required: false
for backward compatibility with consumer repos not yet migrated.

TODO_ROLE_ARN must be replaced with the actual IAM role ARN after the
Terraform in docker/infra-terraform is applied.

Assisted-By: docker-agent

refactor: remove HAS_APP_SECRETS — credentials are always available via OIDC

Assisted-By: docker-agent

Author: derekmisler

.github/workflows/pr-describe.yml

@@ -12,14 +12,37 @@ jobs:
     # Only run if comment contains /describe and is on a PR
     if: ${{ (github.event.issue.pull_request && contains(github.event.comment.body, '/describe')) }}
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
     permissions:
       contents: read
       pull-requests: write
       issues: write
       checks: write
+      id-token: write
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       - name: Check out Git repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
@@ -48,12 +71,11 @@ jobs:
       # Generate GitHub App token so actions appear as the custom app (optional - falls back to github.token)
       - name: Get GitHub App token
         id: app-token
-        if: env.HAS_APP_SECRETS == 'true'
         continue-on-error: true  # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Validate PR and add reaction
         id: validate_pr

.github/workflows/reply-to-feedback.yml

@@ -19,16 +19,45 @@ permissions:
   pull-requests: write
   issues: write
   actions: read # Required to download artifacts from the triggering run
+  id-token: write
 
 jobs:
   reply:
     # Only run if the triggering workflow succeeded (artifact was uploaded)
     if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read
+      id-token: write
 
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       # ----------------------------------------------------------------
       # Download artifact from the triggering workflow run
       # ----------------------------------------------------------------
@@ -157,7 +186,7 @@ jobs:
         env:
           USERNAME: ${{ steps.meta.outputs.author }}
         with:
-          github-token: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          github-token: ${{ steps.app-credentials.outputs.org-membership-token }}
           script: |
             const org = 'docker';
             const username = process.env.USERNAME;
@@ -301,13 +330,13 @@ jobs:
           ref: refs/pull/${{ steps.meta.outputs.pr_number }}/head
 
       - name: Generate GitHub App token
-        if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true'
         id: app-token
         continue-on-error: true
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Run reply
         if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true' && steps.checkout.outcome == 'success' && steps.thread.outcome == 'success'

.github/workflows/review-pr.yml

@@ -124,12 +124,39 @@ jobs:
         inputs.pr-number != ''
       )
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
     outputs:
       exit-code: ${{ steps.run-review.outputs.exit-code }}
 
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       - name: Get PR number
         id: get-pr
         shell: bash
@@ -167,7 +194,7 @@ jobs:
           PR_DRAFT: ${{ steps.pr-info.outputs.draft }}
           PR_AUTHOR: ${{ steps.pr-info.outputs.author }}
         with:
-          github-token: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          github-token: ${{ steps.app-credentials.outputs.org-membership-token }}
           script: |
             const org = '${{ inputs.auto-review-org }}';
 
@@ -216,13 +243,13 @@ jobs:
 
       # Generate GitHub App token for custom app identity (optional - falls back to github.token)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Run PR Review
         if: steps.membership.outputs.is_member == 'true'
@@ -254,17 +281,44 @@ jobs:
       startsWith(github.event.comment.body, '/review') &&
       (github.event.comment.user.type != 'Bot' || github.event.comment.user.login == 'docker-agent[bot]')
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
     outputs:
       exit-code: ${{ steps.run-review.outputs.exit-code }}
 
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       - name: Check if commenter is org member
         id: membership
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          github-token: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          github-token: ${{ steps.app-credentials.outputs.org-membership-token }}
           script: |
             const org = '${{ inputs.auto-review-org }}';
             const username = context.payload.comment.user.login;
@@ -303,13 +357,13 @@ jobs:
       # Generate GitHub App token first so the check run is created under the app's identity
       # (prevents GitHub from nesting it under unrelated pull_request-triggered workflows)
       - name: Generate GitHub App token
-        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Create check run
         if: steps.membership.outputs.is_member == 'true'
@@ -358,7 +412,7 @@ jobs:
           add-prompt-files: ${{ inputs.add-prompt-files }}
           model: ${{ inputs.model }}
           github-token: ${{ steps.app-token.outputs.token || github.token }}
-          trusted-bot-app-id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
+          trusted-bot-app-id: ${{ steps.app-credentials.outputs.app-id }}
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           openai-api-key: ${{ secrets.OPENAI_API_KEY }}
           google-api-key: ${{ secrets.GOOGLE_API_KEY }}
@@ -455,10 +509,37 @@ jobs:
       github.event.comment.in_reply_to_id &&
       github.event.comment.user.type != 'Bot'
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
 
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       - name: Check if reply is to agent comment
         id: check
         shell: bash
@@ -526,7 +607,7 @@ jobs:
         id: auth
         shell: bash
         env:
-          GH_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          GH_TOKEN: ${{ steps.app-credentials.outputs.org-membership-token }}
           ORG: ${{ inputs.auto-review-org }}
           USERNAME: ${{ github.event.comment.user.login }}
         run: |
@@ -682,13 +763,13 @@ jobs:
 
       # Generate GitHub App token for custom app identity (optional - falls back to github.token)
       - name: Generate GitHub App token
-        if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true' && env.HAS_APP_SECRETS == 'true'
+        if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true'
         id: app-token
         continue-on-error: true
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Run reply
         if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true'

.github/workflows/security-scan.yml

@@ -19,12 +19,35 @@ jobs:
   security-scan:
     name: Security Scan with Docker Agent
     runs-on: ubuntu-latest
-    env:
-      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
     permissions:
       contents: read
       issues: write
+      id-token: write
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: TODO_ROLE_ARN
+          aws-region: us-east-1
+
+      - name: Fetch GitHub App credentials from Secrets Manager
+        id: app-credentials
+        shell: bash
+        run: |
+          SECRET=$(aws secretsmanager get-secret-value \
+            --secret-id docker-agent-action/github-app \
+            --query SecretString --output text)
+          APP_ID=$(echo "$SECRET" | jq -r .app_id)
+          ORG_TOKEN=$(echo "$SECRET" | jq -r .org_membership_token)
+          PRIVATE_KEY=$(echo "$SECRET" | jq -r .private_key)
+          echo "::add-mask::$APP_ID"
+          echo "::add-mask::$ORG_TOKEN"
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "app-id=$APP_ID" >> $GITHUB_OUTPUT
+          echo "org-membership-token=$ORG_TOKEN" >> $GITHUB_OUTPUT
+          DELIM="$(openssl rand -hex 8)"
+          { echo "private-key<<$DELIM"; echo "$PRIVATE_KEY"; echo "$DELIM"; } >> $GITHUB_OUTPUT
+
       - name: Check out Git repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -33,12 +56,11 @@ jobs:
       # Generate GitHub App token so issues appear as the custom app (optional - falls back to github.token)
       - name: Get GitHub App token
         id: app-token
-        if: env.HAS_APP_SECRETS == 'true'
         continue-on-error: true  # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
         with:
-          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
-          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
+          app_id: ${{ steps.app-credentials.outputs.app-id }}
+          private_key: ${{ steps.app-credentials.outputs.private-key }}
 
       - name: Get commits from past week
         id: commits