
fix(tuist-ops): use GitHub App tokens for previews

GitHub issue · Closed

Metadata
Source
tuist/tuist #11457
Updated
Jun 24, 2026
Domains
Atlas
Details

Resolves N/A

What changed

This changes preview workflow calls in tuist-ops to use a GitHub App installation token instead of the long-lived GITHUB_ACTIONS_TOKEN value.

The new TuistOps.GitHub.AppToken module:

  • reads the GitHub App identifier, installation identifier, and private key from the runtime environment
  • signs an app token and exchanges it for a short-lived installation token
  • caches the installation token until shortly before its GitHub expiry
  • accepts private keys stored with real newlines or escaped newlines

The preview GitHub Actions client now asks that module for its bearer token before dispatching or polling preview workflow runs. The Helm chart now maps github_app_id, github_app_installation_id, and github_app_private_key from the existing TUIST_OPS_BOT 1Password item.
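The flow the module above describes, written out as an added example by the editor; it is not code from tuist-ops (which is Elixir) and is in Go only so it runs with the standard library. The names AppToken, ParseAppKey, AppJWT and the five-minute refreshMargin are this example's assumptions, as is the injectable Now clock; the App JWT claims, the POST /app/installations/{id}/access_tokens exchange, the 201 response with token and expires_at, and the escaped-newline key handling follow GitHub's documented App authentication.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// NormalizePEM accepts a key stored with real newlines or the literal two-character "\n".
func NormalizePEM(s string) string { return strings.ReplaceAll(s, `\n`, "\n") }

// ParseAppKey parses the PKCS#1 RSA private key GitHub issues for an App.
func ParseAppKey(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(NormalizePEM(pemText)))
	if block == nil {
		return nil, fmt.Errorf("no PEM block in GitHub App private key")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppJWT builds the RS256 JWT that authenticates as the App itself: iss is the app id,
// iat sits 60s in the past for clock skew, exp stays under GitHub's 10-minute cap.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{
		"iss": appID, "iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix(),
	})
	input := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// refreshMargin: re-mint this long before expires_at (the exact margin is an assumption).
const refreshMargin = 5 * time.Minute

// AppToken mints and caches installation tokens; names and layout are this example's own.
type AppToken struct {
	AppID, InstallationID, APIBase string
	Key                            *rsa.PrivateKey
	Now                            func() time.Time // injectable clock
	Client                         *http.Client
	mu                             sync.Mutex
	token                          string
	expiresAt                      time.Time
}

// Token returns the cached installation token, or exchanges a fresh App JWT for a
// new one when the cache is empty or within refreshMargin of GitHub's expiry.
func (a *AppToken) Token() (string, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	now := a.Now()
	if a.token != "" && now.Before(a.expiresAt.Add(-refreshMargin)) {
		return a.token, nil
	}
	jwt, err := AppJWT(a.AppID, a.Key, now)
	if err != nil {
		return "", err
	}
	url := a.APIBase + "/app/installations/" + a.InstallationID + "/access_tokens"
	req, _ := http.NewRequest(http.MethodPost, url, nil) // only fails on a malformed URL
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := a.Client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("access_tokens returned HTTP %d", resp.StatusCode)
	}
	var body struct {
		Token     string    `json:"token"`
		ExpiresAt time.Time `json:"expires_at"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	a.token, a.expiresAt = body.Token, body.ExpiresAt
	return a.token, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, demo only
	jwt, _ := AppJWT("12345", key, time.Now())
	fmt.Println(jwt)
}
```

The cache is keyed on GitHub's own expires_at rather than a local TTL, so a clock that drifts cannot hand out a token GitHub already considers dead; the App JWT itself is never cached because it is cheap to sign and only ever authenticates the exchange call.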

Why

Preview requests were failing while publishing progress back to Slack because the existing token authenticated as the shared tuistit user and hit GitHub’s user-level rate limit. Re-minting the same kind of token did not help, because the limit follows the authenticated user rather than the string value of the token.

Root cause

tuist-ops used one long-lived personal token for preview workflow dispatch and run polling. That made preview provisioning share rate-limit capacity with every other use of the same GitHub user.

Approach

A GitHub App installation token is the standard fit here because it is scoped to the installed app and repository permissions, it is short lived, and it avoids coupling preview operations to a human or shared bot user’s rate-limit bucket.

The implementation keeps the current GitHub Actions workflow boundary intact. tuist-ops still does not carry workload-cluster credentials. It only dispatches and reads the existing preview-deploy.yml workflow.

Impact

New preview requests need the TUIST_OPS_BOT 1Password item to contain the GitHub App fields before deployment. Once deployed, preview workflow calls should use the app installation’s quota and permissions instead of the tuistit user’s quota.

Validation

  • cd tuist-ops && mix test
  • cd tuist-ops && mix credo --strict lib/tuist_ops/github/app_token.ex lib/tuist_ops/previews/github_actions_client.ex
  • helm template tuist-ops infra/helm/tuist-ops -f infra/helm/tuist-ops/values-managed-production.yaml --set image.tag=sha-test
  • git diff --check

How to test locally

Run the validation commands above. To exercise the live path, configure the GitHub App fields in TUIST_OPS_BOT, deploy tuist-ops, and request a preview from Slack.

Comments

No GitHub comments yet.