Repo sync

.github/workflows/changelog-agent.yml

@@ -45,11 +45,20 @@ jobs:
       )
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal,docs-content
+
       - name: Resolve PR data
         id: resolve_pr
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             let pr;
             if (context.eventName === 'workflow_dispatch') {
@@ -77,7 +86,7 @@ jobs:
         id: check_team
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const author = '${{ steps.resolve_pr.outputs.pr_author }}';
 
@@ -115,7 +124,7 @@ jobs:
         env:
           PR_BODY: ${{ steps.resolve_pr.outputs.pr_body }}
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const body = process.env.PR_BODY || '';
 
@@ -150,7 +159,7 @@ jobs:
         id: check_parent
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const issueNumber = parseInt('${{ steps.extract_issue.outputs.issue_number }}', 10);
 
@@ -231,7 +240,7 @@ jobs:
           PR_BODY: ${{ steps.resolve_pr.outputs.pr_body }}
           PR_URL: ${{ steps.resolve_pr.outputs.pr_url }}
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const prNumber = parseInt('${{ steps.resolve_pr.outputs.pr_number }}', 10);
             const prAuthor = '${{ steps.resolve_pr.outputs.pr_author }}';
@@ -272,7 +281,7 @@ jobs:
         id: check_existing
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const branchName = `changelog-agent-${{ steps.resolve_pr.outputs.pr_number }}`;
             const { data: pulls } = await github.rest.pulls.list({
@@ -295,7 +304,7 @@ jobs:
         id: read_examples
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             // Fetch changelog-internal.md from docs-content
             const { data } = await github.rest.repos.getContent({
@@ -420,7 +429,10 @@ jobs:
         uses: actions/ai-inference@17ff458cb182449bbb2e43701fcd98f6af8f6570 # v2.1.0
         with:
           provider: copilot
-          model: gpt-4.1
+          # No model is pinned: actions/ai-inference forwards --model to the
+          # Copilot CLI only when it differs from its GitHub Models default, so
+          # omitting it lets the CLI pick its own current default (latest Sonnet)
+          # and avoids breaking when a pinned slug (e.g. gpt-4.1) is retired.
           prompt-file: prompt.txt
           system-prompt-file: system-prompt.txt
           max-completion-tokens: 1000
@@ -462,7 +474,7 @@ jobs:
           PARENT_AUTHOR: ${{ steps.check_parent.outputs.parent_author }}
           PARENT_ASSIGNEES: ${{ steps.check_parent.outputs.parent_assignees }}
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const branchName = `changelog-agent-${{ steps.resolve_pr.outputs.pr_number }}`;
             const filePath = 'docs-content-docs/docs-content-workflows/changelog-internal.md';
@@ -623,7 +635,7 @@ jobs:
           PARENT_AUTHOR: ${{ steps.check_parent.outputs.parent_author }}
           PARENT_ASSIGNEES: ${{ steps.check_parent.outputs.parent_assignees }}
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const author = process.env.PR_AUTHOR;
             const changelogPrUrl = process.env.CHANGELOG_PR_URL;
@@ -718,7 +730,7 @@ jobs:
         if: steps.create_pr.outputs.changelog_pr_url != '' && inputs.dry_run != true
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const changelogPrUrl = '${{ steps.create_pr.outputs.changelog_pr_url }}';
             await github.rest.issues.createComment({

.github/workflows/count-translation-corruptions.yml

@@ -23,20 +23,29 @@ jobs:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal,docs-internal.es-es,docs-internal.ja-jp,docs-internal.pt-br,docs-internal.zh-cn,docs-internal.ru-ru,docs-internal.fr-fr,docs-internal.ko-kr,docs-internal.de-de
+
       - name: Checkout English repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       # It's important because translations are often a bit behind.
       # So if a translation is a bit behind, it might still be referencing
       # an asset even though none of the English content does.
       - name: Clone all translations
         uses: ./.github/actions/clone-translations
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/index-autocomplete-search.yml

@@ -27,12 +27,21 @@ jobs:
 
       - uses: ./.github/actions/node-npm-setup
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal,docs-internal-data
+
       - uses: ./.github/actions/setup-elasticsearch
         if: ${{ github.event_name == 'pull_request' }}
 
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
           repository: github/docs-internal-data
           path: docs-internal-data
 
@@ -53,4 +62,4 @@ jobs:
       - uses: ./.github/actions/create-workflow-failure-issue
         if: ${{ failure() && github.event_name == 'schedule' }}
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/index-general-search-pr.yml

@@ -39,12 +39,21 @@ jobs:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal-data
+
       - name: Clone docs-internal-data
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/docs-internal-data
           # This works because user `docs-bot` has read access to that private repo.
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
           path: docs-internal-data
 
       - uses: ./.github/actions/setup-elasticsearch

.github/workflows/orphaned-features-check.yml

@@ -25,27 +25,36 @@ jobs:
     if: ${{ github.repository == 'github/docs-internal' }}
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal,docs-internal.es-es,docs-internal.ja-jp,docs-internal.pt-br,docs-internal.zh-cn,docs-internal.ru-ru,docs-internal.fr-fr,docs-internal.ko-kr,docs-internal.de-de
+
       - name: Checkout English repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       # It's important because translations are often a bit behind.
       # So if a translation is a bit behind, it might still be referencing
       # a feature even though none of the English content does.
       - name: Clone all translations
         uses: ./.github/actions/clone-translations
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: ./.github/actions/node-npm-setup
 
       - name: Check for orphaned features
         env:
           # Needed for gh
-          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           DRY_RUN: ${{ github.event_name == 'pull_request'}}
         run: |
           set -e
@@ -109,4 +118,4 @@ jobs:
       - uses: ./.github/actions/create-workflow-failure-issue
         if: ${{ failure() && github.event_name == 'schedule' }}
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/orphaned-files-check.yml

@@ -29,27 +29,36 @@ jobs:
     if: ${{ github.repository == 'github/docs-internal' }}
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-internal,docs-internal.es-es,docs-internal.ja-jp,docs-internal.pt-br,docs-internal.zh-cn,docs-internal.ru-ru,docs-internal.fr-fr,docs-internal.ko-kr,docs-internal.de-de
+
       - name: Checkout English repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       # It's important because translations are often a bit behind.
       # So if a translation is a bit behind, it might still be referencing
       # an asset even though none of the English content does.
       - name: Clone all translations
         uses: ./.github/actions/clone-translations
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: ./.github/actions/node-npm-setup
 
       - name: Check for orphaned assets and reusables
         env:
           # Needed for gh
-          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           DRY_RUN: ${{ github.event_name == 'pull_request'}}
         run: |
           set -e
@@ -117,4 +126,4 @@ jobs:
       - uses: ./.github/actions/create-workflow-failure-issue
         if: ${{ failure() && github.event_name == 'schedule' }}
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/reviewers-content-systems.yml

@@ -32,13 +32,21 @@ jobs:
     runs-on: ubuntu-latest
     env:
       PR: ${{ github.event.pull_request.html_url }}
-      GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+
       - name: Add content systems as a reviewer
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         uses: ./.github/actions/retry-command
         with:
           command: gh pr edit $PR --add-reviewer github/docs-content-systems --add-label reviewers-content-systems

.github/workflows/reviewers-dependabot.yml

@@ -33,13 +33,21 @@ jobs:
     runs-on: ubuntu-latest
     env:
       PR: ${{ github.event.pull_request.html_url }}
-      GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+
       - name: Add dependabot as a reviewer
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         uses: ./.github/actions/retry-command
         with:
           command: gh pr edit $PR --add-reviewer github/dependabot-updates-reviewers --add-label reviewers-dependabot

.github/workflows/reviewers-docs-engineering.yml

@@ -45,18 +45,26 @@ jobs:
     runs-on: ubuntu-latest
     env:
       PR: ${{ github.event.pull_request.html_url }}
-      GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+
       # Detect PRs that only changed package-lock.json (no engineering source files).
       # These are usually cross-platform `npm install` churn from contributors
       # editing content. We comment with reset instructions instead of pulling in
       # docs-engineering for review.
       - name: Detect lockfile-only churn
         id: detect
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           changed=$(gh pr diff "$PR" --name-only)
           echo "Changed files:"
@@ -71,6 +79,8 @@ jobs:
 
       - name: Comment and label lockfile-only PRs
         if: steps.detect.outputs.lockfile_only == 'true'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           cat > /tmp/lockfile-churn-body.md <<'EOF'
           _Posted by Copilot on behalf of docs-engineering._
@@ -90,6 +100,8 @@ jobs:
 
       - name: Add docs engineering as a reviewer
         if: steps.detect.outputs.lockfile_only != 'true'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         uses: ./.github/actions/retry-command
         with:
           command: gh pr edit $PR --add-reviewer github/docs-engineering --add-label reviewers-docs-engineering