[BRE-1670] replace PAT tokens with app token

[AmyLGalles]

🎟️ Tracking

BRE-1670

📔 Objective

Updating github workflows that use PAT to use bot token or GITHUB_TOKEN instead.

In some cases, the PAT token was being used for simple repo actions that didn't require further authentication, such as reading from or cloning a public repository.

For signing commits to other repos, actions/checkout native signing is available

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 87999298-6996-44c1-96c2-87d034ea5721

---

Fixed Issues (3)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97
	CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.75%. Comparing base (d9aef5c) to head (0fa6634).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7434   +/-   ##
=======================================
  Coverage   58.75%   58.75%           
=======================================
  Files        2071     2071           
  Lines       91252    91252           
  Branches     8130     8130           
=======================================
  Hits        53611    53611           
  Misses      35726    35726           
  Partials     1915     1915           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AmyLGalles]

@claude review this

[claude]

Claude finished @AmyLGalles's task in 1m 45s —— View job

---

Code Review: BRE-1670 Replace PAT tokens with app token

• Gather context and read changed files
• Review _move_edd_db_scripts.yml
• Review cleanup-rc-branch.yml
• Post review findings

---

Overall this is a clean and well-structured PR. The migration from PAT to GitHub App tokens follows a good pattern. A few observations:

_move_edd_db_scripts.yml

Positive changes:

• Removing Azure login / PAT retrieval from the setup job is correct — checking out a public repo for read-only access doesn't need a special token. Nice simplification.
• Splitting secret retrieval into two steps (Slack from bitwarden-ci, app creds from gh-org-bitwarden) is clean.
• Replacing manual GPG signing + git commit/push with bitwarden/gh-actions/api-commit@main is a good consolidation — fewer secrets to manage and a consistent signing approach.
• Pushing the branch immediately after creation (lines 100-101) before moving files is necessary for the API-based commit to work, since the branch must exist on the remote. Good call.
• Typo fix ommited → omitted — nice catch.

One question to verify:

• ⚠️ api-commit action behavior (lines 165-171): The workflow modifies files locally via shell commands (mv, rsync, sed, rm) and then delegates the commit to bitwarden/gh-actions/api-commit@main. This action presumably detects local working tree changes and commits them via the GitHub API. Since this is the first use of api-commit in this repo, it would be good to confirm it handles the full set of changes (file moves, deletions, content modifications) correctly — especially the rm -rf of src/Sql/dbo_finalization/* contents.

cleanup-rc-branch.yml

Positive changes:

• Straightforward swap from PAT to app token — minimal and correct.

Pre-existing observation (not introduced by this PR):

• ℹ️ persist-credentials: false + git push (lines 46, 68): The checkout uses persist-credentials: false, but the "Delete RC branch" step runs git push origin --delete. With persist-credentials: false, git credentials are cleaned up after checkout, which would normally prevent authenticated push operations. This was the same before this PR, so it's pre-existing and presumably working — but worth keeping in mind if this workflow ever breaks.

Summary

Looks good to me. The token migration is clean and the workflow logic is preserved. The only thing I'd want to validate is that api-commit handles the full range of file operations (moves + deletions + content edits) that the EDD script workflow performs.

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud