From c13bf13f7d00012c0d555455c558a79c1cf2b947 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Sat, 4 Apr 2026 09:11:06 +0300
Subject: [PATCH 1/2] Switch to using app_id and key for Claude GitHub commands

---
 ...ft-microshift-claude-ci-doctor-commands.sh | 34 ++++++++++++++++---
 ...shift-microshift-claude-ci-doctor-ref.yaml | 10 +++---
 2 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
index 1978838a2523c..e71329cfa4545 100644
--- a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
+++ b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
@@ -9,6 +9,31 @@ mkdir -p "${WORKDIR}"
 CLAUDE_HOME="/home/claude/.claude"
 mkdir -p "${CLAUDE_HOME}"

+generate_github_token() {
+ local -r app_ver="2.0.8"
+ local -r app_sha="867d9ebf7dd18e67e2599f0f890f3f41b8673e88c4394a32a05476024c41ea0f"
+ local -r app_exe="/tmp/gh-token-${app_ver}"
+
+ # Install a GitHub CLI extension to generate tokens for GitHub Apps
+ curl -sSL https://github.com/Link-/gh-token/releases/download/v${app_ver}/linux-amd64 -o "${app_exe}"
+ if ! echo "${app_sha} ${app_exe}" | sha256sum -c -; then
+ echo "ERROR: Failed to verify GitHub CLI extension checksum"
+ exit 1
+ fi
+ chmod +x "${app_exe}"
+
+ # Generate a GitHub token for the GitHub App
+ GITHUB_TOKEN="$("${app_exe}" generate --app-id "$(< "${GITHUB_APP_ID_PATH}")" --key "${GITHUB_KEY_PATH}" | jq -r '.token')"
+ if [ -z "${GITHUB_TOKEN}" ]; then
+ echo "ERROR: Failed to generate GitHub token"
+ exit 1
+ fi
+ rm -f "${app_exe}"
+
+ export GITHUB_TOKEN
+ echo "GitHub token generated."
+}
+
 load_secrets() {
 # Disable command tracing to prevent leaking credentials in logs
 # and restore it after the secrets are loaded
@@ -16,12 +41,11 @@ load_secrets() {
 set +x
 echo "Loading secrets..."

- if [ -f "${GITHUB_TOKEN_PATH}" ]; then
- GITHUB_TOKEN=$(cat "${GITHUB_TOKEN_PATH}")
- export GITHUB_TOKEN
- echo "GitHub token loaded."
+ if [ -f "${GITHUB_APP_ID_PATH}" ] && [ -f "${GITHUB_KEY_PATH}" ]; then
+ generate_github_token
+ echo "GitHub token configured from GitHub App credentials."
 else
- echo "WARNING: GitHub token not found at ${GITHUB_TOKEN_PATH}. GitHub operations will not be available."
+ echo "WARNING: GitHub App credentials not found at ${GITHUB_APP_ID_PATH} and ${GITHUB_KEY_PATH}. GitHub operations will not be available."
 fi

 if [ -f "${JIRA_API_TOKEN_PATH}" ]; then
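Review bot: The download step in `generate_github_token` runs `curl -sSL` without `--fail` and writes to the fixed path `/tmp/gh-token-${app_ver}`, so an HTTP error only surfaces indirectly as a checksum failure, and both `exit 1` paths leave the file behind because `rm -f "${app_exe}"` comes after them. The pinned SHA-256 check before `chmod +x` is the right control and should stay. I would use `curl -fsSL`, create the target with `app_exe="$(mktemp)"` (assigned on its own line so a mktemp failure is not masked by `local`), and remove the file on the error paths as well; the fixed name matters mainly if anything else in the pod can write to `/tmp` between the checksum and the execution, which is not visible here. The same lines are moved unchanged into `load_secrets` by PATCH 2/2, so the point applies to that hunk too.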
diff --git a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-ref.yaml b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-ref.yaml
index 25e3b81cde606..78b7ff5e5dd53 100644
--- a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-ref.yaml
+++ b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-ref.yaml
@@ -10,8 +10,8 @@ ref:
 name: sa-claude-openshift-ci
 mount_path: /var/run/claude-code-service-account
 - namespace: test-credentials
- name: claude-payload-agent-github-token
- mount_path: /var/run/github-token
+ name: pr-creds
+ mount_path: /var/run/pr-creds
 - namespace: test-credentials
 name: microshift-dev-access-keys
 mount_path: /var/run/microshift-dev-access-keys
@@ -26,8 +26,10 @@ ref:
 default: "/var/run/claude-code-service-account/token"
 - name: CLAUDE_MODEL
 default: "claude-opus-4-6[1m]"
- - name: GITHUB_TOKEN_PATH
- default: "/var/run/github-token/token"
+ - name: GITHUB_APP_ID_PATH
+ default: "/var/run/pr-creds/app_id"
+ - name: GITHUB_KEY_PATH
+ default: "/var/run/pr-creds/key.pem"
 - name: JIRA_API_TOKEN_PATH
 default: "/var/run/microshift-dev-access-keys/jira_token"
 - name: JIRA_USERNAME_PATH

From 4a4f5dd5db46ceaecefc55d06b6c4126fe460ecd Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Sun, 5 Apr 2026 12:39:29 +0300
Subject: [PATCH 2/2] Move generate_github_token function code into load_secrets

---
 ...ft-microshift-claude-ci-doctor-commands.sh | 49 +++++++++----------
 1 file changed, 22 insertions(+), 27 deletions(-)

diff --git a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
index e71329cfa4545..9dffe3f350682 100644
--- a/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
+++ b/ci-operator/step-registry/openshift/microshift/claude/ci-doctor/openshift-microshift-claude-ci-doctor-commands.sh
@@ -9,31 +9,6 @@ mkdir -p "${WORKDIR}"
 CLAUDE_HOME="/home/claude/.claude"
 mkdir -p "${CLAUDE_HOME}"

-generate_github_token() {
- local -r app_ver="2.0.8"
- local -r app_sha="867d9ebf7dd18e67e2599f0f890f3f41b8673e88c4394a32a05476024c41ea0f"
- local -r app_exe="/tmp/gh-token-${app_ver}"
-
- # Install a GitHub CLI extension to generate tokens for GitHub Apps
- curl -sSL https://github.com/Link-/gh-token/releases/download/v${app_ver}/linux-amd64 -o "${app_exe}"
- if ! echo "${app_sha} ${app_exe}" | sha256sum -c -; then
- echo "ERROR: Failed to verify GitHub CLI extension checksum"
- exit 1
- fi
- chmod +x "${app_exe}"
-
- # Generate a GitHub token for the GitHub App
- GITHUB_TOKEN="$("${app_exe}" generate --app-id "$(< "${GITHUB_APP_ID_PATH}")" --key "${GITHUB_KEY_PATH}" | jq -r '.token')"
- if [ -z "${GITHUB_TOKEN}" ]; then
- echo "ERROR: Failed to generate GitHub token"
- exit 1
- fi
- rm -f "${app_exe}"
-
- export GITHUB_TOKEN
- echo "GitHub token generated."
-}
-
 load_secrets() {
 # Disable command tracing to prevent leaking credentials in logs
 # and restore it after the secrets are loaded
@@ -42,8 +17,28 @@ load_secrets() {
 echo "Loading secrets..."

 if [ -f "${GITHUB_APP_ID_PATH}" ] && [ -f "${GITHUB_KEY_PATH}" ]; then
- generate_github_token
- echo "GitHub token configured from GitHub App credentials."
+ local -r app_ver="2.0.8"
+ local -r app_sha="867d9ebf7dd18e67e2599f0f890f3f41b8673e88c4394a32a05476024c41ea0f"
+ local -r app_exe="/tmp/gh-token-${app_ver}"
+
+ # Install a GitHub CLI extension to generate tokens for GitHub Apps
+ curl -sSL https://github.com/Link-/gh-token/releases/download/v${app_ver}/linux-amd64 -o "${app_exe}"
+ if ! echo "${app_sha} ${app_exe}" | sha256sum -c -; then
+ echo "ERROR: Failed to verify GitHub CLI extension checksum"
+ exit 1
+ fi
+ chmod +x "${app_exe}"
+
+ # Generate a GitHub token for the GitHub App
+ GITHUB_TOKEN="$("${app_exe}" generate --app-id "$(< "${GITHUB_APP_ID_PATH}")" --key "${GITHUB_KEY_PATH}" | jq -r '.token')"
+ if [ -z "${GITHUB_TOKEN}" ] || [ "${GITHUB_TOKEN}" = "null" ]; then
+ echo "ERROR: Failed to generate GitHub token"
+ exit 1
+ fi
+ rm -f "${app_exe}"
+
+ export GITHUB_TOKEN
+ echo "GitHub token generated."
 else
 echo "WARNING: GitHub App credentials not found at ${GITHUB_APP_ID_PATH} and ${GITHUB_KEY_PATH}. GitHub operations will not be available."
 fi
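Review bot: The value exported as `GITHUB_TOKEN` in this branch of `load_secrets` is a GitHub App installation token, which GitHub expires after one hour, and it is generated once with nothing visible here to refresh it. If the ci-doctor step can run longer than that, later GitHub operations would fail with authentication errors, which the static token it replaces did not do; a comment such as `# Installation tokens expire after 1 hour; regenerate before long-running GitHub operations` would at least record the limit. `generate` is also called with only `--app-id` and `--key`, so the choice of installation is left to the tool; if the App is installed on more than one account, selecting the installation explicitly would keep the token's reach predictable. `load_secrets` starts before this hunk and continues after it.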