Enable Secure Cross-Repository Writes to eclipse-score/bazel-registry Using GitHub App Token with Org-Wide Secrets

Summary

Enable automation in other eclipse-score repositories to write to the bazel-registry repository (via GitHub Actions workflows) using a short-lived GitHub App token instead of a long-lived personal access token.

Steps to reproduce

Set up a GitHub Action workflow in a repository (e.g., tooling) that needs to publish to eclipse-score/bazel-registry.

Configure the workflow to authenticate using a GitHub App with appropriate permissions and access.

What is the current bug behavior?

No secure mechanism is currently in place to allow cross-repository writes to eclipse-score/bazel-registry using a GitHub App token.

  • A GitHub App (e.g., bazel-registry-repo-publisher) should be created and installed in the eclipse-score organization.

  • The app should be granted access to the target repositories and have:

    • Write permission on contents

    • Pull request permission

  • Two organization-level secrets should be configured:

    • GH_APP_ID – the numeric ID of the GitHub App

    • GH_APP_PRIVATE_KEY – the contents of the generated .pem key

What is the expected correct behavior?

  • Use a GitHub App (e.g., bazel-registry-repo-publisher) installed in the eclipse-score org and on target repositories.

  • Generate short-lived GitHub App tokens in the workflow.

  • Use those tokens to push commits or open PRs in eclipse-score/bazel-registry.
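The two lists above describe one procedure: install the App with contents:write and pull-requests:write, store GH_APP_ID and GH_APP_PRIVATE_KEY as organization secrets, mint a short-lived installation token in the workflow, and use it to push a branch and open a PR. The workflow below is an added example of that flow as it would live in a publishing repository such as tooling; it is not code from this issue or from the eclipse-score repositories. It assumes the App is installed on bazel-registry, that the two org secrets are visible to the publishing repository, and that `main` is the registry's default branch; the module path written into the registry and the commit identity are placeholders.

```yaml
# Added example (not from the eclipse-score issue or repos): a workflow in a
# publishing repository that mints a short-lived GitHub App token and uses it to
# open a pull request against eclipse-score/bazel-registry.
# Assumed: the App is installed on bazel-registry with contents:write and
# pull-requests:write, and the org secrets GH_APP_ID / GH_APP_PRIVATE_KEY are
# shared with this repository. The module path and commit identity are placeholders.
name: Publish module to bazel-registry

on:
  release:
    types: [published]

# Least privilege for the built-in GITHUB_TOKEN: the cross-repo write uses the
# App token, so the job itself only needs read access to its own repository.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # 1. Mint an installation token. It is scoped to the one repository named
      #    below and expires after one hour; the .pem private key never leaves
      #    the secret store and is never written to the checkout.
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          owner: eclipse-score
          repositories: bazel-registry

      # 2. Check out the registry with the App token rather than GITHUB_TOKEN,
      #    which has no rights on another repository.
      - name: Check out bazel-registry
        uses: actions/checkout@v4
        with:
          repository: eclipse-score/bazel-registry
          token: ${{ steps.app-token.outputs.token }}
          path: registry

      # 3. Stage the change on a release-specific branch. The file written here
      #    is a placeholder for whatever the publishing repository generates.
      - name: Stage release entry
        id: stage
        working-directory: registry
        env:
          TAG: ${{ github.event.release.tag_name }}
          MODULE: ${{ github.event.repository.name }}
        run: |
          set -euo pipefail
          branch="publish/${MODULE}-${TAG}"
          git switch -c "$branch"
          mkdir -p "modules/${MODULE}/${TAG}"
          echo "placeholder entry for ${MODULE} ${TAG}" > "modules/${MODULE}/${TAG}/RELEASE_NOTES.txt"
          # Placeholder commit identity; use the App's bot identity in practice.
          git config user.name "bazel-registry-repo-publisher[bot]"
          git config user.email "publisher-bot@example.invalid"
          git add .
          git commit -m "Publish ${MODULE} ${TAG}"
          git push origin "$branch"
          echo "branch=$branch" >> "$GITHUB_OUTPUT"

      # 4. Open the PR with the same short-lived token. Branch protection on
      #    bazel-registry still applies to the App's pushes and pull requests.
      - name: Open pull request
        working-directory: registry
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          MODULE: ${{ github.event.repository.name }}
          TAG: ${{ github.event.release.tag_name }}
          SOURCE: ${{ github.repository }}
          BRANCH: ${{ steps.stage.outputs.branch }}
        run: |
          gh pr create \
            --repo eclipse-score/bazel-registry \
            --head "$BRANCH" \
            --base main \
            --title "Publish ${MODULE} ${TAG}" \
            --body "Automated publish from ${SOURCE} release ${TAG}."
```

Two properties of this design are worth checking when reviewing the App configuration: the `repositories:` input limits the minted token to bazel-registry even if the App is installed more broadly, and the token's one-hour lifetime means a leaked job log or artifact exposes far less than a long-lived PAT would. The org secrets should likewise be restricted to the repositories that actually publish, not made visible org-wide.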

Relevant logs and/or screenshots

(Add a link to or paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)

Priority

  • Urgent
  • High
  • Medium
  • Low

Severity

  • Blocker
  • Major
  • Normal
  • Low

Impact

This is necessary to support secure and automated updates to the bazel-registry from other repositories within eclipse-score (e.g., triggered on release events). It enables decoupled and safe continuous delivery workflows.

Edited by Dan Calavrezo