Use App for Integration Test Check Runs (#4563)

rauchy · web-flow · commit 8c7ec3ba78cf · 2026-03-17T11:24:39.000Z
The "mark as pending" job in the integration test workflow has been
broken since late January. The nightly run fails with:

```
gh: Invalid app_id `15368` - check run can only be modified by the GitHub App that created it. (HTTP 403)
```

The "Auto-approve for merge group" and "Skip integration tests" steps in
`push.yml` create "Integration Tests" checks using
`actions/github-script`, which runs under the built-in `GITHUB_TOKEN` —
the `github-actions` app (ID 15368). When that same commit lands on main
and triggers the nightly, the `update-check` action in eng-dev-ecosystem
tries to update that check using the `DECO_TEST_APPROVAL` app token.
GitHub's Checks API rejects this because only the app that created a
check can modify it.

This PR generates a `DECO_TEST_APPROVAL` token for both steps and passes
it via `github-token` to `actions/github-script`, so checks are created
by the same app that later updates them.

---------

Co-authored-by: Omer Lachish &lt;rauchy@users.noreply.github.com&gt;
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -394,6 +394,19 @@ jobs:
           owner: ${{ secrets.ORG_NAME }}
           repositories: ${{ secrets.REPO_NAME }}
 
+      - name: Generate GitHub App Token (check runs)
+        if: >-
+          (github.event_name == 'merge_group') ||
+          (github.event_name == 'pull_request' && !contains(fromJSON(needs.testmask.outputs.targets), 'test'))
+        id: generate-check-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.DECO_TEST_APPROVAL_APP_ID }}
+          private-key: ${{ secrets.DECO_TEST_APPROVAL_PRIVATE_KEY }}
+          # DECO_TEST_APPROVAL is installed on the databricks org (not databricks-eng).
+          owner: databricks
+          repositories: cli
+
       # Trigger integration tests if the primary "test" target is triggered by this change.
       - name: Trigger integration tests (pull request)
         if: ${{ github.event_name == 'pull_request' && (contains(fromJSON(needs.testmask.outputs.targets), 'test') || contains(fromJSON(needs.testmask.outputs.targets), 'test-exp-ssh')) }}
@@ -411,6 +424,7 @@ jobs:
         if: ${{ github.event_name == 'pull_request' && !contains(fromJSON(needs.testmask.outputs.targets), 'test') && !contains(fromJSON(needs.testmask.outputs.targets), 'test-exp-ssh') }}
         uses: actions/github-script@v8
         with:
+          github-token: ${{ steps.generate-check-token.outputs.token }}
           script: |
             await github.rest.checks.create({
               owner: context.repo.owner,
@@ -431,6 +445,7 @@ jobs:
         if: ${{ github.event_name == 'merge_group' }}
         uses: actions/github-script@v8
         with:
+          github-token: ${{ steps.generate-check-token.outputs.token }}
           script: |
             await github.rest.checks.create({
               owner: context.repo.owner,
