From 7969a52a28c461c259ead767d7f41d2a4bf78111 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 15 Jul 2026 14:48:12 -0400 Subject: [PATCH 1/4] Fix app-id deprecation warning in check-linked-issue action Pass appId via client-id input; create-github-app-token deprecated app-id. GitHub accepts numeric App ID as JWT issuer, so no behavior change. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall --- .github/actions/check-linked-issue/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/check-linked-issue/action.yml b/.github/actions/check-linked-issue/action.yml index e5d616c..ad05ebd 100644 --- a/.github/actions/check-linked-issue/action.yml +++ b/.github/actions/check-linked-issue/action.yml @@ -50,7 +50,7 @@ runs: if: ${{ inputs.privateKey != '' }} uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 # zizmor: ignore[github-app,ref-version-mismatch] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping with: - app-id: ${{ inputs.appId }} + client-id: ${{ inputs.appId }} # accepts app ID or client ID; app-id input is deprecated private-key: ${{ inputs.privateKey }} owner: ${{ github.repository_owner }} # zizmor: ignore[github-app] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping From 67f319fb4a1f855c09be7f65269753066489961f Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 15 Jul 2026 14:52:13 -0400 Subject: [PATCH 2/4] Add clientId input, deprecate appId in check-linked-issue clientId takes precedence; appId kept as fallback for existing callers. deprecationMessage warns only when callers explicitly pass appId. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall --- .github/actions/check-linked-issue/README.md | 4 +++- .github/actions/check-linked-issue/action.yml | 9 ++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/actions/check-linked-issue/README.md b/.github/actions/check-linked-issue/README.md index df2beaf..93fbbdf 100644 --- a/.github/actions/check-linked-issue/README.md +++ b/.github/actions/check-linked-issue/README.md @@ -112,7 +112,9 @@ permissions: - `privateKey` (**required**): Private key for the `overture-check-linked-issue` GitHub App, used to generate an installation token for cross-repo GraphQL reads. Pass `${{ secrets.CHECK_LINKED_ISSUE_APP_PEM }}`. The value must include the full PEM block with a trailing newline. -- `appId` (optional): GitHub App ID. Defaults to `2932845` (the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue)) and does not normally need to be overridden. +- `clientId` (optional): GitHub App client ID. Takes precedence over `appId` when set. Does not normally need to be overridden. + +- `appId` (optional, **deprecated** — use `clientId`): GitHub App ID. Defaults to `2932845` (the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue)) and does not normally need to be overridden. - `minimumLinkedIssues` (optional): Minimum number of linked issues required for the PR. Default is `1`. Set this input to require more than one linked issue: diff --git a/.github/actions/check-linked-issue/action.yml b/.github/actions/check-linked-issue/action.yml index ad05ebd..8d3d1e7 100644 --- a/.github/actions/check-linked-issue/action.yml +++ b/.github/actions/check-linked-issue/action.yml @@ -10,10 +10,17 @@ inputs: description: Minimum number of linked issues required required: false default: 1 + clientId: + description: > + GitHub App client ID used to generate an installation token for + cross-repo linked issue reads. Takes precedence over appId. + required: false + default: "" appId: description: GitHub App ID used to generate an installation token for cross-repo linked issue reads required: false default: "2932845" #https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue + deprecationMessage: Use 'clientId' instead. privateKey: description: > GitHub App private key used to generate an installation token. @@ -50,7 +57,7 @@ runs: if: ${{ inputs.privateKey != '' }} uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 # zizmor: ignore[github-app,ref-version-mismatch] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping with: - client-id: ${{ inputs.appId }} # accepts app ID or client ID; app-id input is deprecated + client-id: ${{ inputs.clientId || inputs.appId }} # accepts client ID or numeric app ID private-key: ${{ inputs.privateKey }} owner: ${{ github.repository_owner }} # zizmor: ignore[github-app] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping From 7d7f46a59eb85577445a352aea666a8fc4d28d6d Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 15 Jul 2026 14:52:52 -0400 Subject: [PATCH 3/4] Replace appId input with clientId in check-linked-issue Numeric App ID still works as the value; GitHub accepts either as JWT issuer. Default unchanged (2932845). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall --- .github/actions/check-linked-issue/README.md | 4 +--- .github/actions/check-linked-issue/action.yml | 10 +++------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/actions/check-linked-issue/README.md b/.github/actions/check-linked-issue/README.md index 93fbbdf..e0967e1 100644 --- a/.github/actions/check-linked-issue/README.md +++ b/.github/actions/check-linked-issue/README.md @@ -112,9 +112,7 @@ permissions: - `privateKey` (**required**): Private key for the `overture-check-linked-issue` GitHub App, used to generate an installation token for cross-repo GraphQL reads. Pass `${{ secrets.CHECK_LINKED_ISSUE_APP_PEM }}`. The value must include the full PEM block with a trailing newline. -- `clientId` (optional): GitHub App client ID. Takes precedence over `appId` when set. Does not normally need to be overridden. - -- `appId` (optional, **deprecated** — use `clientId`): GitHub App ID. Defaults to `2932845` (the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue)) and does not normally need to be overridden. +- `clientId` (optional): GitHub App client ID. Defaults to `2932845`, the App ID of the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue) — GitHub accepts the numeric App ID here too. Does not normally need to be overridden. - `minimumLinkedIssues` (optional): Minimum number of linked issues required for the PR. Default is `1`. Set this input to require more than one linked issue: diff --git a/.github/actions/check-linked-issue/action.yml b/.github/actions/check-linked-issue/action.yml index 8d3d1e7..3679430 100644 --- a/.github/actions/check-linked-issue/action.yml +++ b/.github/actions/check-linked-issue/action.yml @@ -13,14 +13,10 @@ inputs: clientId: description: > GitHub App client ID used to generate an installation token for - cross-repo linked issue reads. Takes precedence over appId. - required: false - default: "" - appId: - description: GitHub App ID used to generate an installation token for cross-repo linked issue reads + cross-repo linked issue reads. The numeric App ID also works here, + as GitHub accepts either as the JWT issuer. required: false default: "2932845" #https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue - deprecationMessage: Use 'clientId' instead. privateKey: description: > GitHub App private key used to generate an installation token. @@ -57,7 +53,7 @@ runs: if: ${{ inputs.privateKey != '' }} uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 # zizmor: ignore[github-app,ref-version-mismatch] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping with: - client-id: ${{ inputs.clientId || inputs.appId }} # accepts client ID or numeric app ID + client-id: ${{ inputs.clientId }} private-key: ${{ inputs.privateKey }} owner: ${{ github.repository_owner }} # zizmor: ignore[github-app] -- intentional: org-wide reusable workflow; dedicated GH App limits risk in lieu of per-repo scoping From 0efbc556c3b8dbc8598742efd88cd33ea9ac3924 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 15 Jul 2026 14:53:58 -0400 Subject: [PATCH 4/4] Use real client ID as clientId default Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall --- .github/actions/check-linked-issue/README.md | 2 +- .github/actions/check-linked-issue/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/check-linked-issue/README.md b/.github/actions/check-linked-issue/README.md index e0967e1..0ef07f9 100644 --- a/.github/actions/check-linked-issue/README.md +++ b/.github/actions/check-linked-issue/README.md @@ -112,7 +112,7 @@ permissions: - `privateKey` (**required**): Private key for the `overture-check-linked-issue` GitHub App, used to generate an installation token for cross-repo GraphQL reads. Pass `${{ secrets.CHECK_LINKED_ISSUE_APP_PEM }}`. The value must include the full PEM block with a trailing newline. -- `clientId` (optional): GitHub App client ID. Defaults to `2932845`, the App ID of the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue) — GitHub accepts the numeric App ID here too. Does not normally need to be overridden. +- `clientId` (optional): GitHub App client ID. Defaults to `Iv23liJL38m6IaQFoD60`, the client ID of the [Overture Check Linked Issues app](https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue) — GitHub accepts the numeric App ID here too. Does not normally need to be overridden. - `minimumLinkedIssues` (optional): Minimum number of linked issues required for the PR. Default is `1`. Set this input to require more than one linked issue: diff --git a/.github/actions/check-linked-issue/action.yml b/.github/actions/check-linked-issue/action.yml index 3679430..0787219 100644 --- a/.github/actions/check-linked-issue/action.yml +++ b/.github/actions/check-linked-issue/action.yml @@ -16,7 +16,7 @@ inputs: cross-repo linked issue reads. The numeric App ID also works here, as GitHub accepts either as the JWT issuer. required: false - default: "2932845" #https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue + default: "Iv23liJL38m6IaQFoD60" #https://github.com/organizations/OvertureMaps/settings/apps/overture-check-linked-issue privateKey: description: > GitHub App private key used to generate an installation token.