
Future: fully automate scoped token / GitHub App credential provisioning during repo bootstrap #264

@jdfalk

Description


Tracked from bootstrap-repo skill design discussion (2026-04-24).

Context

The new bootstrap-repo skill (see .claude/skills/bootstrap-repo/) creates and configures repos to ghcommon standards but stops short of provisioning the secrets the release workflow needs (CI_APP_ID, CI_APP_PRIVATE_KEY, etc.). Today it prints a manual checklist directing the user to setup-ci-app.sh.

Desired end state

Single-command bootstrap that ends with a fully-functional release workflow on first push:

  • Skill creates or attaches a scoped GitHub App with the minimum permissions needed by the workflows in the chosen flavor (action / library / service).
  • Generates and installs the App's private key as a repo secret.
  • Records App installation IDs where workflows expect them.
  • Idempotent: re-running on an already-bootstrapped repo is a no-op.

Why deferred

Secret provisioning has higher blast radius than the rest of bootstrap and benefits from settling the skill's other surface area first. Doing it manually via setup-ci-app.sh is acceptable for now.

Acceptance

  • bootstrap_repo.sh --with-secrets (or equivalent) succeeds end-to-end on a fresh repo with no manual steps after.
  • Documented in docs/standards/ under each flavor's "secrets" section.
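As an added illustration, not ghcommon's own code: a POSIX shell sketch of the idempotent "install only what is missing" step, driven by `gh secret list` / `gh secret set`. CI_APP_ID and CI_APP_PRIVATE_KEY are the names from this issue; CI_APP_INSTALLATION_ID, the per-flavor secret sets and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from ghcommon. Decides which CI App secrets a repo
# still lacks from `gh secret list` output and sets only those, so a re-run
# on an already-bootstrapped repo sets nothing. CI_APP_ID / CI_APP_PRIVATE_KEY
# come from the issue; CI_APP_INSTALLATION_ID and the per-flavor sets are assumed.
set -u

# Secrets the workflows of each flavor are assumed to need (assumption).
required_secrets() {
  case "$1" in
    action|library) printf '%s\n' CI_APP_ID CI_APP_PRIVATE_KEY ;;
    service)        printf '%s\n' CI_APP_ID CI_APP_PRIVATE_KEY CI_APP_INSTALLATION_ID ;;
    *) echo "unknown flavor: $1" >&2; return 1 ;;
  esac
}

# $1 = flavor, $2 = output of `gh secret list -R OWNER/REPO` (NAME is column 1).
# Prints the required secrets not yet present, one per line; empty when complete.
missing_secrets() {
  flavor="$1"; existing="$2"
  required=$(required_secrets "$flavor") || return 1
  for name in $required; do
    if ! printf '%s\n' "$existing" | awk '{print $1}' | grep -qx "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# $1 = flavor, $2 = OWNER/REPO. Values are read from environment variables of the
# same name (e.g. CI_APP_PRIVATE_KEY holding the PEM from setup-ci-app.sh), never
# from argv, so they do not show up in the process list or shell history.
provision_missing() {
  flavor="$1"; repo="$2"
  existing=$(gh secret list -R "$repo") || return 1
  missing=$(missing_secrets "$flavor" "$existing") || return 1
  for name in $missing; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name is missing in the repo and empty in the environment; aborting" >&2
      return 1
    fi
    printf '%s' "$value" | gh secret set "$name" -R "$repo" || return 1
    echo "set $name"
  done
}

# Constructed sample of `gh secret list` output for a half-bootstrapped repo.
SAMPLE_LIST=$(printf 'CI_APP_ID\t2026-04-24T10:00:00Z\nCODECOV_TOKEN\t2026-01-02T00:00:00Z\n')
```

Running `provision_missing action OWNER/REPO` twice sets the missing secret on the first pass and is a no-op on the second, which is the idempotency property the issue asks for.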

Metadata

Labels

  • ci/cd: Continuous integration and deployment
  • documentation: Improvements or additions to documentation
  • enhancement: New feature or request
  • priority: medium
