From bb9e380d22d9b1a925c204fa5f96427a39167cf9 Mon Sep 17 00:00:00 2001
From: Drew Minnear
Date: Thu, 9 Apr 2026 16:34:50 -0400
Subject: [PATCH] use gh app to fetch token for docs pr creation
---
.github/workflows/update-metadata.yaml | 34 +++++++++++++++++---------
TESTPLAN.md | 2 +-
pattern-metadata.yaml | 4 +--
3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/update-metadata.yaml b/.github/workflows/update-metadata.yaml
index 9f4fc598..270b0eb3 100644
--- a/.github/workflows/update-metadata.yaml
+++ b/.github/workflows/update-metadata.yaml
@@ -1,7 +1,3 @@ -# This job requires a secret called DOCS_TOKEN which should be a PAT token -# that has the permissions described in: -# validatedpatterns/docs/.github/workflows/metadata-docs.yml@main ---- name: Update docs pattern metadata on: workflow_dispatch:
@@ -12,15 +8,29 @@ on: branches: - main +permissions: + contents: read + jobs: + get-token: + runs-on: ubuntu-latest + permissions: {} + outputs: + generated_token: ${{ steps.app-token.outputs.token }} + steps: + - name: Generate Token + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + id: app-token + with: + app-id: ${{ vars.METADATA_SYNC_APP_ID }} + private-key: ${{ secrets.METADATA_SYNC_PRIVATE_KEY }} + update-metadata: + needs: get-token uses: validatedpatterns/docs/.github/workflows/metadata-docs.yml@main # zizmor: ignore[unpinned-uses] - permissions: # Workflow-level permissions - contents: read # Required for "read-all" - packages: write # Allows writing to packages - id-token: write # Allows creating OpenID Connect (OIDC) tokens + permissions: + contents: read + packages: write + id-token: write secrets: - DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }} - # For testing you can point to a different branch in the docs repository - # with: - # DOCS_BRANCH: "main" + DOCS_TOKEN: ${{ needs.get-token.outputs.generated_token }}
diff --git a/TESTPLAN.md b/TESTPLAN.md
index c38d235b..8d8a185f 100644
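Review bot: In the second hunk of update-metadata.yaml, the `get-token` job hands the installation token to `update-metadata` through a job output (`generated_token: ${{ steps.app-token.outputs.token }}`), and GitHub Actions does not forward job outputs whose value matches a masked secret, so `needs.get-token.outputs.generated_token` is likely to arrive empty at `DOCS_TOKEN`. A more robust shape is to mint the token in the job that uses it: pass the app id and `METADATA_SYNC_PRIVATE_KEY` to the reusable workflow and call `actions/create-github-app-token` there, which also keeps the token from crossing a job boundary. Separately, the `with:` block sets neither `owner` nor `repositories`, so the token is scoped to the current repository only; if the pull request is opened in `validatedpatterns/docs`, add `owner: validatedpatterns` and `repositories: docs`. Because the token is handed to a workflow referenced at the mutable `@main`, also consider narrowing it with the action's `permission-*` inputs (if this version supports them) so it carries only what the PR step needs.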
--- a/TESTPLAN.md
+++ b/TESTPLAN.md
@@ -1,6 +1,6 @@ # TravelOps Test Plan -[GitHub Repository](https://github.com/validatedpatterns-sandbox/travelops) +[GitHub Repository](https://github.com/validatedpatterns/travelops) ## PreRequisites
diff --git a/pattern-metadata.yaml b/pattern-metadata.yaml
index 012a892e..8c74e751 100644
--- a/pattern-metadata.yaml
+++ b/pattern-metadata.yaml
@@ -5,9 +5,9 @@ name: travelops description: A pattern deploying a demo travel-booking stack on OpenShift with Service Mesh (Istio), mTLS, distributed tracing, and observability pattern_version: "1.0" display_name: TravelOps -repo_url: https://github.com/validatedpatterns-sandbox/travelops +repo_url: https://github.com/validatedpatterns/travelops docs_repo_url: https://github.com/validatedpatterns/docs -issues_url: https://github.com/validatedpatterns-sandbox/travelops/issues +issues_url: https://github.com/validatedpatterns/travelops/issues docs_url: https://validatedpatterns.io/patterns/travelops/ ci_url: https://validatedpatterns.io/ci/?pattern=travelops # can be sandbox, tested or maintained