citusdata · BarkinKctp · Mar 2, 2026 · Mar 14, 2026 · Mar 14, 2026 · Mar 14, 2026
diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml
@@ -6,7 +6,6 @@ env:
   PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }}
   PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }}
   PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }}
   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
 on:
@@ -25,6 +24,7 @@ jobs:
   build_package:
     name: Build package
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false
       matrix:
@@ -37,18 +37,36 @@ jobs:
           - ubuntu/noble
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
+
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USER_NAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - name: Clone tools branch
-        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
+      - name: Clone tools repo for test
+        run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools
 
       - name: Clone build branch
         run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging

diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml
@@ -1,7 +1,6 @@
 name: Build package for test images
 
 env:
-  GH_TOKEN: "${{ secrets.GH_TOKEN }}"
   PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}"
   PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}"
   PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}"
@@ -26,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -57,8 +56,25 @@ jobs:
           - TARGET_PLATFORM: ubuntu,noble
           - TARGET_PLATFORM: pgxn
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -75,6 +91,7 @@ jobs:
           TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }}
           POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }}
 
+
       - name: Clone tools repo for test
         run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
 
@@ -91,4 +108,4 @@ jobs:
           ./ci/push_images
         env:
           TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }}
-          POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }}
+          POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }}
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -1,7 +1,6 @@
 name: Build Package
 
 env:
-  GH_TOKEN: "${{ secrets.GH_TOKEN }}"
   PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}"
   PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}"
   PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}"
@@ -26,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -57,8 +56,24 @@ jobs:
           - TARGET_PLATFORM: ubuntu,noble
           - TARGET_PLATFORM: pgxn
     steps:
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources

diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml
@@ -6,7 +6,6 @@ env:
   PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }}
   PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }}
   PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }}
   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
 on:
@@ -38,8 +37,24 @@ jobs:
           - ubuntu/focal
 
     steps:
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       # This step is to fetch the images unanonymously to have higher bandwidth
       - name: Login to Docker Hub
@@ -49,7 +64,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone tools branch
-        run: git clone -b v0.8.35 --depth=1  https://github.com/citusdata/tools.git tools
+        run: git clone -b brk-test --depth=1  https://github.com/citusdata/tools.git tools
 
       - name: Clone build branch
         run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging

diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml
@@ -1,7 +1,6 @@
 name: Image Health Check
 
 env:
-  GH_TOKEN: "${{ secrets.GH_TOKEN }}"
   PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}"
   PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}"
   PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}"
@@ -27,8 +26,10 @@ jobs:
     name: Check if docker files are compliant with templates
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+
+      - name: Check out repository
+        uses: actions/checkout@v6
+
       - name: Update and check dockerfiles
         run: |
           ./update_dockerfiles
@@ -59,8 +60,25 @@ jobs:
           - TARGET_PLATFORM: ubuntu,noble
           - TARGET_PLATFORM: pgxn
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources

diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml
@@ -2,7 +2,6 @@ name: Update Version on PGXN Config Files
 
 env:
   PROJECT_VERSION: ${{ github.event.inputs.project_version }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
 
 on:
   workflow_dispatch:
@@ -16,7 +15,25 @@ jobs:
     name: Update pgxn configuration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+
+      - name: Create Github App Token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
+      - name: Check out repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app.outputs.token }}
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install dependencies
         run: sudo apt install libcurl4-openssl-dev libssl-dev

diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml
@@ -18,8 +18,9 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
 
       # Runs a single command using the runners shell
       - name: Clone Tools branch

diff --git a/build_packages b/build_packages
@@ -17,6 +17,8 @@ fi
 project=$1
 buildtype=$2
 
+git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+
 name=$(git config --get user.name)
 email=$(git config --get user.email)
 packager="${name} <${email}>"

diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb
@@ -88,7 +88,15 @@ if [ -z "${pkglatest}" ]; then
     exit $noinput
 fi
 
+if [[ "$GITHUB_TOKEN" == ..* ]]; then
+    echo "TOKEN FORMAT: appears to be a JWT (app-level token)."
+else
+    echo "TOKEN FORMAT: not a JWT (installation token or PAT)."
+fi
+
+
 echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 export NAME
 NAME=$(determine_name)

diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn
@@ -51,6 +51,7 @@ if [ -z "${pkglatest}" ]; then
 fi
 
 echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 cp -R /buildfiles/META.json "${builddir}"
 repopath="citusdata/${hubproj}"

diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm
@@ -82,6 +82,7 @@ if [ -z "${pkglatest}" ]; then
 fi
 
 echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc
+git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 name=$(determine_name)
 email=$(determine_email)