OrchestKit Release Bot — token-flow explorer fix/scorecard-alerts

PR: #1426
Scorecard alerts closed: 11
App ID: 3440696
Bot user ID: 277719826
App settings: orchestkit-release-bot

Runtime token flow — release.yml

Rotation runbook — 5 steps, ~5 minutes

  1. Generate new key.

    Open the App settings. Scroll to Private keys → Generate a private key. The new .pem downloads.

    open https://github.com/settings/apps/orchestkit-release-bot
  2. Update the 1Password backup.

    Item UUID is stable: ickhsiw7etwfuym4i4poldeyxi in the HQ-Dev vault. Replace the file attachment with the new .pem.

    op item edit ickhsiw7etwfuym4i4poldeyxi --vault HQ-Dev
  3. Push new key to GitHub Actions secret.

    Adjust the .pem filename in the command below. The file is read from stdin so its contents never appear in shell history or tool output.

    gh secret set RELEASE_BOT_PRIVATE_KEY --repo yonatangross/orchestkit < ~/Downloads/orchestkit-release-bot.*.private-key.pem
  4. Revoke the old key.

    Back on the App settings page → Private keys section → delete the old fingerprint. Do this AFTER step 3, so a rollback is possible if the new key fails to mint.

    open https://github.com/settings/apps/orchestkit-release-bot
  5. Delete the local .pem.

    Key is now in two protected stores (GitHub secret + 1Password). A disk copy is a leak vector.

    rm ~/Downloads/orchestkit-release-bot.*.private-key.pem