chore: replace CDK_REPO_TOKEN PAT with GitHub App token

[aidandaly24]

Summary

• Replace secrets.CDK_REPO_TOKEN (a fine-grained PAT) in e2e-tests.yml and e2e-tests-full.yml with a short-lived GitHub App token
• Uses actions/create-github-app-token@v1 with the agentcore-devx-automation app (ID: 3637953)

Secrets to Delete After Verification

• CDK_REPO_TOKEN

Test plan

• Ensure APP_ID variable and APP_PRIVATE_KEY secret are set on this repo
• Merge PR
• Trigger E2E tests and confirm CDK repo clone succeeds
• Delete old CDK_REPO_TOKEN secret

[agentcore-cli-automation]

Nice switch from a long-lived PAT to a short-lived GitHub App token — the approach is sound and matches the pattern already used in ci-failure-issue.yml / agent-restricted.yml. I flagged one issue that I believe will cause the E2E tests to fail on first run; see the inline comment.

[agentcore-cli-automation]

Token will be scoped to the wrong repository — CDK clone will fail

actions/create-github-app-token has this default behavior (from its action.yml):

repositories: Comma or newline-separated list of repositories to grant the token access to (defaults to current repository if owner is unset)

Because neither owner nor repositories is set here, the generated token is scoped to aws/agentcore-cli only. The subsequent step then tries to clone a different repo (${{ secrets.CDK_REPO_NAME }}) using that token:

git clone --depth 1 "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo

That clone will fail with 404 / auth error because the installation token has no access to the CDK repo, regardless of whether the agentcore-devx-automation App is installed on it. The existing usages (agent-restricted.yml, ci-failure-issue.yml) only act on the current repo, so they don't expose this issue.

Fix options:

1. Explicitly scope to the CDK repo. Store the CDK repo name as a vars.CDK_REPO_NAME (or split the existing org/repo secret — the repositories input wants just the repo name, not org/repo) and pass:

   - uses: actions/create-github-app-token@v1
     with:
       app-id: ${{ vars.APP_ID }}
       private-key: ${{ secrets.APP_PRIVATE_KEY }}
       owner: <cdk-repo-owner>           # e.g. ${{ github.repository_owner }} if same org
       repositories: <cdk-repo-name>      # just the repo name, no owner prefix

2. Scope to both repos if you'd rather keep a single token generation step that could be reused:

   with:
     app-id: ${{ vars.APP_ID }}
     private-key: ${{ secrets.APP_PRIVATE_KEY }}
     owner: ${{ github.repository_owner }}
     repositories: |
       ${{ github.event.repository.name }}
       <cdk-repo-name>

Either way, please also verify the agentcore-devx-automation App is installed on the CDK repo with at least contents: read, and update the test plan to cover this before deleting CDK_REPO_TOKEN.

[github-actions]

Package Tarball

aws-agentcore-0.13.1.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-1201-tarball/aws-agentcore-0.13.1.tgz

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	43.34%	9083 / 20955
🔵	Statements	42.61%	9646 / 22633
🔵	Functions	40.11%	1569 / 3911
🔵	Branches	40.18%	5862 / 14587

Generated in workflow #2745 for commit 00e53f6 by the Vitest Coverage Report Action