403 in the check-run api call when passing a Github app token

[renkeven]

Describe the bug

A default Github App creates the initial check-run when the workflow is first triggered. If you pass in your own Github App token (my tf modules are in different repos under a private org), gh api check-run does not let you patch the check summary and title resulting in a 403

The error you see is:
gh: Invalid app_id 15368 - check run can only be modified by the GitHub App that created it. (HTTP 403)

if allow the default ${{ github.token }} to be used with gh api create-run, then this would be fine

To Reproduce

on:
  pull_request:
    branches:
      - "main"

jobs:
  provision:
    runs-on: ubuntu-latest

    permissions:
      actions: read        # Required to identify workflow run.
      checks: write        # Required to add status summary.
      contents: read       # Required to checkout repository.
      id-token: "write"    # Required to authenticate with Workload Identity Federation.
      pull-requests: write # Required to add PR comment.

    steps:
      - uses: actions/checkout@v5

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false

      - uses: actions/create-github-app-token@v1
        name: Generate Github app token
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Run plan by default, or apply on merge.
      - uses: OP5dev/TF-via-PR
        with:
          working-directory: terraform/hello
          command: 'plan'
          arg-lock: false
          plan-encrypt: "test123"
          token: ${{ steps.app-token.outputs.token }}

Expected behavior

Expect the check status to be updated

Additional context

[rdhar]

Hey @renkeven, thanks for raising this issue and corresponding PR: love to see it!

Using a GitHub App for plan/apply is a new use-case to me, so I'm trying to understand how your PR #539 resolves the issue.

if allow the default ${{ github.token }} to be used with gh api create-run, then this would be fine

As it happens, the default value for token is ${{ github.token }}, as seen here.

And that input value is also stored as GH_TOKEN environment variable for use by the workflow, as seen here.

So I'm assuming the GitHub app token you're creating has contents: read permission to those other tf-module repositories, but does not have checks: write permission to the repo where the workflow is being run?

[renkeven]

Hi @rdhar,

Super stoked to see that this action covers essentially everything I needed 😄

Sorry if I was not so clear, happy to clarify further as needed: The provision job (as in the example above) would have a check-run created by the default Github App (id=15368). However in the TF-via-PR action, because I had passed in a different token (from my org's Github App), the token/GH_TOKEN is overwritten by the new token. Because of this, we cannot updatethe provision check-run. The error suggests that the check-run cannot be updated by any other app than the one that has created it, i.e. the default Github App (id=15368) whose token is ${{ github.token }}.

I have configured the github app to cover the permissions needed for the action (same as the listed in the example; actions read, checks write, etc)

[rdhar]

Super stoked to see that this action covers essentially everything I needed 😄

Happy to hear that and, it goes without saying, feel free to raise any feedback or suggestions: I'm all ears!

because I had passed in a different token (from my org's Github App), the token/GH_TOKEN is overwritten by the new token. Because of this, we cannot updatethe provision check-run.

Gotcha, this is a new use-case to me, but you've clarified the problem for me. Just to check, have you tried/tested your PR branch to confirm it actually resolves the issue (i.e., passed uses: blunomy/tf-via-pr@explicit-token-check-run into your workflow)?

If so, I'll aim to get a patch release out by the end of the week, thanks to your contribution. 🙌

[renkeven]

Yes, I've been using the action from our fork for now 😃

[rdhar]

Thanks once again for raising this fix and sharing background for the issue.

On a tangentially related note, your screenshot has also revealed another bug: the datetime is missing from the "By @renkeven at 2026-02-09T12:34:56Z (view log)." Uncertain as to why given that pull_request event trigger is supported by default.