From dc32acd0d8697a5d35fd826ce5dd39e0537ff7c4 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sun, 3 May 2026 18:00:00 +0100
Subject: [PATCH] ci: post Mantis QA comments as GitHub App (#76825)

---
 .../mantis-discord-status-reactions.yml | 25 ++++++++++++++++---
 docs/concepts/mantis.md | 7 ++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/mantis-discord-status-reactions.yml b/.github/workflows/mantis-discord-status-reactions.yml
index f06de7e8238..96a84141924 100644
--- a/.github/workflows/mantis-discord-status-reactions.yml
+++ b/.github/workflows/mantis-discord-status-reactions.yml
@@ -33,6 +33,7 @@ env:
 PNPM_VERSION: "10.33.0"
 OPENCLAW_BUILD_PRIVATE_QA: "1"
 OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
+ HAS_MANTIS_GITHUB_APP: ${{ secrets.MANTIS_GITHUB_APP_ID != '' && secrets.MANTIS_GITHUB_APP_PRIVATE_KEY != '' }}
 
 jobs:
 authorize_actor:
@@ -266,10 +267,23 @@ jobs:
 retention-days: 14
 if-no-files-found: warn
 
+ - name: Create Mantis GitHub App token
+ id: mantis_app_token
+ if: ${{ always() && inputs.pr_number != '' && env.HAS_MANTIS_GITHUB_APP == 'true' }}
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
+ private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+ permission-contents: write
+ permission-issues: write
+ permission-pull-requests: write
+
 - name: Comment PR with inline QA screenshots
 if: ${{ always() && inputs.pr_number != '' && steps.run_mantis.outputs.output_dir != '' }}
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.mantis_app_token.outputs.token || github.token }}
 TARGET_PR: ${{ inputs.pr_number }}
 ARTIFACT_URL: ${{ steps.upload_artifact.outputs.artifact-url }}
 BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
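Review bot: The new `Create Mantis GitHub App token` step requests `permission-contents: write`, but the only consumer visible in this hunk is the `Comment PR with inline QA screenshots` step, whose `gh api`/`gh pr comment` calls need issue and pull-request write rights only; if nothing in that step writes repository content, `permission-contents: write` should be dropped so the installation token cannot push even if it leaks into a log or artifact. The step's `if:` also lacks the `steps.run_mantis.outputs.output_dir != ''` guard that the comment step carries, so a token is minted on runs that then skip commenting; mirroring that condition keeps token issuance tied to actual use. Note too that `GH_TOKEN: ${{ steps.mantis_app_token.outputs.token || github.token }}` only falls back when the token step is skipped: if the step itself fails (a misconfigured app, for instance) the job fails before the fallback applies, which is reasonable if surfacing misconfiguration is the intent but deserves a comment above the step such as `# Fallback to github.token covers missing secrets only; a failed token mint fails the job on purpose.` The comment step's `run:` body lies outside this hunk.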
@@ -359,8 +373,13 @@ jobs:
 if [[ -n "$comment_id" ]]; then
 comment_payload="$(mktemp)"
 jq -n --rawfile body "$comment_file" '{ body: $body }' > "$comment_payload"
- gh api --method PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${comment_id}" --input "$comment_payload" >/dev/null
- echo "Updated Mantis QA screenshot comment on PR #${TARGET_PR}."
+ if gh api --method PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${comment_id}" --input "$comment_payload" >/dev/null; then
+ echo "Updated Mantis QA screenshot comment on PR #${TARGET_PR}."
+ else
+ echo "::warning::Could not update existing Mantis QA screenshot comment ${comment_id}; creating a new one."
+ gh pr comment "$TARGET_PR" --body-file "$comment_file"
+ echo "Created Mantis QA screenshot comment on PR #${TARGET_PR}."
+ fi
 else
 gh pr comment "$TARGET_PR" --body-file "$comment_file"
 echo "Created Mantis QA screenshot comment on PR #${TARGET_PR}."
diff --git a/docs/concepts/mantis.md b/docs/concepts/mantis.md
index 50d61266e74..f184377d043 100644
--- a/docs/concepts/mantis.md
+++ b/docs/concepts/mantis.md
@@ -352,6 +352,13 @@ comment on that bug or fix PR with inline before/after screenshots.
 Do not post the primary proof only on a generic QA automation PR.
 Raw logs, observed messages, and other bulky evidence stay in the Actions artifact.
 
+Production workflows should post those comments with the Mantis GitHub App, not
+with `github-actions[bot]`. Store the app id and private key as
+`MANTIS_GITHUB_APP_ID` and `MANTIS_GITHUB_APP_PRIVATE_KEY` GitHub Actions
+secrets. If those secrets are missing, the workflow may fall back to
+`github-actions[bot]` for local bring-up, but that is not the desired long-term
+identity.
+
 The PR comment should be short and visual:
 
 ```md
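Review bot: The new else branch turns a failed PATCH into a `::warning::` annotation plus a fresh comment, but the annotation carries only `${comment_id}` and not why the update failed, so a permission problem with the new App identity will surface only as a growing pile of comments. Because `comment_id` is looked up before this hunk, a run that keeps finding a comment the current token cannot edit (for instance one posted under the previous `github-actions[bot]` identity, if the lookup does not filter by author) will take this branch on every run and leave one more comment each time; either the lookup should restrict itself to comments the posting identity owns, or the warning should include the API error so the duplication is diagnosable. The `gh pr comment` / `echo "Created …"` pair is now duplicated in the inner and outer else; setting `posted=1` after the successful-update echo, dropping the inner create, and running a single `if [[ "${posted:-0}" != "1" ]]; then … fi` after the outer `fi` removes the repetition. The enclosing `run:` script starts and ends outside this hunk.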