From c8020e1522ec4fbef805346c167124e4c1cae6ed Mon Sep 17 00:00:00 2001
From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com>
Date: Sun, 21 Jun 2026 23:09:10 -0400
Subject: [PATCH] ci: fail open front-desk-add when the Front Desk App is unset
---
 .github/workflows/front-desk-add.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/front-desk-add.yml b/.github/workflows/front-desk-add.yml
index 1293b29..ebb60a0 100644
--- a/.github/workflows/front-desk-add.yml
+++ b/.github/workflows/front-desk-add.yml
@@ -7,12 +7,12 @@
 # Auth = the Front Desk *door*: the same signed GitHub App, granted only
 # Organization Projects: read+write (+ repo Issues/PRs: read).
 # Configure ONCE as ORG-level var + secret so every repo shares them:
-# - org variable FRONT_DESK_APP_ID
+# - org variable FRONT_DESK_CLIENT_ID (the App's Client ID, Iv23…)
 # - org secret FRONT_DESK_APP_PRIVATE_KEY
 # (See docs/handoffs/gh-project-room.md → "The door".)
 #
 # Until those are set, the job FAILS OPEN: the credentialed steps are gated on
-# FRONT_DESK_APP_ID and skipped, so the `add` check passes instead of dying on
+# FRONT_DESK_CLIENT_ID and skipped, so the `add` check passes instead of dying on
 # every PR org-wide (the bug in docs/handoffs/front-desk-app-credentials.md).
 # The central sweep (front-desk-sync.yml) is the backstop until the org-level
 # var + secret land.
@@ -33,23 +33,23 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Fail OPEN when the Front Desk App isn't configured yet: an unset
- # org var FRONT_DESK_APP_ID means the token mint (and thus the whole
+ # org var FRONT_DESK_CLIENT_ID means the token mint (and thus the whole
 # job) would fail on every PR. Skip the credentialed steps and let the
 # job pass — the central sweep (gh-project-room) is the backstop until
 # the org-level var + secret are set.
 - name: Front Desk App not configured — skipping
- if: ${{ vars.FRONT_DESK_APP_ID == '' }}
- run: echo "FRONT_DESK_APP_ID unset; relying on the central sweep. See docs/handoffs/gh-project-room.md."
+ if: ${{ vars.FRONT_DESK_CLIENT_ID == '' }}
+ run: echo "FRONT_DESK_CLIENT_ID unset; relying on the central sweep. See docs/handoffs/gh-project-room.md."
 - name: Mint Front Desk token from the GitHub App
 id: app-token
- if: ${{ vars.FRONT_DESK_APP_ID != '' }}
- uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+ if: ${{ vars.FRONT_DESK_CLIENT_ID != '' }}
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
- app-id: ${{ vars.FRONT_DESK_APP_ID }}
+ client-id: ${{ vars.FRONT_DESK_CLIENT_ID }}
 private-key: ${{ secrets.FRONT_DESK_APP_PRIVATE_KEY }}
 owner: ${{ github.repository_owner }}
 - name: Add to Front Desk
- if: ${{ vars.FRONT_DESK_APP_ID != '' }}
+ if: ${{ vars.FRONT_DESK_CLIENT_ID != '' }}
 uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
 with:
 project-url: https://github.com/orgs/bounded-systems/projects/2
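Review bot: The skip step reports the fail-open path only in the job log, so once the gate moves to `FRONT_DESK_CLIENT_ID` any org or repo that still has only the old `FRONT_DESK_APP_ID` variable will silently stop adding items while the `add` check stays green. Because the job is designed to pass when unconfigured, the skip should surface as an annotation on the run: `run: echo "::warning::FRONT_DESK_CLIENT_ID unset; relying on the central sweep. See docs/handoffs/gh-project-room.md."`. The gate also tests only the variable, so if `FRONT_DESK_APP_PRIVATE_KEY` is missing or not passed to the run, the mint step would presumably still fail rather than skip; the workflow trigger is outside this hunk, so whether that can happen needs confirming. The `# v3.2.0` comment beside the new pin is not enforced by anything, so confirm that the SHA resolves to that release tag of `actions/create-github-app-token` before merging the major-version bump.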