feat: add scope to skip-if-no-match / skip-if-match; move github-token and github-app to top-level on:; add shared/activation-app.md

.github/workflows/breaking-change-checker.md

@@ -34,6 +34,7 @@ safe-outputs:
     run-failure: "🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown..."
 timeout-minutes: 10
 imports:
+  - shared/activation-app.md
   - shared/reporting.md
 features:
   copilot-requests: true

.github/workflows/code-scanning-fixer.md

@@ -9,6 +9,8 @@ permissions:
   pull-requests: read
   security-events: read
 engine: copilot
+imports:
+  - shared/activation-app.md
 tools:
   github:
     github-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/code-simplifier.md

@@ -13,6 +13,7 @@ permissions:
 tracker-id: code-simplifier
 
 imports:
+  - shared/activation-app.md
   - shared/reporting.md
 
 safe-outputs:

.github/workflows/daily-file-diet.md

@@ -16,6 +16,7 @@ tracker-id: daily-file-diet
 engine: copilot
 
 imports:
+  - shared/activation-app.md
   - shared/reporting.md
   - shared/safe-output-app.md
   - shared/mcp/serena-go.md

.github/workflows/daily-rendering-scripts-verifier.md

@@ -45,6 +45,7 @@ safe-outputs:
 timeout-minutes: 30
 
 imports:
+  - shared/activation-app.md
   - shared/reporting.md
 ---
 

.github/workflows/daily-safe-output-optimizer.md

@@ -35,6 +35,7 @@ timeout-minutes: 30
 strict: true
 
 imports:
+  - shared/activation-app.md
   - shared/jqschema.md
   - shared/reporting.md
 ---

.github/workflows/daily-testify-uber-super-expert.md

@@ -15,6 +15,7 @@ tracker-id: daily-testify-uber-super-expert
 engine: copilot
 
 imports:
+  - shared/activation-app.md
   - shared/reporting.md
   - shared/safe-output-app.md
   - shared/mcp/serena-go.md

.github/workflows/dead-code-remover.md

@@ -9,6 +9,8 @@ permissions:
   pull-requests: read
   issues: read
 engine: copilot
+imports:
+  - shared/activation-app.md
 network:
   allowed:
     - defaults

.github/workflows/issue-monster.md

@@ -18,6 +18,9 @@ engine:
   id: copilot
   model: gpt-5.1-codex-mini
 
+imports:
+  - shared/activation-app.md
+
 timeout-minutes: 30
 
 tools:

.github/workflows/shared/activation-app.md

@@ -0,0 +1,62 @@
+---
+#on:
+#  github-app:
+#    app-id: ${{ vars.APP_ID }}
+#    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+---
+
+<!--
+# Shared Activation GitHub App Configuration
+
+This shared workflow provides repository-level GitHub App configuration for the activation job,
+including pre-activation skip-if search checks, reactions, and status comments.
+
+## Configuration Variables
+
+This shared workflow expects:
+- **Repository Variable**: `APP_ID` - The GitHub App ID
+- **Repository Secret**: `APP_PRIVATE_KEY` - The GitHub App private key
+
+## Usage
+
+Import this configuration in your workflows to enable GitHub App authentication for
+skip-if search queries and other activation-job operations:
+
+```yaml
+imports:
+  - shared/activation-app.md
+on:
+  schedule: daily
+  skip-if-match:
+    query: "org:myorg label:in-progress is:issue is:open"
+    scope: none
+```
+
+The configuration will be automatically inherited by importing workflows (first-wins strategy).
+
+## Benefits
+
+- **Cross-Org Search**: Combine with `scope: none` in skip-if-match / skip-if-no-match to search
+  across an organization instead of only the current repository
+- **Centralized Configuration**: Single source of truth for app credentials — update once,
+  all importing workflows benefit automatically
+- **Unified Token**: A single short-lived installation token is minted and shared across all
+  skip-if search steps, reactions, and status comments in the activation job
+- **Repository-Scoped**: Uses repository-specific variables and secrets
+
+## How It Works
+
+When this shared workflow is imported:
+1. The `on.github-app` configuration is extracted and merged into the importing workflow
+2. A single `pre-activation-app-token` step is emitted in the pre-activation job
+3. All skip-if search steps (skip-if-match and skip-if-no-match) receive this token
+4. The token is also used for reactions and status comments when configured
+
+## Token Precedence
+
+1. App token from `on.github-app` (this configuration) — **Highest priority for activation job**
+2. Custom token from `on.github-token`
+3. Default `GITHUB_TOKEN`
+
+`github-app` and `github-token` are mutually exclusive at the top-level `on:` section.
+-->

.github/workflows/slide-deck-maintainer.md

@@ -19,6 +19,8 @@ concurrency:
   job-discriminator: ${{ inputs.focus || github.run_id }}
 tracker-id: slide-deck-maintainer
 engine: copilot
+imports:
+  - shared/activation-app.md
 timeout-minutes: 45
 tools:
   cache-memory: true