fix: use app-slug output instead of /app API in dependabot workflow

.github/workflows/ValidatePullRequest.yml

@@ -15,6 +15,7 @@ concurrency:
 
 permissions:
   contents: write
+  pull-requests: read
 
 jobs:
   docs-pr:
@@ -40,9 +41,24 @@ jobs:
             return all_file_count === docs_file_count;
           result-encoding: string
 
+  # Update guest Cargo.lock files for Dependabot PRs.
+  # Dependabot only updates the root Cargo.lock, leaving the guest crate
+  # Cargo.lock files stale. This job updates them before code-checks runs
+  # `cargo fetch --locked` so that the first CI run succeeds.
+  update-guest-locks:
+    if: >-
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      github.actor == 'dependabot[bot]'
+    uses: ./.github/workflows/dep_update_guest_locks.yml
+    secrets: inherit
+
   # Build guests once, upload as artifacts for other jobs to download
   build-guests:
-    needs: docs-pr
+    needs: [docs-pr, update-guest-locks]
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -55,7 +71,11 @@ jobs:
 
   # Code checks (fmt, clippy, MSRV) - runs in parallel with build-guests
   code-checks:
-    needs: docs-pr
+    needs: [docs-pr, update-guest-locks]
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     uses: ./.github/workflows/dep_code_checks.yml
     secrets: inherit
     with:
@@ -66,6 +86,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -85,6 +109,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -104,6 +132,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -120,6 +152,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     uses: ./.github/workflows/dep_fuzzing.yml
     with:
       targets: '["fuzz_host_print", "fuzz_guest_call", "fuzz_host_call", "fuzz_guest_estimate_trace_event", "fuzz_guest_trace"]' # Pass as a JSON array
@@ -148,6 +184,7 @@ jobs:
   report-ci-status:
     needs:
       - docs-pr
+      - update-guest-locks
       - build-guests
       - code-checks
       - build-test

.github/workflows/dependabot-update-guest-locks.yml → .github/workflows/dep_update_guest_locks.yml

@@ -1,4 +1,6 @@
-# This workflow automatically updates the Cargo.lock files in guest crates when
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# This reusable workflow updates the Cargo.lock files in guest crates when
 # Dependabot updates dependencies. Without this, Dependabot PRs only update the
 # root Cargo.lock, leaving the guest crate Cargo.lock files stale.
 #
@@ -7,24 +9,21 @@
 name: Update Guest Cargo.lock for Dependabot PRs
 
 on:
-  pull_request:
-    branches: [main]
-    paths:
-      - 'Cargo.toml'
-      - 'Cargo.lock'
-      - 'src/hyperlight_*/Cargo.toml'
-
-permissions:
-  contents: read       # Required for actions/checkout to clone the repo
-  pull-requests: read  # Required for dependabot/fetch-metadata to read PR info
+  workflow_call:
 
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   update-guest-locks:
-    # Only run for Dependabot PRs - check the PR author, not the actor
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
     runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"]
     timeout-minutes: 15
     steps:
@@ -109,6 +108,7 @@ jobs:
         if: steps.check-ecosystem.outputs.is_cargo == 'true'
         env:
           GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+          APP_SLUG: ${{ steps.get-app-token.outputs.app-slug }}
           DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
           BRANCH: ${{ github.head_ref }}
           REPO: ${{ github.repository }}
@@ -124,7 +124,9 @@ jobs:
           echo "Guest Cargo.lock files have changed, committing via API..."
 
           # Get app identity for DCO sign-off trailer
-          app_slug=$(gh api /app --jq .slug)
+          # Use the app-slug output from create-github-app-token (the /app API
+          # endpoint requires JWT auth, not an installation token).
+          app_slug="${APP_SLUG}"
           app_user_id=$(gh api "/users/${app_slug}[bot]" --jq .id)
 
           # Get current branch HEAD and its tree