Epic: adopt shared GitHub agent apps and token mints (ADR 0029)

[ifireball]

What is missing

ADR 0029 — central token mint and shared apps for a secretless .fullsend sets direction for a central token mint and shared per-role GitHub Apps so adopting orgs can move off bespoke per-org apps and org-level dispatch PATs for the baseline path. The implementation and operations work to stand up shared app registrations paired with a mint, across internal (Red Hat) and public community profiles, is not tracked as a single outcome.

What should happen

There is a clear breakdown of deliverables for:

• Red Hat–internal shared apps and a mint that exposes them to approved internal workloads.
• Public community–use shared apps and the mint / hosting choices that pair with them.

Child issues track each slice; this epic is complete when those tracks are defined, built to the agreed bar, and wired into how orgs enroll and trust a deployment profile.

Context

• ADR 0029 (proposed): shared baseline vs self-managed; deployment profiles; OIDC-bound minting.
• Related mint modeling work: Expand token mint ADR for per-repo security model #728 (per-repo / expanded mint security model).
• Existing install and dispatch assumptions (e.g. ADR 0007, 0008, 0026) change when mint-held keys and workflow_call paths land; this epic is the shared-apps + mint rollout side of that.

[github-actions]

fullsend triage is working on this — view logs

[fullsend-ai-triage]

This issue describes an epic for new functionality — implementing the shared GitHub Apps and central token mint architecture outlined in ADR 0029. Since this tracks desired new behavior rather than a defect in existing functionality, it will be labeled as a feature request for prioritization.

A few notes from triage:

• ADR 0029 is still in "Proposed" status. Implementation work tracked here may want to wait for (or drive) acceptance of that ADR before committing to specific deliverables.
• Related open issues already exist: Expand token mint ADR for per-repo security model #728 (per-repo mint security model expansion), Shared Red Hat–internal GitHub Apps and token mint #913 (Red Hat-internal shared apps and mint), SPIKE: community token mint on GCP vs Cloudflare port #915 (community mint spike), and several mint-related operational issues (mint: add clock skew tolerance to OIDC token expiry check #738, mint: findInstallation only checks repos[0], may miss per-repo installation gaps #737, OIDC mint: defense-in-depth follow-ups from PR #503 review #741, FULLSEND_MINT_URL org variable not visible to newly enrolled repos #860, E2E tests broken: OIDC mint requires real GCP project with WIF and Secret Manager #817, WIF attribute condition rejects OIDC tokens from non-.fullsend repos, causing STS 400 #910).
• The epic structure (parent with child issues per slice) is clear and well-organized.

Consider linking child issues explicitly via task lists or sub-issue references so progress is trackable from this epic.