Commit 2026-03-10 14:28 1f8cbfe8


ci: Move GitHub apps private keys to Azure Key Vault and mint tokens Key Vault signing (#36150)

This PR migrates most GitHub App token minting in mathlib4 workflows from actions/create-github-app-token (using private keys in repo secrets) to the new Azure Key Vault-backed action introduced in [mathlib-ci#6](https://github.com/leanprover-community/mathlib-ci/pull/6). Documentation on how to set this up can be found over there.

For an example run see https://github.com/leanprover-community/mathlib4/actions/runs/22678441098

Pending migrations because I didn't have access to the keys:

  • MATHLIB_LEAN_PR_TESTING_* (other org; still uses actions/create-github-app-token)
  • LPC_TEAM_CHECK_* in splice_bot_wf_run.yaml (still uses private key for now)

Changes:

  • Migrated most workflows to Azure-minted tokens
  • Added/adjusted workflow permissions for OIDC minting (added id-token: write where Azure minting is used)

Prepared with Codex
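What "Key Vault signing" changes for a GitHub App token, as an added example that is not code from this commit or from mathlib-ci: the runner builds the App JWT and hands only its SHA-256 digest to a signer, so the private key never reaches the workflow. It assumes the standard RS256 GitHub App JWT; `sign_digest`, `RecordingSigner` and the app id are hypothetical names and constructed values.

```python
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Decode one JWT header/payload segment back to a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def mint_app_jwt(app_id: str, sign_digest, now=None) -> str:
    """Build a GitHub App JWT whose signature comes from an external signer.

    sign_digest(digest: bytes) -> bytes is the only place key material is
    used. With Azure Key Vault this would be the vault's RS256 sign
    operation, which takes a 32-byte SHA-256 digest and returns the signature.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    # iat is backdated 60 s for clock drift; exp stays under GitHub's 10 min cap.
    payload = {"iat": now - 60, "exp": now + 540, "iss": app_id}
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    digest = hashlib.sha256(signing_input.encode("ascii")).digest()
    signature = sign_digest(digest)
    if not signature:
        raise ValueError("signer returned no signature")
    return f"{signing_input}.{b64url(signature)}"


class RecordingSigner:
    """Constructed stand-in for the vault: records what it was asked to sign
    and returns placeholder bytes (NOT a valid RSA signature)."""

    def __init__(self):
        self.digests = []

    def __call__(self, digest: bytes) -> bytes:
        if len(digest) != 32:  # RS256 signs a SHA-256 digest
            raise ValueError("RS256 expects a 32-byte digest")
        self.digests.append(digest)
        return b"\x00" * 256  # size of an RSA-2048 signature
```

The resulting JWT is what gets exchanged for an installation access token; the `id-token: write` permission mentioned above is what lets the job authenticate to Azure through OIDC before requesting the signature.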

Estimated changes