From ef2084b3ac6db6c56ec1c472e9f7af269f51b7b1 Mon Sep 17 00:00:00 2001
From: David <12414531+DavidBellamy@users.noreply.github.com>
Date: Fri, 15 May 2026 20:02:59 -0700
Subject: [PATCH 1/2] ci: notify RL360 to bump submodule pointer on prod push

---
 .github/workflows/notify-rl360-prod-bump.yml | 38 ++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/notify-rl360-prod-bump.yml

diff --git a/.github/workflows/notify-rl360-prod-bump.yml b/.github/workflows/notify-rl360-prod-bump.yml
new file mode 100644
index 0000000000..7ce0f2b906
--- /dev/null
+++ b/.github/workflows/notify-rl360-prod-bump.yml
@@ -0,0 +1,38 @@
+name: Notify RL360 of prod update
+
+# When prod moves on this fork, fire a repository_dispatch into LLM360/RL360
+# so the auto-bump workflow there can open a PR bumping the corresponding
+# submodules// gitlink to the new prod HEAD.
+#
+# Auth: GitHub App llm360-deploy-bot (App ID in vars.DEPLOY_BOT_APP_ID,
+# private key in secrets.DEPLOY_BOT_PRIVATE_KEY). App must be installed on
+# both this repo and LLM360/RL360.
+
+on:
+  push:
+    branches: [prod]
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Mint App token for RL360
+        id: token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.DEPLOY_BOT_APP_ID }}
+          private-key: ${{ secrets.DEPLOY_BOT_PRIVATE_KEY }}
+          owner: LLM360
+          repositories: RL360
+
+      - name: Fire submodule-prod-updated dispatch
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ steps.token.outputs.token }}
+          repository: LLM360/RL360
+          event-type: submodule-prod-updated
+          client-payload: |
+            {
+              "submodule": "${{ github.event.repository.name }}",
+              "sha": "${{ github.sha }}"
+            }
From 2e4ecba524a6c5ef72e239e1ebe9c1fdc653c39e Mon Sep 17 00:00:00 2001
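Review bot: Both third-party actions are pinned to mutable tags (`uses: actions/create-github-app-token@v1` and `uses: peter-evans/repository-dispatch@v3`), and this job hands an App installation token for LLM360/RL360 into the second action as an input, so whatever those tags resolve to at run time receives that token. Pin each `uses:` to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: peter-evans/repository-dispatch@<full-commit-sha>  # v3`, and let Dependabot's github-actions ecosystem move the pins. The client payload is assembled by string interpolation; `github.sha` and the repository name are owner-controlled and cannot contain quotes, but `"submodule": ${{ toJSON(github.event.repository.name) }}` is the form that stays well-formed JSON regardless of the field's content. Separately, the header comment's `submodules// gitlink` reads as if a placeholder was dropped; `submodules/<repo-name>/` would tie the comment to the `submodule` field the payload sends.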
From: David <12414531+DavidBellamy@users.noreply.github.com>
Date: Tue, 19 May 2026 10:22:59 -0700
Subject: [PATCH 2/2] ci: set permissions: {} on notify-rl360-prod-bump workflow

Workflow authenticates as the llm360-deploy-bot GitHub App and dispatches via the resulting installation token; GITHUB_TOKEN is never used. Strip its scopes to zero (least privilege) and silence CodeQL alert #30 (rule: actions/missing-workflow-permissions).
---
 .github/workflows/notify-rl360-prod-bump.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/notify-rl360-prod-bump.yml b/.github/workflows/notify-rl360-prod-bump.yml
index 7ce0f2b906..96a0da75e7 100644
--- a/.github/workflows/notify-rl360-prod-bump.yml
+++ b/.github/workflows/notify-rl360-prod-bump.yml
@@ -8,6 +8,11 @@ name: Notify RL360 of prod update
 # private key in secrets.DEPLOY_BOT_PRIVATE_KEY). App must be installed on
 # both this repo and LLM360/RL360.
 
+# This workflow never uses GITHUB_TOKEN: it authenticates as the
+# llm360-deploy-bot App (private key) and dispatches via the resulting App
+# installation token. Strip GITHUB_TOKEN to zero scopes.
+permissions: {}
+
 on:
   push:
     branches: [prod]
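Review bot: The three-line comment added above `permissions: {}` largely restates the `# Auth:` paragraph immediately above it in the context lines, which already says the job authenticates as the llm360-deploy-bot App; two descriptions of the same auth model will drift the next time one is edited. Collapse it to a trailing comment on the key, `permissions: {}  # GITHUB_TOKEN unused: auth is the App installation token (see Auth above)`, or fold the "never uses GITHUB_TOKEN" sentence into the Auth paragraph. Workflow level is the right place for the empty grant, since no step in the file references GITHUB_TOKEN and the only token passed around is `steps.token.outputs.token`.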