ci: use GitHub App token for node sync workflow #395

Merged: dohernandez merged 3 commits into main from ci/sync-docs-github-app · Apr 28, 2026

@dohernandez dohernandez commented Apr 28, 2026

Description

Replaces the NODE_REPO_TOKEN PAT with a GitHub App installation token for accessing the private genlayerlabs/genlayer-node repository in the docs sync workflow.

Changes

  • .github/workflows/sync-docs-from-node.yml
    • prepare job: added actions/create-github-app-token@v1 step (gated on version == 'latest') and switched the Detect latest version step to use the App token.
    • sync-files job: added the same token-mint step before Clone source repository and switched the checkout to use the App token.
    • Both token steps are scoped to owner: genlayerlabs / repositories: genlayer-node.
    • Removed secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN fallbacks.
  • .github/workflows/README.md: replaced the NODE_REPO_TOKEN PAT section with a GitHub App section documenting NODE_SYNC_APP_CLIENT_ID and NODE_SYNC_APP_KEY, plus the required App permission (Contents: Read) and installation target.

Required Repo Secrets

  • NODE_SYNC_APP_CLIENT_ID — Client ID of the GitHub App
  • NODE_SYNC_APP_KEY — PEM-encoded private key of the GitHub App

The App must be installed on genlayerlabs/genlayer-node with Contents: Read.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD authentication mechanism to enhance security and reliability in the deployment pipeline.

Replaces the NODE_REPO_TOKEN PAT with a GitHub App installation token
(NODE_SYNC_APP_CLIENT_ID / NODE_SYNC_APP_KEY) scoped to genlayerlabs/genlayer-node.

netlify Bot commented Apr 28, 2026

Deploy Preview for genlayer-docs ready!

Name Link
🔨 Latest commit 984e09e
🔍 Latest deploy log https://app.netlify.com/projects/genlayer-docs/deploys/69f0c07644c42300081cfff5
😎 Deploy Preview https://deploy-preview-395--genlayer-docs.netlify.app


coderabbitai Bot commented Apr 28, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 57d181b and 984e09e.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/sync-docs-from-node.yml
📝 Walkthrough

The pull request replaces manual token authentication with GitHub App-based token generation in CI/CD workflows. Documentation and workflow configuration are updated to use actions/create-github-app-token@v1 instead of the previously configured NODE_REPO_TOKEN and GITHUB_TOKEN fallback mechanism.

Changes

Cohort: GitHub App Authentication
File(s): .github/workflows/README.md, .github/workflows/sync-docs-from-node.yml
Summary: Transitions from user-managed NODE_REPO_TOKEN fallback to GitHub App installation token generation. README documentation removes the optional token section and adds App token setup instructions. Workflow conditionally generates App tokens in "prepare" job and always in "sync-files" job for repository checkout.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • AgustinRamiroDiaz

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci: use GitHub App token for node sync workflow' accurately and concisely describes the main change—replacing PAT authentication with GitHub App token authentication in the CI workflow.
Description check ✅ Passed The description is well-structured and comprehensive, covering all key aspects: motivation, specific file changes, scoping details, removed fallbacks, and required secrets/configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/README.md:
- Around line 76-77: Update the README to correctly describe
NODE_SYNC_APP_CLIENT_ID as the "GitHub App ID" (not "Client ID") and clarify
that NODE_SYNC_APP_KEY is the PEM private key for the GitHub App; alternatively,
if you prefer a clearer secret name, rename NODE_SYNC_APP_CLIENT_ID to something
like NODE_SYNC_APP_ID and update every place that references that secret (and
the actions/create-github-app-token input named app-id) so the secret name and
the workflow input remain consistent.

In @.github/workflows/sync-docs-from-node.yml:
- Around line 67-76: Replace the v1 action invocation and wrong credential
input: change uses: actions/create-github-app-token@v1 to uses:
actions/create-github-app-token@v3 and replace the app-id input that currently
uses ${{ secrets.NODE_SYNC_APP_CLIENT_ID }} with the client-id input (client-id:
${{ secrets.NODE_SYNC_APP_CLIENT_ID }}), keeping private-key: ${{
secrets.NODE_SYNC_APP_KEY }}; apply the same changes to the second occurrence of
actions/create-github-app-token in the workflow so both uses and inputs
(client-id vs app-id) match the secret type.

📥 Commits

Reviewing files that changed from the base of the PR and between 41fc3ce and 57d181b.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/sync-docs-from-node.yml

Comment on lines +76 to +77
- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify v1 input contract from upstream action metadata/docs.
curl -sL https://raw.githubusercontent.com/actions/create-github-app-token/v1/action.yml | sed -n '1,40p'
curl -sL https://raw.githubusercontent.com/actions/create-github-app-token/v1/README.md | rg -n "Inputs|app-id|client-id|GitHub App ID|Client ID"

Repository: genlayerlabs/genlayer-docs

Length of output: 2427


🏁 Script executed:

#!/bin/bash
# Check the actual workflow file that uses these secrets
cd .github/workflows && ls -la | grep sync && cd - > /dev/null
cat .github/workflows/sync-docs-from-node.yml | grep -A 5 -B 5 "NODE_SYNC_APP_CLIENT_ID\|NODE_SYNC_APP_KEY\|app-id\|private-key"

Repository: genlayerlabs/genlayer-docs

Length of output: 1018


🏁 Script executed:

#!/bin/bash
# Check the README.md current state for lines 76-77
cat -n .github/workflows/README.md | sed -n '70,85p'

Repository: genlayerlabs/genlayer-docs

Length of output: 999


🌐 Web query:

GitHub App ID vs Client ID difference

💡 Result:

The GitHub App ID and Client ID are two distinct identifiers for GitHub Apps.

App ID (numeric, integer):
  • Unique database/internal identifier for the GitHub App.
  • Primarily used to generate the JSON Web Token (JWT) with the private key to authenticate the app itself and fetch installation access tokens.
  • Found on the GitHub App's settings page.
  • Example: 12345

Client ID (alphanumeric string):
  • Used for OAuth flows: to sign in users, generate user access tokens, and request installations.
  • Now (since May 2024) can also be used interchangeably with App ID in the JWT 'iss' claim for minting JWTs to fetch installation tokens, simplifying usage. GitHub recommends transitioning to Client ID for future compatibility, though App ID is not deprecated.
  • Globally unique, unlike App ID.
  • Found on the GitHub App's settings page.
  • Not a secret; safe to expose to end users.
  • Example: Iv23f8doAlphaNumer1c

Key differences:
  • Type: App ID is an integer; Client ID is a string.
  • Primary use: App ID traditionally for server-to-server (JWT/installation tokens); Client ID for user OAuth.
  • Both identify the app but serve different authentication flows.
  • Recent changes allow Client ID overlap with App ID usage to reduce confusion.

Note: These are specific to GitHub Apps. OAuth Apps (separate type) only have a Client ID for their OAuth flow.

To view both: Navigate to your GitHub App settings (Developer settings > GitHub Apps > Edit your app).


Fix documentation: the input expects GitHub App ID, not Client ID.

The README says NODE_SYNC_APP_CLIENT_ID is a "Client ID," but the workflow passes this secret to the app-id input of actions/create-github-app-token@v1, which is documented as expecting a "GitHub App ID." While Client ID has been interchangeable with App ID for JWT-based installation token generation since May 2024, the documentation should match the input name to avoid maintainer confusion.

Update the README to clarify:

📝 Suggested fix
- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+ `NODE_SYNC_APP_CLIENT_ID`: GitHub App ID (numeric)
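
Review bot: The `+` line keeps the secret name `NODE_SYNC_APP_CLIENT_ID` while redefining its value as a numeric App ID, so the name and the stored value would disagree and the next maintainer rotating the credential could paste the wrong identifier. Prefer a change that keeps all three aligned: either rename the secret, or keep the Client ID and pass it to the action's `client-id` input instead of `app-id`.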

Or rename the secret for clarity:

- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+ `NODE_SYNC_APP_ID`: GitHub App ID (numeric)
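
Review bot: The rename on the `+` line touches only the README entry, but the workflow mints a token in two places (the prepare job and the sync-files job), and both reference the old secret name. Update both references and create the repository secret under the new name in the same change, since a reference to a secret that does not exist resolves to an empty string rather than failing on the name.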

(Requires updating the secret reference in .github/workflows/sync-docs-from-node.yml)

Suggested change
- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
- `NODE_SYNC_APP_CLIENT_ID`: GitHub App ID (numeric)
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App

Comment thread .github/workflows/sync-docs-from-node.yml
Bumps actions/create-github-app-token to v3 and switches the credential
input from app-id to client-id, matching the NODE_SYNC_APP_CLIENT_ID secret.
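
The two token steps in the form this PR ends with (v3, `client-id`), as an added sketch that is not the repository's actual workflow file. The action version, input names, secret names and `owner`/`repositories` scoping come from the PR text; the trigger input, step ids, detection command, checkout path and `persist-credentials: false` are assumptions.

```yaml
# Added sketch, not the repository's workflow file. Items marked "assumed"
# are illustrative; the rest follows the PR text.
on:
  workflow_dispatch:
    inputs:
      version:                    # assumed input name
        default: latest
jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - name: Mint App token
        id: app-token             # assumed step id
        if: inputs.version == 'latest'
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
          private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
          owner: genlayerlabs
          repositories: genlayer-node   # token is valid for this repo only
      - name: Detect latest version
        if: inputs.version == 'latest'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        # assumed detection command
        run: gh release view --repo genlayerlabs/genlayer-node --json tagName --jq .tagName
  sync-files:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Mint App token
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
          private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
          owner: genlayerlabs
          repositories: genlayer-node
      - name: Clone source repository
        uses: actions/checkout@v4
        with:
          repository: genlayerlabs/genlayer-node
          token: ${{ steps.app-token.outputs.token }}   # no PAT or GITHUB_TOKEN fallback
          path: source-repo           # assumed path
          persist-credentials: false  # assumed hardening: keep the token out of .git/config
```

Each job mints its own token because step outputs are not shared across jobs, and with the fallback expression removed a missing App secret fails at the mint step instead of continuing with a different credential.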
@dohernandez dohernandez merged commit d0f3cd1 into main Apr 28, 2026
7 checks passed
@dohernandez dohernandez deleted the ci/sync-docs-github-app branch April 28, 2026 15:36