From 57d181bad86a5d0a0bf7743c20fb4ebe64b29288 Mon Sep 17 00:00:00 2001
From: Darien Hernandez
Date: Tue, 28 Apr 2026 15:26:54 +0200
Subject: [PATCH 1/3] ci: use GitHub App token for node sync workflow

Replaces the NODE_REPO_TOKEN PAT with a GitHub App installation token (NODE_SYNC_APP_CLIENT_ID / NODE_SYNC_APP_KEY) scoped to genlayerlabs/genlayer-node.
---
 .github/workflows/README.md | 15 ++++++++++----
 .github/workflows/sync-docs-from-node.yml | 25 ++++++++++++++++++++---
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 0c5fb4dd..b5b7a340 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -67,12 +67,19 @@ Add this to a workflow in the genlayer-node repository:
 - Creating pull requests via GitHub CLI (automatically detected by `gh`)
 - General workflow authentication

+#### GitHub App (User-Managed)
+
+Access to the private `genlayerlabs/genlayer-node` repository is provided by a GitHub App installed on that repository. The workflow mints a short-lived installation token via `actions/create-github-app-token@v1`.
+
+Required repository secrets:
+
+- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
+
+The App must be installed on `genlayerlabs/genlayer-node` with at least `Contents: Read` permission. Tokens are scoped to that single repository at mint time.
+
 #### Personal Access Tokens (User-Managed)

-- `NODE_REPO_TOKEN` (optional): Personal Access Token for accessing private genlayer-node repository. Used for:
- - Cloning private genlayer-node repository
- - Falls back to `GITHUB_TOKEN` if not provided
-
 - `DOCS_REPO_TOKEN` (in genlayer-node): Token with `repo` scope for triggering this workflow. Used for:
 - Triggering repository dispatch events from genlayer-node
 - Must have `repo` scope to trigger workflows
diff --git a/.github/workflows/sync-docs-from-node.yml b/.github/workflows/sync-docs-from-node.yml
index 17556db0..2876f0e0 100644
--- a/.github/workflows/sync-docs-from-node.yml
+++ b/.github/workflows/sync-docs-from-node.yml
@@ -52,7 +52,7 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
-
+
 - name: Extract version parameter
 id: extract
 run: |
@@ -64,11 +64,21 @@ jobs:
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 echo "Requested version: $VERSION"

+ - name: Generate GitHub App token
+ id: app-token
+ if: steps.extract.outputs.version == 'latest'
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
+ owner: genlayerlabs
+ repositories: genlayer-node
+
 - name: Detect latest version
 id: detect
 if: steps.extract.outputs.version == 'latest'
 env:
- GITHUB_TOKEN: ${{ secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 source .github/scripts/version-utils.sh
 LATEST_TAG=$(detect_latest_version "$GITHUB_TOKEN")
@@ -106,11 +116,20 @@ jobs:
 sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
 sudo chmod +x /usr/local/bin/yq

+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
+ owner: genlayerlabs
+ repositories: genlayer-node
+
 - name: Clone source repository
 uses: actions/checkout@v4
 with:
 repository: genlayerlabs/genlayer-node
- token: ${{ secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 fetch-depth: 1
 sparse-checkout: |
 docs
From bfa9008112f4b4671f11c6ea19c91d78618f2d6d Mon Sep 17 00:00:00 2001
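Review bot: The added `Generate GitHub App token` step passes `NODE_SYNC_APP_KEY` to an action referenced by a mutable tag, `actions/create-github-app-token@v1`; the same applies to the second token step added before `Clone source repository`, and the follow-up patch that moves both to `@v3` keeps the tag form. Pinning to a full commit SHA with the version in a trailing comment, `uses: actions/create-github-app-token@<full-commit-sha> # v1`, means a moved tag cannot change the code that receives the App private key. Both new steps also use `id: app-token`; the hunk headers only show `jobs:`, so confirm they live in different jobs, since a step id has to be unique within one job. The enclosing job starts and ends outside this hunk.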
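Review bot: The token minted ahead of `Clone source repository` is limited to one repository by `owner` and `repositories`, but nothing limits its permissions, so it carries whatever the App installation was granted even though the README in this series asks only for `Contents: Read` (the first token step has the same gap). Adding `permission-contents: read` under the step's `with:` would narrow it to what a sparse clone needs, provided the action version in use accepts the `permission-*` inputs. The checkout's `with:` block runs past the end of the hunk, so it is not visible whether `persist-credentials: false` is set; by default actions/checkout keeps the token in the clone's git config, where later steps of the job, including the `yq` binary downloaded from `releases/latest` above, could read it.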
From: Darien Hernandez
Date: Tue, 28 Apr 2026 16:02:14 +0200
Subject: [PATCH 2/3] ci: use client-id input for create-github-app-token

Bumps actions/create-github-app-token to v3 and switches the credential input from app-id to client-id, matching the NODE_SYNC_APP_CLIENT_ID secret.
---
 .github/workflows/sync-docs-from-node.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/sync-docs-from-node.yml b/.github/workflows/sync-docs-from-node.yml
index 2876f0e0..ea80ab1c 100644
--- a/.github/workflows/sync-docs-from-node.yml
+++ b/.github/workflows/sync-docs-from-node.yml
@@ -67,9 +67,9 @@ jobs:
 - name: Generate GitHub App token
 id: app-token
 if: steps.extract.outputs.version == 'latest'
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@v3
 with:
- app-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
+ client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
 private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
 owner: genlayerlabs
 repositories: genlayer-node
@@ -118,9 +118,9 @@ jobs:

 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@v3
 with:
- app-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
+ client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
 private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
 owner: genlayerlabs
 repositories: genlayer-node
From 984e09ef5b6f28c153f735ea3e7a8208400c5629 Mon Sep 17 00:00:00 2001
From: Darien Hernandez
Date: Tue, 28 Apr 2026 16:13:01 +0200
Subject: [PATCH 3/3] docs: bump create-github-app-token reference to v3

---
 .github/workflows/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index b5b7a340..e2b409d8 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -69,7 +69,7 @@ Add this to a workflow in the genlayer-node repository:

 #### GitHub App (User-Managed)

-Access to the private `genlayerlabs/genlayer-node` repository is provided by a GitHub App installed on that repository. The workflow mints a short-lived installation token via `actions/create-github-app-token@v1`.
+Access to the private `genlayerlabs/genlayer-node` repository is provided by a GitHub App installed on that repository. The workflow mints a short-lived installation token via `actions/create-github-app-token@v3`.

 Required repository secrets: