Merged
15 changes: 11 additions & 4 deletions .github/workflows/README.md
Expand Up @@ -67,12 +67,19 @@ Add this to a workflow in the genlayer-node repository:
- Creating pull requests via GitHub CLI (automatically detected by `gh`)
- General workflow authentication

#### GitHub App (User-Managed)

Access to the private `genlayerlabs/genlayer-node` repository is provided by a GitHub App installed on that repository. The workflow mints a short-lived installation token via `actions/create-github-app-token@v3`.

Required repository secrets:

- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
Comment on lines +76 to +77
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify v1 input contract from upstream action metadata/docs.
curl -sL https://raw.githubusercontent.com/actions/create-github-app-token/v1/action.yml | sed -n '1,40p'
curl -sL https://raw.githubusercontent.com/actions/create-github-app-token/v1/README.md | rg -n "Inputs|app-id|client-id|GitHub App ID|Client ID"

Repository: genlayerlabs/genlayer-docs

Length of output: 2427


🏁 Script executed:

#!/bin/bash
# Check the actual workflow file that uses these secrets
cd .github/workflows && ls -la | grep sync && cd - > /dev/null
cat .github/workflows/sync-docs-from-node.yml | grep -A 5 -B 5 "NODE_SYNC_APP_CLIENT_ID\|NODE_SYNC_APP_KEY\|app-id\|private-key"

Repository: genlayerlabs/genlayer-docs

Length of output: 1018


🏁 Script executed:

#!/bin/bash
# Check the README.md current state for lines 76-77
cat -n .github/workflows/README.md | sed -n '70,85p'

Repository: genlayerlabs/genlayer-docs

Length of output: 999


🌐 Web query:

GitHub App ID vs Client ID difference

💡 Result:

The GitHub App ID and Client ID are two distinct identifiers for GitHub Apps.

App ID (numeric, integer):
- Unique database/internal identifier for the GitHub App.
- Primarily used to generate the JSON Web Token (JWT) with the private key to authenticate the app itself and fetch installation access tokens.
- Found on the GitHub App's settings page.
- Example: 12345

Client ID (alphanumeric string):
- Used for OAuth flows: to sign in users, generate user access tokens, and request installations.
- Now (since May 2024) can also be used interchangeably with App ID in the JWT 'iss' claim for minting JWTs to fetch installation tokens, simplifying usage. GitHub recommends transitioning to Client ID for future compatibility, though App ID is not deprecated.
- Globally unique, unlike App ID.
- Found on the GitHub App's settings page.
- Not a secret; safe to expose to end users.
- Example: Iv23f8doAlphaNumer1c

Key differences:
- Type: App ID is an integer; Client ID is a string.
- Primary use: App ID traditionally for server-to-server (JWT/installation tokens); Client ID for user OAuth.
- Both identify the app but serve different authentication flows.
- Recent changes allow Client ID overlap with App ID usage to reduce confusion.

Note: These are specific to GitHub Apps. OAuth Apps (separate type) only have a Client ID for their OAuth flow.

To view both: Navigate to your GitHub App settings (Developer settings > GitHub Apps > Edit your app).


Fix documentation: the input expects GitHub App ID, not Client ID.

The README says NODE_SYNC_APP_CLIENT_ID is a "Client ID," but the workflow passes this secret to the app-id input of actions/create-github-app-token@v1, which is documented as expecting a "GitHub App ID." While Client ID has been interchangeable with App ID for JWT-based installation token generation since May 2024, the documentation should match the input name to avoid maintainer confusion.

Update the README to clarify:

📝 Suggested fix
- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+ `NODE_SYNC_APP_CLIENT_ID`: GitHub App ID (numeric)

Or rename the secret for clarity:

- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+ `NODE_SYNC_APP_ID`: GitHub App ID (numeric)

(Requires updating the secret reference in .github/workflows/sync-docs-from-node.yml)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
- `NODE_SYNC_APP_CLIENT_ID`: GitHub App ID (numeric)
- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/README.md around lines 76 - 77, Update the README to
correctly describe NODE_SYNC_APP_CLIENT_ID as the "GitHub App ID" (not "Client
ID") and clarify that NODE_SYNC_APP_KEY is the PEM private key for the GitHub
App; alternatively, if you prefer a clearer secret name, rename
NODE_SYNC_APP_CLIENT_ID to something like NODE_SYNC_APP_ID and update every
place that references that secret (and the actions/create-github-app-token input
named app-id) so the secret name and the workflow input remain consistent.


The App must be installed on `genlayerlabs/genlayer-node` with at least `Contents: Read` permission. Tokens are scoped to that single repository at mint time.

#### Personal Access Tokens (User-Managed)

- `NODE_REPO_TOKEN` (optional): Personal Access Token for accessing private genlayer-node repository. Used for:
- Cloning private genlayer-node repository
- Falls back to `GITHUB_TOKEN` if not provided

- `DOCS_REPO_TOKEN` (in genlayer-node): Token with `repo` scope for triggering this workflow. Used for:
- Triggering repository dispatch events from genlayer-node
- Must have `repo` scope to trigger workflows
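
Review bot: "at least `Contents: Read`" in the installation requirement reads as a minimum rather than the intended grant; say that `Contents: Read` on `genlayerlabs/genlayer-node` is the only permission the sync needs, so the App is not installed with broader access than the workflow uses. If the `NODE_REPO_TOKEN` entry under "Personal Access Tokens" is kept, mark it as no longer used by this workflow, since the workflow changes replace `secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN` with `steps.app-token.outputs.token`.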
25 changes: 22 additions & 3 deletions .github/workflows/sync-docs-from-node.yml
Expand Up @@ -52,7 +52,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Extract version parameter
id: extract
run: |
Expand All @@ -64,11 +64,21 @@ jobs:
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Requested version: $VERSION"

- name: Generate GitHub App token
id: app-token
if: steps.extract.outputs.version == 'latest'
uses: actions/create-github-app-token@v3
with:
client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
owner: genlayerlabs
repositories: genlayer-node

coderabbitai[bot] marked this conversation as resolved.
- name: Detect latest version
id: detect
if: steps.extract.outputs.version == 'latest'
env:
GITHUB_TOKEN: ${{ secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
source .github/scripts/version-utils.sh
LATEST_TAG=$(detect_latest_version "$GITHUB_TOKEN")
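
Review bot: `uses: actions/create-github-app-token@v3` in the new "Generate GitHub App token" step references a mutable tag, and that step is handed `secrets.NODE_SYNC_APP_KEY`. Pin the action to a full commit SHA, with the version in a trailing comment, so a moved tag cannot change the code that handles the App private key. The context line `detect_latest_version "$GITHUB_TOKEN"` also passes the minted token as a command-line argument; since the value is already exported through `env:`, the function could read it from the environment instead.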
Expand Down Expand Up @@ -106,11 +116,20 @@ jobs:
sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
sudo chmod +x /usr/local/bin/yq

- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v3
with:
client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
owner: genlayerlabs
repositories: genlayer-node

- name: Clone source repository
uses: actions/checkout@v4
with:
repository: genlayerlabs/genlayer-node
token: ${{ secrets.NODE_REPO_TOKEN || secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}
fetch-depth: 1
sparse-checkout: |
docs
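
Review bot: the "Clone source repository" step now passes the installation token to `actions/checkout@v4` through `token:`, and unless `persist-credentials: false` is set further down in this `with:` block, checkout leaves that token in the clone's local git configuration for every later step in the job. The token is only needed for the fetch, so add `persist-credentials: false` here. This job also repeats the `actions/create-github-app-token@v3` step by tag, so the same commit-SHA pin applies.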