From 25e78bf95de68637fbe7d254ea1d0dc10591ebbc Mon Sep 17 00:00:00 2001
From: Darien Hernandez
Date: Wed, 29 Apr 2026 10:22:58 +0200
Subject: [PATCH] ci: scope sync jobs to Node Sync environment

Credentials are stored as environment secrets in the Node Sync environment, so jobs minting the App token must declare environment: Node Sync at the job level. Reverts the client-id source from vars to secrets to match the environment's actual storage.
---
 .github/workflows/README.md | 8 +++++---
 .github/workflows/sync-docs-from-node.yml | 6 ++++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 7b92ce49..b9c91b44 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -71,10 +71,12 @@ Add this to a workflow in the genlayer-node repository:
 Access to the private `genlayerlabs/genlayer-node` repository is provided by a GitHub App installed on that repository. The workflow mints a short-lived installation token via `actions/create-github-app-token@v3`.
-Required configuration:
+Credentials live in the **`Node Sync`** GitHub Environment (Settings → Environments → Node Sync). Any job that needs the App token must declare `environment: Node Sync` at the job level — without it, `secrets.NODE_SYNC_APP_*` resolves to empty.
-- `NODE_SYNC_APP_CLIENT_ID` (repository variable): Client ID of the GitHub App
-- `NODE_SYNC_APP_KEY` (repository secret): PEM-encoded private key of the GitHub App
+Required environment secrets:
+
+- `NODE_SYNC_APP_CLIENT_ID`: Client ID of the GitHub App
+- `NODE_SYNC_APP_KEY`: PEM-encoded private key of the GitHub App
 The App must be installed on `genlayerlabs/genlayer-node` with at least `Contents: Read` permission. Tokens are scoped to that single repository at mint time.
diff --git a/.github/workflows/sync-docs-from-node.yml b/.github/workflows/sync-docs-from-node.yml
index 63c59056..232e8cd7 100644
--- a/.github/workflows/sync-docs-from-node.yml
+++ b/.github/workflows/sync-docs-from-node.yml
@@ -47,6 +47,7 @@ jobs:
 prepare:
 name: 'Determine Version'
 runs-on: ubuntu-latest
+ environment: Node Sync
 outputs:
 version: ${{ steps.final_version.outputs.version }}
 steps:
@@ -69,7 +70,7 @@ jobs:
 if: steps.extract.outputs.version == 'latest'
 uses: actions/create-github-app-token@v3
 with:
- client-id: ${{ vars.NODE_SYNC_APP_CLIENT_ID }}
+ client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
 private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
 repositories: genlayer-node
@@ -99,6 +100,7 @@ jobs:
 name: 'Sync Files'
 runs-on: ubuntu-latest
 needs: prepare
+ environment: Node Sync
 strategy:
 matrix:
 sync_type: [changelog, config, config_asimov, config_bradbury, docker_compose, docker_compose_monitoring, alloy_config, greybox_setup, api_gen, api_debug, api_ops]
@@ -119,7 +121,7 @@ jobs:
 id: app-token
 uses: actions/create-github-app-token@v3
 with:
- client-id: ${{ vars.NODE_SYNC_APP_CLIENT_ID }}
+ client-id: ${{ secrets.NODE_SYNC_APP_CLIENT_ID }}
 private-key: ${{ secrets.NODE_SYNC_APP_KEY }}
 repositories: genlayer-node
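Review bot: The `environment: Node Sync` line added to the `prepare` job (and again to the 'Sync Files' job in the third hunk) only protects the App key if the environment itself carries protection rules, and nothing in this change records which ones are expected. Without a deployment branch restriction on the environment, a workflow run from any branch can presumably declare the same environment and resolve `secrets.NODE_SYNC_APP_KEY`; I would state the expectation next to the key, e.g. `# Node Sync must restrict deployments to the default branch; it holds the GitHub App private key`. 'Sync Files' is also an 11-leg matrix, so a required-reviewers rule on the environment would gate every leg separately, which is worth deciding on deliberately. Both job definitions continue outside their hunks.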
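Review bot: The token minted in this step (and in the identical step of the fourth hunk) carries every permission the App installation has, because the `with:` block passes no `permission-*` input. The README asks only for `Contents: Read`, so adding `permission-contents: read` under `repositories: genlayer-node` keeps the token read-only even if the App is later granted more. The step also hands the private key to `actions/create-github-app-token@v3` through a mutable tag; pinning it as `uses: actions/create-github-app-token@<full-commit-sha> # v3` (placeholder, take the SHA from the release you have reviewed) removes that moving part. The step begins above the hunk, so its `name` and any earlier keys are not visible here.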