
ci: gate node sync on a single approval#399

Merged
dohernandez merged 1 commit into main from ci/sync-docs-single-approval on Apr 29, 2026

Conversation

@dohernandez
Member

@dohernandez dohernandez commented Apr 29, 2026

Description

Reduces the docs-sync workflow from two approval prompts per run to one.

The Node Sync GitHub Environment carries a Required-reviewers protection rule, and that rule fires once per job that declares the environment. Previously both prepare and sync-files declared it, so the team had to approve twice for every sync.

Changes

  • .github/workflows/sync-docs-from-node.yml:
    • prepare job now mints the App token unconditionally (removed the if: version == 'latest' gate, since downstream jobs need it regardless) and exposes it as outputs.token.
    • sync-files job drops environment: Node Sync and its own duplicate token-mint step. The Clone source repository step now reads the token from needs.prepare.outputs.token.
  • .github/workflows/README.md: documents the single-approval pattern and warns against re-introducing the environment on additional jobs.

Security note

actions/create-github-app-token calls core.setSecret() on the token, which masks it in the originating job's logs. GitHub Actions' masking does not propagate across job boundaries, so this pattern relies on no downstream step ever printing needs.prepare.outputs.token. The only consumer is actions/checkout's token: input, which doesn't log it. Token TTL is ~1 hour, well above the workflow's typical runtime.

Summary by CodeRabbit

  • Documentation
    • Updated GitHub Actions workflow documentation to clarify token management and environment approval processes.
  • Refactor
    • Optimized CI/CD workflow token generation to streamline pipeline operations and improve efficiency while maintaining security requirements.
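The workflow shape the Changes and Security note sections describe (one gated prepare job that mints the App token and exposes it as an output, a sync-files job that consumes it only through actions/checkout and never prints it), written out here as an added illustration rather than the repository's own sync-docs-from-node.yml; the secret names, action versions, source repository and matrix entries are assumed placeholders.

```yaml
name: Sync docs from node

on:
  workflow_dispatch:
    inputs:
      version:
        description: Node version to sync from
        default: latest

jobs:
  prepare:
    runs-on: ubuntu-latest
    # The only job that declares the environment, so the Required-reviewers
    # rule on "Node Sync" prompts exactly once per run.
    environment: Node Sync
    outputs:
      token: ${{ steps.app-token.outputs.token }}
    steps:
      - id: app-token
        # Minted unconditionally (no `if: version == 'latest'` gate):
        # downstream jobs need the token for every version.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.SYNC_APP_ID }}                 # assumed secret name
          private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }}   # assumed secret name

  sync-files:
    needs: prepare
    runs-on: ubuntu-latest
    # No `environment:` here. Declaring "Node Sync" on this job too would
    # make the protection rule fire a second time.
    strategy:
      matrix:
        target: [docs-a, docs-b]   # placeholder matrix entries
    steps:
      - name: Clone source repository
        uses: actions/checkout@v4
        with:
          repository: example-org/node            # placeholder source repo
          token: ${{ needs.prepare.outputs.token }}   # sole consumer; checkout does not log it
          path: source
      # Do not add a step that echoes needs.prepare.outputs.token: the
      # core.setSecret() mask from the prepare job does not reach this job's log.
```

On the first run, check the prepare job log for the output actually being handed over: GitHub redacts job outputs that contain masked secrets and does not forward them, so an empty token in sync-files means the hand-off needs a different route.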

Mints the GitHub App token once in the prepare job and propagates it via
needs.prepare.outputs.token to sync-files. Only prepare declares the
Node Sync environment, so the Required-reviewers rule fires once per run
instead of once per gated job.
@netlify

netlify Bot commented Apr 29, 2026

Deploy Preview for genlayer-docs ready!

Latest commit: 889b0e4
Latest deploy log: https://app.netlify.com/projects/genlayer-docs/deploys/69f1cd296b90da0008ef81af
Deploy Preview: https://deploy-preview-399--genlayer-docs.netlify.app

@coderabbitai
Contributor

coderabbitai Bot commented Apr 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4271b383-3fef-476f-94ad-8c6581928ece

📥 Commits

Reviewing files that changed from the base of the PR and between 4a6012d and 889b0e4.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/sync-docs-from-node.yml

Walkthrough

The documentation and workflow files have been updated to centralize GitHub App token generation. The prepare job now generates the token once and exposes it as a job output, eliminating the need for downstream jobs to declare the Node Sync environment or mint their own tokens. This streamlines the authentication pattern while maintaining security through the approval gate.

Changes

Documentation (.github/workflows/README.md): Updated documentation to explain that the Node Sync environment enforces required-reviewer approval and that prepare should mint the token once for downstream job consumption.

Workflow Optimization (.github/workflows/sync-docs-from-node.yml): Removed conditional gating from prepare job token generation and exposed it as a job output. The sync-files job no longer declares environment or creates per-matrix token steps; it now authenticates using the shared token from needs.prepare.outputs.token.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • AgustinRamiroDiaz

Poem

🐰 One token to rule them all, one token to find,
No more approvals for each job in the line,
The prepare now leads with a gift to bestow,
One output to share, watch the workflow go!
Token consolidation hops into the night. ✨

Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately describes the main change: consolidating GitHub Environment approvals from two to one by gating the sync on a single approval step.
  • Description check: Passed. The description comprehensively covers the changes, includes security considerations, and explains the rationale; however it lacks the Conventional Commits format specified in the template.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@dohernandez dohernandez merged commit a567b5d into main Apr 29, 2026
7 checks passed
@dohernandez dohernandez deleted the ci/sync-docs-single-approval branch April 29, 2026 14:14