Replace SITE_DEPLOY_PAT with gh-cli-site-deployer App #13492
williammartin wants to merge 1 commit into
Pull request overview
Replaces the release workflow’s use of a long-lived, personally held SITE_DEPLOY_PAT with a short-lived installation token minted from the gh-cli-site-deployer GitHub App when running in the production environment.
Changes:
- Add a step to generate a GitHub App installation token for `github/cli.github.com` during production releases.
- Update the documentation-site checkout to use the generated token instead of `SITE_DEPLOY_PAT`.
- Mirror the workflow change in the release process deep-dive documentation excerpt.
| File | Description |
|---|---|
| `.github/workflows/deployment.yml` | Switch documentation-site checkout authentication from PAT to GitHub App installation token. |
| `docs/release-process-deep-dive.md` | Update the documented workflow excerpt to reflect the move from PAT to GitHub App token. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
The release workflow currently checks out `github/cli.github.com` using a personal access token (`SITE_DEPLOY_PAT`) owned by an individual maintainer to push generated docs, the `index.html` version stamp, and RPM/DEB package metadata. Replace that with a short-lived installation token minted at runtime from the new `gh-cli-site-deployer` GitHub App, owned by the `github` org and installed only on `github/cli.github.com` with Contents:write permission.

The App's credentials live in the production environment as `SITE_DEPLOY_APP_CLIENT_ID` and `SITE_DEPLOY_APP_PRIVATE_KEY`, federated from the github-cli Vault.

The token mint step is guarded on `inputs.environment == 'production'` because non-production environments don't have the App credentials and don't push to the site anyway (the Publish site step is already gated on `DO_PUBLISH` which requires production). `github/cli.github.com` is public, so the checkout in non-production falls back to `GITHUB_TOKEN` for anonymous read access, matching existing behavior.

Also update `docs/release-process-deep-dive.md` to reflect the new flow.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Replaces the personally-held `SITE_DEPLOY_PAT` used by the release workflow with an installation token from the new `gh-cli-site-deployer` GitHub App that is installed on the `github/cli.github.com` repository.

An example of this working can be seen for @babakks and @BagToad at https://github.com/williammartin/gh-cli-site-deployer-smoke-test/actions/runs/26300057269
Note: the secrets aren't in the production environment yet, awaiting federation, or manual addition, but would like review of this first.
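The PAT-to-App-token change that the commit message and the Summary describe, shown as a before/after workflow excerpt. This is an added illustration, not the PR's diff of `.github/workflows/deployment.yml` (which is not reproduced on this page). It assumes the token is minted with the `actions/create-github-app-token` action (whose `app-id` input accepts a client ID and whose `permission-contents` input scopes the token), and the job name `publish-site`, the step id `site-deploy-token`, the `workflow_call` input wiring and the `DO_PUBLISH` gate expression are illustrative assumptions.

```yaml
# Added illustrative excerpt; not the cli/cli repository's own deployment.yml.
# Assumed names: job "publish-site", step id "site-deploy-token".

on:
  workflow_call:
    inputs:
      environment:
        description: 'Deployment environment (only "production" publishes the site)'
        required: true
        type: string

jobs:
  publish-site:
    runs-on: ubuntu-latest
    # The App credentials are environment secrets, so the job must declare the
    # environment to see SITE_DEPLOY_APP_CLIENT_ID / SITE_DEPLOY_APP_PRIVATE_KEY.
    environment: ${{ inputs.environment }}
    steps:
      # BEFORE (weak setting): a long-lived PAT held by one maintainer. It never
      # expires on its own, carries that person's access to every repo the token
      # was granted, and has to be rotated by hand if it leaks or they leave.
      #
      #   - name: Checkout documentation site
      #     uses: actions/checkout@v4
      #     with:
      #       repository: github/cli.github.com
      #       token: ${{ secrets.SITE_DEPLOY_PAT }}

      # AFTER: mint a short-lived installation token only in production.
      # Non-production runs have no App credentials and never push, so the
      # step is skipped there and the checkout falls back to GITHUB_TOKEN.
      - name: Generate site deployer token
        id: site-deploy-token
        if: inputs.environment == 'production'
        uses: actions/create-github-app-token@v2   # assumed action for minting the token
        with:
          app-id: ${{ secrets.SITE_DEPLOY_APP_CLIENT_ID }}   # client ID is accepted here
          private-key: ${{ secrets.SITE_DEPLOY_APP_PRIVATE_KEY }}
          owner: github
          repositories: cli.github.com          # the only repo the App is installed on
          permission-contents: write            # assumed: request no more than the App's Contents:write

      - name: Checkout documentation site
        uses: actions/checkout@v4
        with:
          repository: github/cli.github.com
          # A skipped step yields an empty output, so the expression falls back to
          # GITHUB_TOKEN, which is enough for anonymous read of the public repo.
          token: ${{ steps.site-deploy-token.outputs.token || secrets.GITHUB_TOKEN }}
          path: cli.github.com

      - name: Publish site
        # The page states this step is already gated on DO_PUBLISH, which
        # requires production; the exact expression is assumed.
        if: env.DO_PUBLISH == 'true'
        run: git -C cli.github.com push origin HEAD
```

The installation token is valid for one hour and only for `github/cli.github.com`, so a leaked workflow log or a compromised later step gets a credential that is both narrowly scoped and already expiring, and revocation is a matter of rotating the App's private key rather than chasing down a person's PAT. Once the App secrets are federated into the production environment, the old `SITE_DEPLOY_PAT` secret can be deleted and the PAT itself revoked.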