diff --git a/.github/workflows/check-broken-links-github-github.yml b/.github/workflows/check-broken-links-github-github.yml
index 04be7a9b5a..97791b30ca 100644
--- a/.github/workflows/check-broken-links-github-github.yml
+++ b/.github/workflows/check-broken-links-github-github.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 # need to use a token from a user with access to github/github for this step
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 REPORT_AUTHOR: docs-bot
 REPORT_LABEL: github github broken link report
 REPORT_REPOSITORY: github/docs-content
@@ -33,7 +33,7 @@ jobs:
 - uses: ./.github/actions/get-docs-early-access
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Build server
 run: npm run build
diff --git a/.github/workflows/check-for-spammy-issues.yml b/.github/workflows/check-for-spammy-issues.yml
index 94a42e037c..9a0f7be2da 100644
--- a/.github/workflows/check-for-spammy-issues.yml
+++ b/.github/workflows/check-for-spammy-issues.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |
 const issue = context.payload.issue
diff --git a/.github/workflows/close-bad-repo-sync-prs.yml b/.github/workflows/close-bad-repo-sync-prs.yml
index 493f259be3..ec3443d9da 100644
--- a/.github/workflows/close-bad-repo-sync-prs.yml
+++ b/.github/workflows/close-bad-repo-sync-prs.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Close pull request if unwanted
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |
 const { owner, repo } = context.repo
 const prCreator = context.actor
diff --git a/.github/workflows/confirm-internal-staff-work-in-docs.yml b/.github/workflows/confirm-internal-staff-work-in-docs.yml
index af3f546418..ece489d124 100644
--- a/.github/workflows/confirm-internal-staff-work-in-docs.yml
+++ b/.github/workflows/confirm-internal-staff-work-in-docs.yml
@@ -28,7 +28,7 @@ jobs:
 env:
 TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |
 // Only perform this action with GitHub employees
 try {
diff --git a/.github/workflows/copy-api-issue-to-internal.yml b/.github/workflows/copy-api-issue-to-internal.yml
index 01713bf0b5..d51b3383d6 100644
--- a/.github/workflows/copy-api-issue-to-internal.yml
+++ b/.github/workflows/copy-api-issue-to-internal.yml
@@ -22,7 +22,7 @@ jobs:
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 id: triggered-by-member
 with:
- github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
 result-encoding: string
 script: |
 const triggerer_login = context.payload.sender.login
@@ -48,26 +48,26 @@ jobs:
 new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content)"
 echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
 env:
- GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
 ISSUE_TITLE: ${{ github.event.issue.title }}
 ISSUE_BODY: ${{ github.event.issue.body }}
 - name: Comment on the old issue
 run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue."
 env:
- GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
 OLD_ISSUE: ${{ github.event.issue.html_url }}
 - name: Close the old issue
 run: gh issue close $OLD_ISSUE
 env:
- GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
 OLD_ISSUE: ${{ github.event.issue.html_url }}
 - name: Comment on the new issue
 run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE"
 env:
- GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
 NEW_ISSUE: ${{ env.NEW_ISSUE }}
 OLD_ISSUE: ${{ github.event.issue.html_url }}
diff --git a/.github/workflows/count-translation-corruptions.yml b/.github/workflows/count-translation-corruptions.yml
index 56e57e0871..7e3ec57da6 100644
--- a/.github/workflows/count-translation-corruptions.yml
+++ b/.github/workflows/count-translation-corruptions.yml
@@ -28,7 +28,7 @@ jobs:
 with:
 # Using a PAT is necessary so that the new commit will trigger the
 # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 # It's important because translations are often a bit behind.
 # So if a translation is a bit behind, it might still be referencing
@@ -36,7 +36,7 @@ jobs:
 - name: Clone all translations
 uses: ./.github/actions/clone-translations
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - uses: ./.github/actions/node-npm-setup
diff --git a/.github/workflows/delete-orphan-translation-files.yml b/.github/workflows/delete-orphan-translation-files.yml
index 350f9992cf..beade49d74 100644
--- a/.github/workflows/delete-orphan-translation-files.yml
+++ b/.github/workflows/delete-orphan-translation-files.yml
@@ -66,7 +66,7 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: ${{ matrix.language_repo }}
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 path: ${{ matrix.language_dir }}
 - uses: ./.github/actions/node-npm-setup
@@ -89,7 +89,7 @@ jobs:
 working-directory: ${{ matrix.language_dir }}
 env:
 # Needed for gh
- GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: |
 # If nothing to commit, exit now. It's fine. No orphans.
 changes=$(git diff --name-only | wc -l)
diff --git a/.github/workflows/docs-review-collect.yml b/.github/workflows/docs-review-collect.yml
index e9fc809aea..421b5eb43b 100644
--- a/.github/workflows/docs-review-collect.yml
+++ b/.github/workflows/docs-review-collect.yml
@@ -35,7 +35,7 @@ jobs:
 run: |
 npm run fr-add-docs-reviewers-requests
 env:
- TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PROJECT_NUMBER: 2936
 ORGANIZATION: 'github'
 REPO: 'audit-log-allowlists'
diff --git a/.github/workflows/enterprise-dates.yml b/.github/workflows/enterprise-dates.yml
index 092d9aa967..2dd15f3dc0 100644
--- a/.github/workflows/enterprise-dates.yml
+++ b/.github/workflows/enterprise-dates.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Run src/ghes-releases/scripts/update-enterprise-dates.js
 run: npm run update-enterprise-dates
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Create pull request
 id: create-pull-request
@@ -41,7 +41,7 @@ jobs:
 HUSKY: '0'
 with:
 # need to use a token with repo and workflow scopes for this step
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 commit-message: '🤖 ran src/ghes-releases/scripts/update-enterprise-dates.js'
 title: 🤖 src/ghes-releases/lib/enterprise-dates.json update
 body:
@@ -54,7 +54,7 @@ jobs:
 - name: Enable GitHub auto-merge
 if: ${{ steps.create-pull-request.outputs.pull-request-number }}
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
 run: npm run enable-automerge
diff --git a/.github/workflows/enterprise-release-issue.yml b/.github/workflows/enterprise-release-issue.yml
index 72b6684ddb..2dbc8064d3 100644
--- a/.github/workflows/enterprise-release-issue.yml
+++ b/.github/workflows/enterprise-release-issue.yml
@@ -26,12 +26,12 @@ jobs:
 - name: Create an enterprise release issue
 run: npm run create-enterprise-issue -- release
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Create an enterprise deprecation issue
 run: npm run create-enterprise-issue -- deprecation
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - uses: ./.github/actions/slack-alert
 if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
diff --git a/.github/workflows/first-responder-v2-prs-collect.yml b/.github/workflows/first-responder-v2-prs-collect.yml
index 26f02d2cf1..47589a9ea5 100644
--- a/.github/workflows/first-responder-v2-prs-collect.yml
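Review bot: The comment kept above the `token:` input in the `@@ -41,7` hunk of enterprise-dates.yml still says this step needs repo and workflow scopes, and the same DOCS_BOT_PAT_BASE now also replaces the read-only DOCS_BOT_PAT_READPUBLICKEY in the checkout and clone steps elsewhere on this page, so the consolidated token presumably carries those write scopes into every step that only needs to read. Nothing in the diff records what DOCS_BOT_PAT_BASE is scoped to or whether it is a fine-grained PAT limited to the repositories these workflows name; I would make the comment say so, e.g. `# DOCS_BOT_PAT_BASE: shared docs-bot PAT; must carry repo + workflow scope here (the pushed commit has to trigger CI) and is reused by read-only steps, so keep it fine-grained and limited to the repos these workflows touch`. If a second, read-only secret is retained for the checkout-only steps, that would be the place to mention it. The `Create pull request` step's remaining inputs continue outside the hunk.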
+++ b/.github/workflows/first-responder-v2-prs-collect.yml
@@ -27,7 +27,7 @@ jobs:
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 id: check-membership
 with:
- github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
 result-encoding: string
 script: |
 const repoName = context.payload.repository.name
@@ -71,7 +71,7 @@ jobs:
 - name: Triage to docs-content FR project
 if: steps.check-membership.outputs.result == 'false'
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 PROJECT_NUMBER: 11672
 PROJECT_ID: PVT_kwDNJr_OAGNkBg
diff --git a/.github/workflows/generate-code-scanning-query-lists.yml b/.github/workflows/generate-code-scanning-query-lists.yml
index 2b022eb4bb..a0bd5f22a2 100644
--- a/.github/workflows/generate-code-scanning-query-lists.yml
+++ b/.github/workflows/generate-code-scanning-query-lists.yml
@@ -69,7 +69,7 @@ jobs:
 - uses: ./.github/actions/install-cocofix
 with:
- token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Lint the code (eslint)
 if: ${{ github.event_name == 'pull_request' }}
@@ -103,7 +103,7 @@ jobs:
 - name: Create pull request
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 DRY_RUN: ${{ github.event_name == 'pull_request'}}
 run: |
diff --git a/.github/workflows/hubber-contribution-help.yml b/.github/workflows/hubber-contribution-help.yml
index e3896a7130..8440f38810 100644
--- a/.github/workflows/hubber-contribution-help.yml
+++ b/.github/workflows/hubber-contribution-help.yml
@@ -28,7 +28,7 @@ jobs:
 - id: membership_check
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |
 try {
 await github.rest.teams.getMembershipForUserInOrg({
diff --git a/.github/workflows/index-autocomplete-search.yml b/.github/workflows/index-autocomplete-search.yml
index da837deec7..8d116a66ca 100644
--- a/.github/workflows/index-autocomplete-search.yml
+++ b/.github/workflows/index-autocomplete-search.yml
@@ -32,7 +32,7 @@ jobs:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 repository: github/docs-internal-data
 path: docs-internal-data
diff --git a/.github/workflows/index-general-search-pr.yml b/.github/workflows/index-general-search-pr.yml
index 3f819ce556..97204b69a8 100644
--- a/.github/workflows/index-general-search-pr.yml
+++ b/.github/workflows/index-general-search-pr.yml
@@ -44,7 +44,7 @@ jobs:
 with:
 repository: github/docs-internal-data
 # This works because user `docs-bot` has read access to that private repo.
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 path: docs-internal-data
 - uses: ./.github/actions/setup-elasticsearch
diff --git a/.github/workflows/index-general-search.yml b/.github/workflows/index-general-search.yml
index dd74f7af55..cbc60585b4 100644
--- a/.github/workflows/index-general-search.yml
+++ b/.github/workflows/index-general-search.yml
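Review bot: The actions/checkout of github/docs-internal-data in index-autocomplete-search.yml now receives the consolidated DOCS_BOT_PAT_BASE, and checkout persists the token it is given into the clone's .git/config by default, so every later step and third-party action in the job can read a credential that, judging by the scope comments elsewhere in this diff, presumably carries more than the read access this clone needs. If nothing later pushes from docs-internal-data, add `persist-credentials: false` next to `path: docs-internal-data`; the same applies to the two docs-internal-data checkouts in index-general-search-pr.yml and index-general-search.yml on this page, whose own comment ("user docs-bot has read access") documents that read is all that is required. The job's later steps are outside the hunk, so whether any of them push is not visible here.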
@@ -120,14 +120,14 @@ jobs:
 with:
 repository: github/docs-internal-data
 # This works because user `docs-bot` has read access to that private repo.
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 path: docs-internal-data
 - name: Clone all translations
 if: ${{ matrix.language != 'en' }}
 uses: ./.github/actions/clone-translations
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - uses: ./.github/actions/node-npm-setup
diff --git a/.github/workflows/link-check-daily.yml b/.github/workflows/link-check-daily.yml
index 25ec2ff6b7..f97a282a8c 100644
--- a/.github/workflows/link-check-daily.yml
+++ b/.github/workflows/link-check-daily.yml
@@ -32,7 +32,7 @@ jobs:
 id: check-early-access
 env:
 BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: npm run what-docs-early-access-branch
 - name: Check out docs-early-access too, if internal repo
@@ -40,7 +40,7 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: github/docs-early-access
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 path: docs-early-access
 ref: ${{ steps.check-early-access.outputs.branch }}
@@ -71,7 +71,7 @@ jobs:
 # Set this to true in repo scope to enable debug logs
 # ACTIONS_RUNNER_DEBUG = true
 ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 REPORT_AUTHOR: docs-bot
 REPORT_LABEL: broken link report
 REPORT_REPOSITORY: github/docs-content
diff --git a/.github/workflows/link-check-on-pr.yml b/.github/workflows/link-check-on-pr.yml
index a82d0c1f84..3aee13ca6f 100644
--- a/.github/workflows/link-check-on-pr.yml
+++ b/.github/workflows/link-check-on-pr.yml
@@ -33,14 +33,14 @@ jobs:
 - uses: ./.github/actions/get-docs-early-access
 if: ${{ github.repository == 'github/docs-internal' }}
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Link check all pages (internal links only)
 env:
 LEVEL: 'critical'
 ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
- SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT != '' }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
+ SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_BASE != '' }}
 CHECK_EXTERNAL_LINKS: false
 CREATE_REPORT: false
 CHECK_ANCHORS: true
diff --git a/.github/workflows/lint-entire-content-data-markdown.yml b/.github/workflows/lint-entire-content-data-markdown.yml
index 9fd3631020..63418377d9 100644
--- a/.github/workflows/lint-entire-content-data-markdown.yml
+++ b/.github/workflows/lint-entire-content-data-markdown.yml
@@ -37,7 +37,7 @@ jobs:
 - name: Open issue in docs-content
 if: ${{ always() && steps.linting-content-data.outcome == 'failure' }}
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 REPORT_AUTHOR: docs-bot
 REPORT_LABEL: broken content markdown report
 REPORT_REPOSITORY: github/docs-content
diff --git a/.github/workflows/local-dev.yml b/.github/workflows/local-dev.yml
index cfbbbe4be5..b4060307b9 100644
--- a/.github/workflows/local-dev.yml
+++ b/.github/workflows/local-dev.yml
@@ -26,7 +26,7 @@ jobs:
 - uses: ./.github/actions/get-docs-early-access
 if: ${{ github.repository == 'github/docs-internal' }}
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 # Note that we don't check out docs-early-access, Elasticsearch,
 # or any remote translations. Nothing fancy here!
diff --git a/.github/workflows/moda-ci.yaml b/.github/workflows/moda-ci.yaml
index 3506f30875..43240c6dcd 100644
--- a/.github/workflows/moda-ci.yaml
+++ b/.github/workflows/moda-ci.yaml
@@ -24,12 +24,12 @@ jobs:
 id: modify_vault_keys
 run: |
 if [ -z "${{ vars.VAULT_KEYS }}" ]; then
- # We want to add the DOCS_BOT_PAT_READPUBLICKEY to the list of keys
+ # We want to add the DOCS_BOT_PAT_BASE to the list of keys
 # so that builds fetch the secret from the docs-internal vault
 # where --environment is "ci"
- echo "modified=DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
+ echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
 else
- echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
+ echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
 fi
 #############
@@ -66,9 +66,9 @@ jobs:
 with:
 ci-formatted-job-name: ${{ matrix.ci_job.job }}
 vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
- # Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=
+ # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=
 attest: true
- docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
+ docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
 secrets:
 dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
 datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -88,8 +88,8 @@ jobs:
 with:
 ci-formatted-job-name: ${{ matrix.ci_job.job }}
 vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
- # Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=
- docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
+ # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=
+ docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
 secrets:
 dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
 datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
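Review bot: The `modify_vault_keys` run script still splices `${{ vars.VAULT_KEYS }}` straight into the shell source twice, in the `if [ -z "..." ]` test and in the rewritten `echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE"` line, so the variable's text is parsed by bash as code rather than read as data; a repository variable is admin-set, but a value containing a quote or `$(...)` would change what the script does instead of just what it emits, and `$GITHUB_OUTPUT` is unquoted on both lines. The standard fix is to pass the value through `env:` on the step and reference `$VAULT_KEYS`, as sketched below. The two later hunks hand the same consolidated secret to the docker build via `docker-build-env-secrets`, which presumably means the build stage now receives a token carrying whatever write scopes DOCS_BOT_PAT_BASE has; worth confirming that stage only needs read access. The step's opening lines begin outside the hunk.

```yaml
id: modify_vault_keys
env:
  VAULT_KEYS: ${{ vars.VAULT_KEYS }}
run: |
  if [ -z "$VAULT_KEYS" ]; then
    # … unchanged: comment lines …
    echo "modified=DOCS_BOT_PAT_BASE" >> "$GITHUB_OUTPUT"
  else
    echo "modified=${VAULT_KEYS},DOCS_BOT_PAT_BASE" >> "$GITHUB_OUTPUT"
  fi
```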
diff --git a/.github/workflows/move-existing-issues-to-the-correct-repo.yml b/.github/workflows/move-existing-issues-to-the-correct-repo.yml
index 217d595e0f..8214dbbc50 100644
--- a/.github/workflows/move-existing-issues-to-the-correct-repo.yml
+++ b/.github/workflows/move-existing-issues-to-the-correct-repo.yml
@@ -21,7 +21,7 @@ jobs:
 TEAM_ENGINEERING_REPO: ${{ secrets.TEAM_ENGINEERING_REPO }}
 TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |
 const owner = 'github'
 const originalRepo = 'docs-internal'
diff --git a/.github/workflows/move-help-wanted-issues.yml b/.github/workflows/move-help-wanted-issues.yml
index 7e065b1046..78fa8dbbad 100644
--- a/.github/workflows/move-help-wanted-issues.yml
+++ b/.github/workflows/move-help-wanted-issues.yml
@@ -25,4 +25,4 @@ jobs:
 with:
 project: Docs open source board
 column: Help wanted
- repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
diff --git a/.github/workflows/move-ready-to-merge-pr.yaml b/.github/workflows/move-ready-to-merge-pr.yaml
index dd2bea65c2..d493d59a58 100644
--- a/.github/workflows/move-ready-to-merge-pr.yaml
+++ b/.github/workflows/move-ready-to-merge-pr.yaml
@@ -28,7 +28,7 @@ jobs:
 with:
 project: Docs open source board
 column: Triage
- repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Check out repo
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/notify-about-deployment.yml b/.github/workflows/notify-about-deployment.yml
index 1849bdf540..3b33db8f03 100644
--- a/.github/workflows/notify-about-deployment.yml
+++ b/.github/workflows/notify-about-deployment.yml
@@ -42,7 +42,7 @@ jobs:
 id: get-number
 timeout-minutes: 5
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: npm run find-past-built-pr
 - name: Find content directory changes comment
diff --git a/.github/workflows/orphaned-features-check.yml b/.github/workflows/orphaned-features-check.yml
index ee239cebf8..4567a4d6b1 100644
--- a/.github/workflows/orphaned-features-check.yml
+++ b/.github/workflows/orphaned-features-check.yml
@@ -30,7 +30,7 @@ jobs:
 with:
 # Using a PAT is necessary so that the new commit will trigger the
 # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 # It's important because translations are often a bit behind.
 # So if a translation is a bit behind, it might still be referencing
@@ -38,14 +38,14 @@ jobs:
 - name: Clone all translations
 uses: ./.github/actions/clone-translations
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - uses: ./.github/actions/node-npm-setup
 - name: Check for orphaned features
 env:
 # Needed for gh
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 DRY_RUN: ${{ github.event_name == 'pull_request'}}
 run: |
 set -e
diff --git a/.github/workflows/orphaned-files-check.yml b/.github/workflows/orphaned-files-check.yml
index d2e56fdafa..ec26c4a5d9 100644
--- a/.github/workflows/orphaned-files-check.yml
+++ b/.github/workflows/orphaned-files-check.yml
@@ -34,7 +34,7 @@ jobs:
 with:
 # Using a PAT is necessary so that the new commit will trigger the
 # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 # It's important because translations are often a bit behind.
 # So if a translation is a bit behind, it might still be referencing
@@ -42,14 +42,14 @@ jobs:
 - name: Clone all translations
 uses: ./.github/actions/clone-translations
 with:
- token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - uses: ./.github/actions/node-npm-setup
 - name: Check for orphaned assets and reusables
 env:
 # Needed for gh
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 DRY_RUN: ${{ github.event_name == 'pull_request'}}
 run: |
 set -e
@@ -92,11 +92,11 @@ jobs:
 body=$(cat <<-EOM
 Found with the `npm run find-orphaned-assets` and `npm run -s reusables -- find unused` scripts.
-
+
 The orphaned files workflow file .github/workflows/orphaned-files-check.yml runs every Monday at 16:20 UTC / 8:20 PST.
-
+
 If you are the first responder, please spot check some of the unused assets to make sure they aren't referenced anywhere. Then, approve and merge the pull request.
-
+
 For more information, see [Doc: Orphaned Assets](https://github.com/github/docs-engineering/blob/main/docs/orphaned-assets.md) and [Doc: Reusables CLI](https://github.com/github/docs-internal/tree/main/src/content-render/scripts/reusables-cli).
 EOM
 )
diff --git a/.github/workflows/os-ready-for-review.yml b/.github/workflows/os-ready-for-review.yml
index c8cc72bc8c..0db8495e71 100644
--- a/.github/workflows/os-ready-for-review.yml
+++ b/.github/workflows/os-ready-for-review.yml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 id: triggered-by-member
 with:
- github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
+ github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
 result-encoding: string
 script: |
 const triggerer_login = context.payload.sender.login
@@ -60,7 +60,7 @@ jobs:
 run: |
 npm run ready-for-docs-review
 env:
- TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PROJECT_NUMBER: 2936
 ORGANIZATION: 'github'
 ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }}
diff --git a/.github/workflows/purge-old-workflow-runs.yml b/.github/workflows/purge-old-workflow-runs.yml
index 25ce4784dc..5eaf38634e 100644
--- a/.github/workflows/purge-old-workflow-runs.yml
+++ b/.github/workflows/purge-old-workflow-runs.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Run purge script
 env:
 # Necessary to be able to delete deployment environments
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: npm run purge-old-workflow-runs
 - uses: ./.github/actions/slack-alert
diff --git a/.github/workflows/ready-for-doc-review.yml b/.github/workflows/ready-for-doc-review.yml
index 4b7366442e..420832ccf2 100644
--- a/.github/workflows/ready-for-doc-review.yml
+++ b/.github/workflows/ready-for-doc-review.yml
@@ -24,7 +24,7 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: github/docs-internal
- token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Setup Node.js
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -47,7 +47,7 @@ jobs:
 run: |
 npm run ready-for-docs-review
 env:
- TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PROJECT_NUMBER: 2936
 ORGANIZATION: 'github'
 ITEM_NODE_ID: ${{ github.event.pull_request.node_id }}
diff --git a/.github/workflows/remove-fr-label-remove-from-fr-v2.yml b/.github/workflows/remove-fr-label-remove-from-fr-v2.yml
index 0b5db89f4d..76a0b9bed8 100644
--- a/.github/workflows/remove-fr-label-remove-from-fr-v2.yml
+++ b/.github/workflows/remove-fr-label-remove-from-fr-v2.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Remove issue from FR v2 project
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PR_NUMBER: ${{ github.event.pull_request.number || inputs.PR_NUMBER }}
 PROJECT_NUMBER: 11672
 run: |
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index d4f549a1f7..ec8cad263a 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -28,15 +28,15 @@ jobs:
 - name: Sync repo to branch
 uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
 with:
- source_repo: https://${{ secrets.DOCS_BOT_PAT_WORKFLOW }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
+ source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
 source_branch: main
 destination_branch: repo-sync
- github_token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
+ github_token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 - name: Ship pull request
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 result-encoding: string
 script: |
 const { owner, repo } = context.repo
diff --git a/.github/workflows/reviewers-content-systems.yml b/.github/workflows/reviewers-content-systems.yml
index 22e347ed90..3f0bc7cb3c 100644
--- a/.github/workflows/reviewers-content-systems.yml
+++ b/.github/workflows/reviewers-content-systems.yml
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 PR: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 steps:
 - name: Add content systems as a reviewer
diff --git a/.github/workflows/reviewers-dependabot.yml b/.github/workflows/reviewers-dependabot.yml
index 805f7d49e5..9f3cc8c115 100644
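Review bot: In the repo-sync.yml hunk the `source_repo` input still embeds the PAT in the clone URL, `https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/...`, while the same token is also handed to the action as `github_token`; a credential inside a remote URL lands in the runner's git configuration and in any git error output the action prints, where only exact-match log masking protects it, and it is now the consolidated token rather than the narrower DOCS_BOT_PAT_WORKFLOW. If repo-sync/github-sync can authenticate the fetch from `github_token` alone, drop the token from the URL; if it cannot, that deserves a comment on the line such as `# token must be in the URL: github-sync uses source_repo as a raw git remote, github_token only covers API calls`. The action's input contract is not visible here, so this is hedged. The step is pinned by commit SHA, which is the right way to take a third-party action that receives a PAT.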
--- a/.github/workflows/reviewers-dependabot.yml
+++ b/.github/workflows/reviewers-dependabot.yml
@@ -26,7 +26,7 @@ jobs:
 github.event.pull_request.head.ref != 'repo-sync' }}
 runs-on: ubuntu-latest
 env:
- GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PR: ${{ github.event.pull_request.html_url }}
 steps:
diff --git a/.github/workflows/reviewers-docs-engineering.yml b/.github/workflows/reviewers-docs-engineering.yml
index a5915f55f8..5c15a5cd3c 100644
--- a/.github/workflows/reviewers-docs-engineering.yml
+++ b/.github/workflows/reviewers-docs-engineering.yml
@@ -44,7 +44,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 PR: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 steps:
 - name: Add docs engineering as a reviewer
diff --git a/.github/workflows/reviewers-legal.yml b/.github/workflows/reviewers-legal.yml
index 2ed17743e3..d53467c2a8 100644
--- a/.github/workflows/reviewers-legal.yml
+++ b/.github/workflows/reviewers-legal.yml
@@ -55,7 +55,7 @@ jobs:
 - name: Check for reviewers-legal label, add if missing and request review
 if: steps.checkContentType.outputs.containsContentType == 'true'
 env:
- GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 PR: ${{ github.event.pull_request.html_url }}
 run: |
 gh pr edit $PR --add-reviewer github/legal-product
diff --git a/.github/workflows/site-policy-sync.yml b/.github/workflows/site-policy-sync.yml
index e1ed69e53c..0776e8f165 100644
--- a/.github/workflows/site-policy-sync.yml
+++ b/.github/workflows/site-policy-sync.yml
@@ -56,7 +56,7 @@ jobs:
 - name: If there are changes to push, create a branch in the public repo and push changes
 env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: |
 cd public-repo
 git config --local user.name 'site-policy-bot'
diff --git a/.github/workflows/sme-review-tracking-issue.yml b/.github/workflows/sme-review-tracking-issue.yml
index 51ca9edec8..cb0ab2338d 100644
--- a/.github/workflows/sme-review-tracking-issue.yml
+++ b/.github/workflows/sme-review-tracking-issue.yml
@@ -26,7 +26,7 @@ jobs:
 URL: ${{ github.event.pull_request.html_url || github.event.issue.html_url }}
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
 with:
- github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
+ github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 script: |-
 const issueNo = context.number || context.issue.number
diff --git a/.github/workflows/sync-audit-logs.yml b/.github/workflows/sync-audit-logs.yml
index 8ae0705622..486265d962 100644
--- a/.github/workflows/sync-audit-logs.yml
+++ b/.github/workflows/sync-audit-logs.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Run updater script
 env:
 # need to use a token from a user with access to github/audit-log-allowlists for this step
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: |
 npm run sync-audit-log
@@ -49,7 +49,7 @@ jobs:
 - name: Create and merge pull request
 env:
 # Needed for gh
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
 run: |
 # If nothing to commit, exit now. It's fine. No orphans.
 changes=$(git diff --name-only | wc -l)
@@ -97,7 +97,7 @@ jobs:
 # Actions can't merge the PR so back to docs-bot to merge the PR
 unset GITHUB_TOKEN
- gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}"
+ gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
 gh pr merge --auto
 - uses: ./.github/actions/slack-alert
diff --git a/.github/workflows/sync-codeql-cli.yml b/.github/workflows/sync-codeql-cli.yml
index 15a4c12a1d..f69f3ef16b 100644
--- a/.github/workflows/sync-codeql-cli.yml
+++ b/.github/workflows/sync-codeql-cli.yml
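Review bot: In the `@@ -97,7` hunk of sync-audit-logs.yml the `unset GITHUB_TOKEN` / `gh auth login --with-token` switch now logs in with the same DOCS_BOT_PAT_BASE that the `@@ -49,7` hunk appears to set as that step's `GITHUB_TOKEN`, so if these lines belong to the same "Create and merge pull request" run block the re-login is a no-op and the comment "back to docs-bot to merge the PR" no longer describes a change of identity; either delete the three lines or rewrite the comment to say why an explicit login is still wanted. Independently, the new line still splices the secret into the script source as an expression, `gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"`; if the login stays, put the secret in the step's existing `env:` under a name gh does not read first, e.g. `DOCS_BOT_PAT: ${{ secrets.DOCS_BOT_PAT_BASE }}`, and use `gh auth login --with-token <<< "$DOCS_BOT_PAT"`. The run block starts outside the hunk, so which step these lines belong to is inferred from the line numbers rather than visible.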
@@ -38,7 +38,7 @@ jobs: with: # By default, only the most recent commit of the `main` branch # will be checked out - token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} repository: github/semmle-code path: semmle-code ref: ${{ inputs.SOURCE_BRANCH }} @@ -75,7 +75,7 @@ jobs: - name: Create pull request env: # Needed for gh - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | # If nothing to commit, exit now. It's fine. No orphans. changes=$(git diff --name-only | wc -l) diff --git a/.github/workflows/sync-graphql.yml b/.github/workflows/sync-graphql.yml index b0d964b8d0..efae9591db 100644 --- a/.github/workflows/sync-graphql.yml +++ b/.github/workflows/sync-graphql.yml @@ -24,7 +24,7 @@ jobs: - name: Run updater scripts env: # need to use a token from a user with access to github/github for this step - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: npm run sync-graphql - name: Create pull request id: create-pull-request @@ -37,7 +37,7 @@ jobs: # Token should be a PAT because actions performed with GITHUB_TOKEN # don't trigger other workflows and this action force pushes updates # from the default branch. - token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} commit-message: 'Update GraphQL data files' title: GraphQL schema update body: @@ -50,7 +50,7 @@ jobs: - name: Enable GitHub auto-merge if: ${{ steps.create-pull-request.outputs.pull-request-number }} env: - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }} run: npm run enable-automerge diff --git a/.github/workflows/sync-openapi.yml b/.github/workflows/sync-openapi.yml index 339fb7eac1..bbf7a83119 100644 --- a/.github/workflows/sync-openapi.yml 
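Review bot: The `token:` handed to the `github/semmle-code` checkout in sync-codeql-cli.yml is persisted into `semmle-code/.git/config` for every later step of the job if this is `actions/checkout` with its default `persist-credentials: true` (the `uses:` line sits above the hunk). After this diff that on-disk credential is the single `DOCS_BOT_PAT_BASE`, which the sync-graphql and validate hunks also use to push branches and open pull requests, so anything that runs later in the job (an `npm` lifecycle script, for instance) can read a token worth more than the old per-purpose PAT. Unless a later step pushes to `semmle-code`, add `persist-credentials: false` beside `token:` so the PAT is used for the clone only.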
+++ b/.github/workflows/sync-openapi.yml @@ -47,7 +47,7 @@ jobs: - name: Sync the REST, Webhooks, and GitHub Apps schemas env: # Needed for gh - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | npm run sync-rest -- --source-repo rest-api-description --output rest github-apps webhooks rest-redirects git status @@ -68,7 +68,7 @@ jobs: - name: Create pull request env: # Needed for gh - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | # If nothing to commit, exit now. It's fine. No orphans. changes=$(git diff --name-only | wc -l) diff --git a/.github/workflows/sync-secret-scanning.yml b/.github/workflows/sync-secret-scanning.yml index 9d90f9b960..d255017396 100644 --- a/.github/workflows/sync-secret-scanning.yml +++ b/.github/workflows/sync-secret-scanning.yml @@ -33,14 +33,14 @@ jobs: env: # need to use a token from a user with access to # github/token-scanning-service for this step - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | npm run sync-secret-scanning - name: Create a pull request env: # Needed for gh - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | # If nothing to commit, exit now. It's fine. changes=$(git diff --name-only | wc -l) @@ -70,8 +70,8 @@ jobs: echo "Creating pull request..." gh pr create \ --title "Sync secret scanning data" \ - --body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service. - + --body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service. + /cc @github/docs-content-security-products If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \ 
diff --git a/.github/workflows/test-changed-content.yml b/.github/workflows/test-changed-content.yml index 6c02028c92..9375cc8b04 100644 --- a/.github/workflows/test-changed-content.yml +++ b/.github/workflows/test-changed-content.yml @@ -34,7 +34,7 @@ jobs: - uses: ./.github/actions/get-docs-early-access if: ${{ github.repository == 'github/docs-internal' }} with: - token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} - uses: ./.github/actions/cache-nextjs diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index daa09c7efd..548f7fd569 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -101,7 +101,7 @@ jobs: - uses: ./.github/actions/get-docs-early-access if: ${{ github.repository == 'github/docs-internal' }} with: - token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} - name: Check the test fixture data (if applicable) if: ${{ matrix.name == 'fixtures' }} @@ -126,7 +126,7 @@ jobs: if: ${{ matrix.name == 'languages' }} uses: ./.github/actions/clone-translations with: - token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} - name: Gather files changed if: ${{ matrix.name == 'content-linter' }} diff --git a/.github/workflows/validate-github-github-docs-urls.yml b/.github/workflows/validate-github-github-docs-urls.yml index 3f5ddcedb2..391362a64b 100644 --- a/.github/workflows/validate-github-github-docs-urls.yml +++ b/.github/workflows/validate-github-github-docs-urls.yml @@ -39,7 +39,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} + token: ${{ secrets.DOCS_BOT_PAT_BASE }} repository: github/github ref: master path: github 
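Review bot: test.yml and test-changed-content.yml now pass `DOCS_BOT_PAT_BASE` to `get-docs-early-access` and `clone-translations`, steps that only clone repositories, while the other hunks in this diff use the same secret to push to `github/github`, merge pull requests and edit reviewers; the secret it replaces was named `READPUBLICKEY`, which suggests it was read-scoped. The only gate on these steps is `github.repository == 'github/docs-internal'`, so whichever events and actors can run the test workflow (the `on:` block is outside the hunk) now have a write-capable PAT in a job that executes code from the branch under test. Collapsing the per-purpose PATs into one token makes every workflow that references it a path to the union of all its scopes; consider keeping a separate read-only secret for the test/clone paths and saying so next to these inputs, e.g. `# clone-only step: a read-scoped PAT is sufficient here`.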
@@ -55,7 +55,7 @@ jobs: - name: Update config/docs-urls.json in github/github (possibly) if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} env: - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json @@ -86,7 +86,7 @@ jobs: - name: Clean up old branches in github/github if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} env: - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} run: | npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls @@ -117,7 +117,7 @@ jobs: # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable CHANGED_FILES: |- ${{ steps.changed_files.outputs.filtered_changed_files }} - GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} + GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} ISSUE_NUMBER: ${{ github.event.pull_request.number }} REPOSITORY: ${{ github.repository }} run: | diff --git a/Dockerfile b/Dockerfile index 465d6191ee..0bad2e636b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -48,7 +48,7 @@ COPY --chown=node:node --chmod=+x \ # - 3. Fetch each translations repo to the repo/translations directory # We use --mount-type=secret to avoid the secret being copied into the image layers for security # The secret passed via --secret can only be used in this RUN command -RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY,mode=0444 \ +RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444 \ # We don't cache because Docker can't know if we need to fetch new content from remote repos echo "Don't cache this step by printing date: $(date)" && \ . ./build-scripts/fetch-repos.sh 
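Review bot: The build secret mounted with `mode=0444` in the Dockerfile hunk is now `DOCS_BOT_PAT_BASE`, the same PAT the workflow hunks above use to push branches to `github/github` and merge pull requests, whereas `fetch-repos.sh` only clones (the README hunk further down says `contents: read` access is what the build needs). A world-readable `/run/secrets/DOCS_BOT_PAT_BASE` is therefore a write-capable credential that any process in this build stage can read, not just the fetch script. If `0444` exists because the `RUN` executes as the non-root `node` user implied by the `--chown=node:node` above, scope the mount to that user instead of to everyone, `RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,uid=1000,gid=1000,mode=0400 \` (adjust the ids to the image's `node` user), and ideally keep a read-only PAT for image builds. That the new secret carries write scope is inferred from its use in the other hunks, not visible in the Dockerfile itself.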
diff --git a/src/code-scanning/scripts/generate-code-scanning-query-list.ts b/src/code-scanning/scripts/generate-code-scanning-query-list.ts index 9f7e574146..b5c066c38e 100644 --- a/src/code-scanning/scripts/generate-code-scanning-query-list.ts +++ b/src/code-scanning/scripts/generate-code-scanning-query-list.ts @@ -28,12 +28,12 @@ * /Users/peterbe/.local/share/gh/extensions/gh-codeql/dist/nightly/codeql-bundle-20231204/codeql * * Finally, you need to install `@github/cocofix`. This is a private package, - * so you first need to get the `DOCS_BOT_PAT_WORKFLOW` PAT from the vault and - * store it in the environment variable `DOCS_BOT_PAT_WORKFLOW`. + * so you first need to get the `DOCS_BOT_PAT_BASE` PAT from the vault and + * store it in the environment variable `DOCS_BOT_PAT_BASE`. * Then run the following command from the root of this repo: * * ```sh - * npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_WORKFLOW}' @github/cocofix + * npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_BASE}' @github/cocofix * ``` * * If you've git cloned github/codeql in /tmp/ now you can execute this script. diff --git a/src/deployments/production/README.md b/src/deployments/production/README.md index 12892b0dde..37de6f4250 100644 --- a/src/deployments/production/README.md +++ b/src/deployments/production/README.md @@ -13,7 +13,7 @@ The status of deployments are posted in the `#docs-ops` Slack channel. Build the production Docker image locally, ```bash -docker build -t docs:latest . --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<(echo "") +docker build -t docs:latest . --secret id=DOCS_BOT_PAT_BASE,src=<(echo "") ``` Where `` must be a PAT with `contents: read` access to: 
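Review bot: The updated header comment tells anyone running this script locally to take `DOCS_BOT_PAT_BASE` from the vault, but elsewhere in this diff that same secret pushes branches to `github/github` and merges pull requests, so the instruction now hands a write-capable bot credential to individual engineers for a task that needs only `read:packages` on npm.pkg.github.com. Prefer pointing readers at a personal or separate read-only token: `* so you need a PAT with \`read:packages\` scope (a personal fine-grained PAT is enough; do not use the bot's write-capable token) stored in the environment variable \`GITHUB_PACKAGES_TOKEN\`.` with the `npm i` line's `_authToken=${...}` referencing that variable. The breadth of `DOCS_BOT_PAT_BASE` is inferred from the workflow hunks rather than stated here, so confirm its actual scopes before editing the comment.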
@@ -28,4 +28,4 @@ docker run -p 4000:4000 docs:latest ``` > [!NOTE] -> We require `DOCKER_BUILDKIT=1` to support passing `--secret` to the Dockerfile which allows us to clone private repos at build time. This is done in Moda via the `docker-build-env-secrets` argument in the [.github/workflows/moda-ci.yaml](../../.github/workflows/moda-ci.yaml) workflow. \ No newline at end of file +> We require `DOCKER_BUILDKIT=1` to support passing `--secret` to the Dockerfile which allows us to clone private repos at build time. This is done in Moda via the `docker-build-env-secrets` argument in the [.github/workflows/moda-ci.yaml](../../.github/workflows/moda-ci.yaml) workflow. diff --git a/src/deployments/production/build-scripts/fetch-repos.sh b/src/deployments/production/build-scripts/fetch-repos.sh index 01c41e0faa..286ae556e0 100644 --- a/src/deployments/production/build-scripts/fetch-repos.sh +++ b/src/deployments/production/build-scripts/fetch-repos.sh @@ -16,7 +16,7 @@ set -e . ./build-scripts/clone-or-use-cached-repo.sh # Set the GITHUB_TOKEN environment variable from the mounted --secret passed to Docker build -GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_READPUBLICKEY) +GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_BASE) # - - - - - - - - - - # Early access