
Use DOCS_BOT_PAT_BASE (#55464)

Kevin Heis
2025-04-30 11:58:01 -07:00
committed by GitHub
parent 9e6ef2eefd
commit 02e2e2dacc
50 changed files with 100 additions and 100 deletions


@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
# need to use a token from a user with access to github/github for this step # need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot REPORT_AUTHOR: docs-bot
REPORT_LABEL: github github broken link report REPORT_LABEL: github github broken link report
REPORT_REPOSITORY: github/docs-content REPORT_REPOSITORY: github/docs-content
@@ -33,7 +33,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access - uses: ./.github/actions/get-docs-early-access
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Build server - name: Build server
run: npm run build run: npm run build
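Review bot: Swapping both `DOCS_BOT_PAT_WRITEORG_PROJECT` (the `GITHUB_TOKEN:` env entry) and `DOCS_BOT_PAT_READPUBLICKEY` (the `token:` input of `get-docs-early-access`) for `DOCS_BOT_PAT_BASE` gives the read-only checkout helper and the issue-writing report step the same credential, so the per-purpose separation the old names suggest is gone. The same substitution recurs in every other file section of this commit, including `actions/github-script` steps that read `context.payload.issue`, `context.actor` and `context.payload.sender.login`, which look like issue- or PR-triggered workflows. Presumably the base token carries at least the union of the old scopes (a comment in a later section asks for `repo` and `workflow` scopes), so a leak from any one workflow now exposes all of them. Consider documenting the token's scopes and repository access where it is first used, and keeping a narrower token, or the built-in `GITHUB_TOKEN`, for steps that only read. Both steps begin outside the hunks shown.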


@@ -19,7 +19,7 @@ jobs:
steps: steps:
- uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 - uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: | script: |
const issue = context.payload.issue const issue = context.payload.issue


@@ -24,7 +24,7 @@ jobs:
- name: Close pull request if unwanted - name: Close pull request if unwanted
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: | script: |
const { owner, repo } = context.repo const { owner, repo } = context.repo
const prCreator = context.actor const prCreator = context.actor


@@ -28,7 +28,7 @@ jobs:
env: env:
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }} TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: | script: |
// Only perform this action with GitHub employees // Only perform this action with GitHub employees
try { try {


@@ -22,7 +22,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member id: triggered-by-member
with: with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string result-encoding: string
script: | script: |
const triggerer_login = context.payload.sender.login const triggerer_login = context.payload.sender.login
@@ -48,26 +48,26 @@ jobs:
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content)" new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content)"
echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
env: env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
ISSUE_TITLE: ${{ github.event.issue.title }} ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }} ISSUE_BODY: ${{ github.event.issue.body }}
- name: Comment on the old issue - name: Comment on the old issue
run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue." run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue."
env: env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }} OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Close the old issue - name: Close the old issue
run: gh issue close $OLD_ISSUE run: gh issue close $OLD_ISSUE
env: env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }} OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Comment on the new issue - name: Comment on the new issue
run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE" run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE"
env: env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
NEW_ISSUE: ${{ env.NEW_ISSUE }} NEW_ISSUE: ${{ env.NEW_ISSUE }}
OLD_ISSUE: ${{ github.event.issue.html_url }} OLD_ISSUE: ${{ github.event.issue.html_url }}


@@ -28,7 +28,7 @@ jobs:
with: with:
# Using a PAT is necessary so that the new commit will trigger the # Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.) # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind. # It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing # So if a translation is a bit behind, it might still be referencing
@@ -36,7 +36,7 @@ jobs:
- name: Clone all translations - name: Clone all translations
uses: ./.github/actions/clone-translations uses: ./.github/actions/clone-translations
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup - uses: ./.github/actions/node-npm-setup


@@ -66,7 +66,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
repository: ${{ matrix.language_repo }} repository: ${{ matrix.language_repo }}
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: ${{ matrix.language_dir }} path: ${{ matrix.language_dir }}
- uses: ./.github/actions/node-npm-setup - uses: ./.github/actions/node-npm-setup
@@ -89,7 +89,7 @@ jobs:
working-directory: ${{ matrix.language_dir }} working-directory: ${{ matrix.language_dir }}
env: env:
# Needed for gh # Needed for gh
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
# If nothing to commit, exit now. It's fine. No orphans. # If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l) changes=$(git diff --name-only | wc -l)


@@ -35,7 +35,7 @@ jobs:
run: | run: |
npm run fr-add-docs-reviewers-requests npm run fr-add-docs-reviewers-requests
env: env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936 PROJECT_NUMBER: 2936
ORGANIZATION: 'github' ORGANIZATION: 'github'
REPO: 'audit-log-allowlists' REPO: 'audit-log-allowlists'


@@ -31,7 +31,7 @@ jobs:
- name: Run src/ghes-releases/scripts/update-enterprise-dates.js - name: Run src/ghes-releases/scripts/update-enterprise-dates.js
run: npm run update-enterprise-dates run: npm run update-enterprise-dates
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create pull request - name: Create pull request
id: create-pull-request id: create-pull-request
@@ -41,7 +41,7 @@ jobs:
HUSKY: '0' HUSKY: '0'
with: with:
# need to use a token with repo and workflow scopes for this step # need to use a token with repo and workflow scopes for this step
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: '🤖 ran src/ghes-releases/scripts/update-enterprise-dates.js' commit-message: '🤖 ran src/ghes-releases/scripts/update-enterprise-dates.js'
title: 🤖 src/ghes-releases/lib/enterprise-dates.json update title: 🤖 src/ghes-releases/lib/enterprise-dates.json update
body: body:
@@ -54,7 +54,7 @@ jobs:
- name: Enable GitHub auto-merge - name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }} if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }} AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge run: npm run enable-automerge


@@ -26,12 +26,12 @@ jobs:
- name: Create an enterprise release issue - name: Create an enterprise release issue
run: npm run create-enterprise-issue -- release run: npm run create-enterprise-issue -- release
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create an enterprise deprecation issue - name: Create an enterprise deprecation issue
run: npm run create-enterprise-issue -- deprecation run: npm run create-enterprise-issue -- deprecation
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/slack-alert - uses: ./.github/actions/slack-alert
if: ${{ failure() && github.event_name != 'workflow_dispatch' }} if: ${{ failure() && github.event_name != 'workflow_dispatch' }}


@@ -27,7 +27,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: check-membership id: check-membership
with: with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string result-encoding: string
script: | script: |
const repoName = context.payload.repository.name const repoName = context.payload.repository.name
@@ -71,7 +71,7 @@ jobs:
- name: Triage to docs-content FR project - name: Triage to docs-content FR project
if: steps.check-membership.outputs.result == 'false' if: steps.check-membership.outputs.result == 'false'
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_URL: ${{ github.event.pull_request.html_url }} PR_URL: ${{ github.event.pull_request.html_url }}
PROJECT_NUMBER: 11672 PROJECT_NUMBER: 11672
PROJECT_ID: PVT_kwDNJr_OAGNkBg PROJECT_ID: PVT_kwDNJr_OAGNkBg


@@ -69,7 +69,7 @@ jobs:
- uses: ./.github/actions/install-cocofix - uses: ./.github/actions/install-cocofix
with: with:
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Lint the code (eslint) - name: Lint the code (eslint)
if: ${{ github.event_name == 'pull_request' }} if: ${{ github.event_name == 'pull_request' }}
@@ -103,7 +103,7 @@ jobs:
- name: Create pull request - name: Create pull request
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}} DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: | run: |


@@ -28,7 +28,7 @@ jobs:
- id: membership_check - id: membership_check
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: | script: |
try { try {
await github.rest.teams.getMembershipForUserInOrg({ await github.rest.teams.getMembershipForUserInOrg({


@@ -32,7 +32,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/docs-internal-data repository: github/docs-internal-data
path: docs-internal-data path: docs-internal-data


@@ -44,7 +44,7 @@ jobs:
with: with:
repository: github/docs-internal-data repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo. # This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data path: docs-internal-data
- uses: ./.github/actions/setup-elasticsearch - uses: ./.github/actions/setup-elasticsearch


@@ -120,14 +120,14 @@ jobs:
with: with:
repository: github/docs-internal-data repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo. # This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data path: docs-internal-data
- name: Clone all translations - name: Clone all translations
if: ${{ matrix.language != 'en' }} if: ${{ matrix.language != 'en' }}
uses: ./.github/actions/clone-translations uses: ./.github/actions/clone-translations
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup - uses: ./.github/actions/node-npm-setup


@@ -32,7 +32,7 @@ jobs:
id: check-early-access id: check-early-access
env: env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }} BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run what-docs-early-access-branch run: npm run what-docs-early-access-branch
- name: Check out docs-early-access too, if internal repo - name: Check out docs-early-access too, if internal repo
@@ -40,7 +40,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
repository: github/docs-early-access repository: github/docs-early-access
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-early-access path: docs-early-access
ref: ${{ steps.check-early-access.outputs.branch }} ref: ${{ steps.check-early-access.outputs.branch }}
@@ -71,7 +71,7 @@ jobs:
# Set this to true in repo scope to enable debug logs # Set this to true in repo scope to enable debug logs
# ACTIONS_RUNNER_DEBUG = true # ACTIONS_RUNNER_DEBUG = true
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken link report REPORT_LABEL: broken link report
REPORT_REPOSITORY: github/docs-content REPORT_REPOSITORY: github/docs-content


@@ -33,14 +33,14 @@ jobs:
- uses: ./.github/actions/get-docs-early-access - uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }} if: ${{ github.repository == 'github/docs-internal' }}
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Link check all pages (internal links only) - name: Link check all pages (internal links only)
env: env:
LEVEL: 'critical' LEVEL: 'critical'
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT != '' }} SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_BASE != '' }}
CHECK_EXTERNAL_LINKS: false CHECK_EXTERNAL_LINKS: false
CREATE_REPORT: false CREATE_REPORT: false
CHECK_ANCHORS: true CHECK_ANCHORS: true


@@ -37,7 +37,7 @@ jobs:
- name: Open issue in docs-content - name: Open issue in docs-content
if: ${{ always() && steps.linting-content-data.outcome == 'failure' }} if: ${{ always() && steps.linting-content-data.outcome == 'failure' }}
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken content markdown report REPORT_LABEL: broken content markdown report
REPORT_REPOSITORY: github/docs-content REPORT_REPOSITORY: github/docs-content


@@ -26,7 +26,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access - uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }} if: ${{ github.repository == 'github/docs-internal' }}
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# Note that we don't check out docs-early-access, Elasticsearch, # Note that we don't check out docs-early-access, Elasticsearch,
# or any remote translations. Nothing fancy here! # or any remote translations. Nothing fancy here!


@@ -24,12 +24,12 @@ jobs:
id: modify_vault_keys id: modify_vault_keys
run: | run: |
if [ -z "${{ vars.VAULT_KEYS }}" ]; then if [ -z "${{ vars.VAULT_KEYS }}" ]; then
# We want to add the DOCS_BOT_PAT_READPUBLICKEY to the list of keys # We want to add the DOCS_BOT_PAT_BASE to the list of keys
# so that builds fetch the secret from the docs-internal vault # so that builds fetch the secret from the docs-internal vault
# where --environment is "ci" # where --environment is "ci"
echo "modified=DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
else else
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
fi fi
############# #############
@@ -66,9 +66,9 @@ jobs:
with: with:
ci-formatted-job-name: ${{ matrix.ci_job.job }} ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value> # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
attest: true attest: true
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY' docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets: secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }} datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -88,8 +88,8 @@ jobs:
with: with:
ci-formatted-job-name: ${{ matrix.ci_job.job }} ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value> # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY' docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets: secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }} datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
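Review bot: `${{ vars.VAULT_KEYS }}` is expanded into the shell text of the `modify_vault_keys` step before bash runs, so a value containing quotes or command substitution would be interpreted as script rather than data, and the result feeds the `vault-keys` input that selects which secrets reach the docker build. Passing it through the environment keeps it as data: add `VAULT_KEYS: ${{ vars.VAULT_KEYS }}` under the step's `env:`, test it with `if [ -z "$VAULT_KEYS" ]; then`, and write `echo "modified=${VAULT_KEYS},DOCS_BOT_PAT_BASE" >> "$GITHUB_OUTPUT"`. The step begins above the first hunk, so whether it already has an `env:` block cannot be seen here. Repository variables are normally maintainer-controlled, which limits the exposure, but the quoted form costs nothing.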


@@ -21,7 +21,7 @@ jobs:
TEAM_ENGINEERING_REPO: ${{ secrets.TEAM_ENGINEERING_REPO }} TEAM_ENGINEERING_REPO: ${{ secrets.TEAM_ENGINEERING_REPO }}
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }} TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: | script: |
const owner = 'github' const owner = 'github'
const originalRepo = 'docs-internal' const originalRepo = 'docs-internal'


@@ -25,4 +25,4 @@ jobs:
with: with:
project: Docs open source board project: Docs open source board
column: Help wanted column: Help wanted
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}


@@ -28,7 +28,7 @@ jobs:
with: with:
project: Docs open source board project: Docs open source board
column: Triage column: Triage
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check out repo - name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


@@ -42,7 +42,7 @@ jobs:
id: get-number id: get-number
timeout-minutes: 5 timeout-minutes: 5
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run find-past-built-pr run: npm run find-past-built-pr
- name: Find content directory changes comment - name: Find content directory changes comment


@@ -30,7 +30,7 @@ jobs:
with: with:
# Using a PAT is necessary so that the new commit will trigger the # Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.) # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind. # It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing # So if a translation is a bit behind, it might still be referencing
@@ -38,14 +38,14 @@ jobs:
- name: Clone all translations - name: Clone all translations
uses: ./.github/actions/clone-translations uses: ./.github/actions/clone-translations
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup - uses: ./.github/actions/node-npm-setup
- name: Check for orphaned features - name: Check for orphaned features
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}} DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: | run: |
set -e set -e


@@ -34,7 +34,7 @@ jobs:
with: with:
# Using a PAT is necessary so that the new commit will trigger the # Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.) # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind. # It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing # So if a translation is a bit behind, it might still be referencing
@@ -42,14 +42,14 @@ jobs:
- name: Clone all translations - name: Clone all translations
uses: ./.github/actions/clone-translations uses: ./.github/actions/clone-translations
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup - uses: ./.github/actions/node-npm-setup
- name: Check for orphaned assets and reusables - name: Check for orphaned assets and reusables
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}} DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: | run: |
set -e set -e


@@ -26,7 +26,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member id: triggered-by-member
with: with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string result-encoding: string
script: | script: |
const triggerer_login = context.payload.sender.login const triggerer_login = context.payload.sender.login
@@ -60,7 +60,7 @@ jobs:
run: | run: |
npm run ready-for-docs-review npm run ready-for-docs-review
env: env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936 PROJECT_NUMBER: 2936
ORGANIZATION: 'github' ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }} ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }}


@@ -25,7 +25,7 @@ jobs:
- name: Run purge script - name: Run purge script
env: env:
# Necessary to be able to delete deployment environments # Necessary to be able to delete deployment environments
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run purge-old-workflow-runs run: npm run purge-old-workflow-runs
- uses: ./.github/actions/slack-alert - uses: ./.github/actions/slack-alert


@@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
repository: github/docs-internal repository: github/docs-internal
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -47,7 +47,7 @@ jobs:
run: | run: |
npm run ready-for-docs-review npm run ready-for-docs-review
env: env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936 PROJECT_NUMBER: 2936
ORGANIZATION: 'github' ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id }} ITEM_NODE_ID: ${{ github.event.pull_request.node_id }}


@@ -28,7 +28,7 @@ jobs:
steps: steps:
- name: Remove issue from FR v2 project - name: Remove issue from FR v2 project
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_NUMBER: ${{ github.event.pull_request.number || inputs.PR_NUMBER }} PR_NUMBER: ${{ github.event.pull_request.number || inputs.PR_NUMBER }}
PROJECT_NUMBER: 11672 PROJECT_NUMBER: 11672
run: | run: |


@@ -28,15 +28,15 @@ jobs:
- name: Sync repo to branch - name: Sync repo to branch
uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88 uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
with: with:
source_repo: https://${{ secrets.DOCS_BOT_PAT_WORKFLOW }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
source_branch: main source_branch: main
destination_branch: repo-sync destination_branch: repo-sync
github_token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} github_token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Ship pull request - name: Ship pull request
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
result-encoding: string result-encoding: string
script: | script: |
const { owner, repo } = context.repo const { owner, repo } = context.repo
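Review bot: `source_repo` still carries the PAT in the URL userinfo (`https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/...`), and after this commit that is the same token every other workflow on this page uses. A credential embedded in a remote URL can persist in the git configuration the sync action writes and can surface in command output that prints the remote in an encoded or truncated form, which log masking of the exact secret string would not catch. If the sync action can authenticate the source fetch from its `github_token` input alone, a credential-free URL would be preferable; that is not verifiable from this page. Otherwise this step is a good candidate for a token limited to reading the source repository rather than the shared base PAT. The "Ship pull request" script continues beyond the hunk.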


@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
PR: ${{ github.event.pull_request.html_url }} PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps: steps:
- name: Add content systems as a reviewer - name: Add content systems as a reviewer


@@ -26,7 +26,7 @@ jobs:
github.event.pull_request.head.ref != 'repo-sync' }} github.event.pull_request.head.ref != 'repo-sync' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }} PR: ${{ github.event.pull_request.html_url }}
steps: steps:


@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
PR: ${{ github.event.pull_request.html_url }} PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps: steps:
- name: Add docs engineering as a reviewer - name: Add docs engineering as a reviewer


@@ -55,7 +55,7 @@ jobs:
- name: Check for reviewers-legal label, add if missing and request review - name: Check for reviewers-legal label, add if missing and request review
if: steps.checkContentType.outputs.containsContentType == 'true' if: steps.checkContentType.outputs.containsContentType == 'true'
env: env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }} PR: ${{ github.event.pull_request.html_url }}
run: | run: |
gh pr edit $PR --add-reviewer github/legal-product gh pr edit $PR --add-reviewer github/legal-product


@@ -56,7 +56,7 @@ jobs:
- name: If there are changes to push, create a branch in the public repo and push changes - name: If there are changes to push, create a branch in the public repo and push changes
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
cd public-repo cd public-repo
git config --local user.name 'site-policy-bot' git config --local user.name 'site-policy-bot'


@@ -26,7 +26,7 @@ jobs:
URL: ${{ github.event.pull_request.html_url || github.event.issue.html_url }} URL: ${{ github.event.pull_request.html_url || github.event.issue.html_url }}
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with: with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |- script: |-
const issueNo = context.number || context.issue.number const issueNo = context.number || context.issue.number


@@ -31,7 +31,7 @@ jobs:
- name: Run updater script - name: Run updater script
env: env:
# need to use a token from a user with access to github/audit-log-allowlists for this step # need to use a token from a user with access to github/audit-log-allowlists for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
npm run sync-audit-log npm run sync-audit-log
@@ -49,7 +49,7 @@ jobs:
- name: Create and merge pull request - name: Create and merge pull request
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
# If nothing to commit, exit now. It's fine. No orphans. # If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l) changes=$(git diff --name-only | wc -l)
@@ -97,7 +97,7 @@ jobs:
# Actions can't merge the PR so back to docs-bot to merge the PR # Actions can't merge the PR so back to docs-bot to merge the PR
unset GITHUB_TOKEN unset GITHUB_TOKEN
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}" gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
gh pr merge --auto gh pr merge --auto
- uses: ./.github/actions/slack-alert - uses: ./.github/actions/slack-alert
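Review bot: In the third hunk, `gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"` expands the secret into the generated script text before the shell runs, instead of passing it through the environment. The hardening guide linked in another section of this commit recommends an intermediate environment variable. Add a constructed name such as `DOCS_BOT_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}` under the step's `env:` and use `gh auth login --with-token <<< "$DOCS_BOT_TOKEN"`. The lines between the second and third hunks are not shown, so it is only inferred from the comment that `GITHUB_TOKEN` is reassigned before the `unset`.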


@@ -38,7 +38,7 @@ jobs:
with: with:
# By default, only the most recent commit of the `main` branch # By default, only the most recent commit of the `main` branch
# will be checked out # will be checked out
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/semmle-code repository: github/semmle-code
path: semmle-code path: semmle-code
ref: ${{ inputs.SOURCE_BRANCH }} ref: ${{ inputs.SOURCE_BRANCH }}
@@ -75,7 +75,7 @@ jobs:
- name: Create pull request - name: Create pull request
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
# If nothing to commit, exit now. It's fine. No orphans. # If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l) changes=$(git diff --name-only | wc -l)


@@ -24,7 +24,7 @@ jobs:
- name: Run updater scripts - name: Run updater scripts
env: env:
# need to use a token from a user with access to github/github for this step # need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run sync-graphql run: npm run sync-graphql
- name: Create pull request - name: Create pull request
id: create-pull-request id: create-pull-request
@@ -37,7 +37,7 @@ jobs:
# Token should be a PAT because actions performed with GITHUB_TOKEN # Token should be a PAT because actions performed with GITHUB_TOKEN
# don't trigger other workflows and this action force pushes updates # don't trigger other workflows and this action force pushes updates
# from the default branch. # from the default branch.
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: 'Update GraphQL data files' commit-message: 'Update GraphQL data files'
title: GraphQL schema update title: GraphQL schema update
body: body:
@@ -50,7 +50,7 @@ jobs:
- name: Enable GitHub auto-merge - name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }} if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }} AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge run: npm run enable-automerge


@@ -47,7 +47,7 @@ jobs:
- name: Sync the REST, Webhooks, and GitHub Apps schemas - name: Sync the REST, Webhooks, and GitHub Apps schemas
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
npm run sync-rest -- --source-repo rest-api-description --output rest github-apps webhooks rest-redirects npm run sync-rest -- --source-repo rest-api-description --output rest github-apps webhooks rest-redirects
git status git status
@@ -68,7 +68,7 @@ jobs:
- name: Create pull request - name: Create pull request
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
# If nothing to commit, exit now. It's fine. No orphans. # If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l) changes=$(git diff --name-only | wc -l)


@@ -33,14 +33,14 @@ jobs:
env: env:
# need to use a token from a user with access to # need to use a token from a user with access to
# github/token-scanning-service for this step # github/token-scanning-service for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
npm run sync-secret-scanning npm run sync-secret-scanning
- name: Create a pull request - name: Create a pull request
env: env:
# Needed for gh # Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
# If nothing to commit, exit now. It's fine. # If nothing to commit, exit now. It's fine.
changes=$(git diff --name-only | wc -l) changes=$(git diff --name-only | wc -l)


@@ -34,7 +34,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access - uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }} if: ${{ github.repository == 'github/docs-internal' }}
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/cache-nextjs - uses: ./.github/actions/cache-nextjs


@@ -101,7 +101,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access - uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }} if: ${{ github.repository == 'github/docs-internal' }}
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check the test fixture data (if applicable) - name: Check the test fixture data (if applicable)
if: ${{ matrix.name == 'fixtures' }} if: ${{ matrix.name == 'fixtures' }}
@@ -126,7 +126,7 @@ jobs:
if: ${{ matrix.name == 'languages' }} if: ${{ matrix.name == 'languages' }}
uses: ./.github/actions/clone-translations uses: ./.github/actions/clone-translations
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Gather files changed - name: Gather files changed
if: ${{ matrix.name == 'content-linter' }} if: ${{ matrix.name == 'content-linter' }}


@@ -39,7 +39,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/github repository: github/github
ref: master ref: master
path: github path: github
@@ -55,7 +55,7 @@ jobs:
- name: Update config/docs-urls.json in github/github (possibly) - name: Update config/docs-urls.json in github/github (possibly)
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json
@@ -86,7 +86,7 @@ jobs:
- name: Clean up old branches in github/github - name: Clean up old branches in github/github
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env: env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: | run: |
npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls
@@ -117,7 +117,7 @@ jobs:
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
CHANGED_FILES: |- CHANGED_FILES: |-
${{ steps.changed_files.outputs.filtered_changed_files }} ${{ steps.changed_files.outputs.filtered_changed_files }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
ISSUE_NUMBER: ${{ github.event.pull_request.number }} ISSUE_NUMBER: ${{ github.event.pull_request.number }}
REPOSITORY: ${{ github.repository }} REPOSITORY: ${{ github.repository }}
run: | run: |
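Review bot: The `actions/checkout` step for `github/github` in the first hunk is handed `DOCS_BOT_PAT_BASE`, and checkout keeps the supplied token in the cloned repository's git configuration unless `persist-credentials: false` is set. The later steps shown here authenticate through their own `GITHUB_TOKEN` env, so if none of them relies on the persisted credential, adding `persist-credentials: false` under `with:` keeps the token out of the `github` checkout for the rest of the job. The `with:` block may continue outside the hunk, so check that it is not already set.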


@@ -48,7 +48,7 @@ COPY --chown=node:node --chmod=+x \
# - 3. Fetch each translations repo to the repo/translations directory # - 3. Fetch each translations repo to the repo/translations directory
# We use --mount-type=secret to avoid the secret being copied into the image layers for security # We use --mount-type=secret to avoid the secret being copied into the image layers for security
# The secret passed via --secret can only be used in this RUN command # The secret passed via --secret can only be used in this RUN command
RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY,mode=0444 \ RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444 \
# We don't cache because Docker can't know if we need to fetch new content from remote repos # We don't cache because Docker can't know if we need to fetch new content from remote repos
echo "Don't cache this step by printing date: $(date)" && \ echo "Don't cache this step by printing date: $(date)" && \
. ./build-scripts/fetch-repos.sh . ./build-scripts/fetch-repos.sh
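Review bot: The secret mount keeps `mode=0444`, so the token file is readable by every user inside this `RUN` step. Restricting it to the build user would be tighter, for example `RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0400,uid=<node uid> \`. Which user the step runs as is not visible in the hunk (the `COPY --chown=node:node` in the hunk header suggests `node`), so confirm that before changing the mode.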


@@ -28,12 +28,12 @@
* /Users/peterbe/.local/share/gh/extensions/gh-codeql/dist/nightly/codeql-bundle-20231204/codeql * /Users/peterbe/.local/share/gh/extensions/gh-codeql/dist/nightly/codeql-bundle-20231204/codeql
* *
* Finally, you need to install `@github/cocofix`. This is a private package, * Finally, you need to install `@github/cocofix`. This is a private package,
* so you first need to get the `DOCS_BOT_PAT_WORKFLOW` PAT from the vault and * so you first need to get the `DOCS_BOT_PAT_BASE` PAT from the vault and
* store it in the environment variable `DOCS_BOT_PAT_WORKFLOW`. * store it in the environment variable `DOCS_BOT_PAT_BASE`.
* Then run the following command from the root of this repo: * Then run the following command from the root of this repo:
* *
* ```sh * ```sh
* npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_WORKFLOW}' @github/cocofix * npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_BASE}' @github/cocofix
* ``` * ```
* *
* If you've git cloned github/codeql in /tmp/ now you can execute this script. * If you've git cloned github/codeql in /tmp/ now you can execute this script.


@@ -13,7 +13,7 @@ The status of deployments are posted in the `#docs-ops` Slack channel.
Build the production Docker image locally, Build the production Docker image locally,
```bash ```bash
docker build -t docs:latest . --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<(echo "<your GH PAT value>") docker build -t docs:latest . --secret id=DOCS_BOT_PAT_BASE,src=<(echo "<your GH PAT value>")
``` ```
Where `<your GH PAT value>` must be a PAT with `contents: read` access to: Where `<your GH PAT value>` must be a PAT with `contents: read` access to:


@@ -16,7 +16,7 @@ set -e
. ./build-scripts/clone-or-use-cached-repo.sh . ./build-scripts/clone-or-use-cached-repo.sh
# Set the GITHUB_TOKEN environment variable from the mounted --secret passed to Docker build # Set the GITHUB_TOKEN environment variable from the mounted --secret passed to Docker build
GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_READPUBLICKEY) GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_BASE)
# - - - - - - - - - - # - - - - - - - - - -
# Early access # Early access