
Use DOCS_BOT_PAT_BASE (#55464)

This commit is contained in:
Kevin Heis
2025-04-30 11:58:01 -07:00
committed by GitHub
parent 9e6ef2eefd
commit 02e2e2dacc
50 changed files with 100 additions and 100 deletions


@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
env:
# need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: github github broken link report
REPORT_REPOSITORY: github/docs-content
@@ -33,7 +33,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Build server
run: npm run build
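Review bot: The new `GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}` line replaces a token that was provisioned for one purpose (the removed WRITEORG_PROJECT value), and the same single secret now also stands in for the READPUBLICKEY, WORKFLOW_READORG and WORKFLOW tokens in every other section of this commit, so one credential must carry the union of all those permissions and is present in workflows that previously held only a read token. Several of those workflows run on issue and pull-request events and hand the token to `actions/github-script` or `gh` (the sections reading `context.payload.sender.login`, `github.event.issue.title` and `context.actor`), so any single workflow compromise now exposes the broadest docs-bot credential rather than the narrowest. The per-step comments such as `# need to use a token from a user with access to github/github for this step` still describe individual requirements; consider one comment at the first use in each workflow stating what the consolidated secret must be able to do, e.g. `# DOCS_BOT_PAT_BASE replaces the per-purpose docs-bot PATs; required permissions: <list>`, and confirm in the PR description whether BASE is a fine-grained token or a classic PAT with repo, workflow and project scopes. The enclosing job definitions start and end outside the hunks.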


@@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const issue = context.payload.issue


@@ -24,7 +24,7 @@ jobs:
- name: Close pull request if unwanted
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const { owner, repo } = context.repo
const prCreator = context.actor


@@ -28,7 +28,7 @@ jobs:
env:
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
// Only perform this action with GitHub employees
try {


@@ -22,7 +22,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const triggerer_login = context.payload.sender.login
@@ -48,26 +48,26 @@ jobs:
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content)"
echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }}
- name: Comment on the old issue
run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue."
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Close the old issue
run: gh issue close $OLD_ISSUE
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Comment on the new issue
run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE"
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
NEW_ISSUE: ${{ env.NEW_ISSUE }}
OLD_ISSUE: ${{ github.event.issue.html_url }}


@@ -28,7 +28,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -36,7 +36,7 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup


@@ -66,7 +66,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ matrix.language_repo }}
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: ${{ matrix.language_dir }}
- uses: ./.github/actions/node-npm-setup
@@ -89,7 +89,7 @@ jobs:
working-directory: ${{ matrix.language_dir }}
env:
# Needed for gh
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -35,7 +35,7 @@ jobs:
run: |
npm run fr-add-docs-reviewers-requests
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
REPO: 'audit-log-allowlists'


@@ -31,7 +31,7 @@ jobs:
- name: Run src/ghes-releases/scripts/update-enterprise-dates.js
run: npm run update-enterprise-dates
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create pull request
id: create-pull-request
@@ -41,7 +41,7 @@ jobs:
HUSKY: '0'
with:
# need to use a token with repo and workflow scopes for this step
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: '🤖 ran src/ghes-releases/scripts/update-enterprise-dates.js'
title: 🤖 src/ghes-releases/lib/enterprise-dates.json update
body:
@@ -54,7 +54,7 @@ jobs:
- name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge


@@ -26,12 +26,12 @@ jobs:
- name: Create an enterprise release issue
run: npm run create-enterprise-issue -- release
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create an enterprise deprecation issue
run: npm run create-enterprise-issue -- deprecation
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/slack-alert
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}


@@ -27,7 +27,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: check-membership
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const repoName = context.payload.repository.name
@@ -71,7 +71,7 @@ jobs:
- name: Triage to docs-content FR project
if: steps.check-membership.outputs.result == 'false'
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_URL: ${{ github.event.pull_request.html_url }}
PROJECT_NUMBER: 11672
PROJECT_ID: PVT_kwDNJr_OAGNkBg


@@ -69,7 +69,7 @@ jobs:
- uses: ./.github/actions/install-cocofix
with:
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Lint the code (eslint)
if: ${{ github.event_name == 'pull_request' }}
@@ -103,7 +103,7 @@ jobs:
- name: Create pull request
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |


@@ -28,7 +28,7 @@ jobs:
- id: membership_check
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
try {
await github.rest.teams.getMembershipForUserInOrg({


@@ -32,7 +32,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/docs-internal-data
path: docs-internal-data


@@ -44,7 +44,7 @@ jobs:
with:
repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data
- uses: ./.github/actions/setup-elasticsearch


@@ -120,14 +120,14 @@ jobs:
with:
repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data
- name: Clone all translations
if: ${{ matrix.language != 'en' }}
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup


@@ -32,7 +32,7 @@ jobs:
id: check-early-access
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run what-docs-early-access-branch
- name: Check out docs-early-access too, if internal repo
@@ -40,7 +40,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: github/docs-early-access
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-early-access
ref: ${{ steps.check-early-access.outputs.branch }}
@@ -71,7 +71,7 @@ jobs:
# Set this to true in repo scope to enable debug logs
# ACTIONS_RUNNER_DEBUG = true
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken link report
REPORT_REPOSITORY: github/docs-content


@@ -33,14 +33,14 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Link check all pages (internal links only)
env:
LEVEL: 'critical'
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT != '' }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_BASE != '' }}
CHECK_EXTERNAL_LINKS: false
CREATE_REPORT: false
CHECK_ANCHORS: true


@@ -37,7 +37,7 @@ jobs:
- name: Open issue in docs-content
if: ${{ always() && steps.linting-content-data.outcome == 'failure' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken content markdown report
REPORT_REPOSITORY: github/docs-content


@@ -26,7 +26,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# Note that we don't check out docs-early-access, Elasticsearch,
# or any remote translations. Nothing fancy here!


@@ -24,12 +24,12 @@ jobs:
id: modify_vault_keys
run: |
if [ -z "${{ vars.VAULT_KEYS }}" ]; then
# We want to add the DOCS_BOT_PAT_READPUBLICKEY to the list of keys
# We want to add the DOCS_BOT_PAT_BASE to the list of keys
# so that builds fetch the secret from the docs-internal vault
# where --environment is "ci"
echo "modified=DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
else
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
fi
#############
@@ -66,9 +66,9 @@ jobs:
with:
ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value>
# Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
attest: true
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -88,8 +88,8 @@ jobs:
with:
ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value>
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
# Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
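Review bot: `echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT` (and the `if [ -z "${{ vars.VAULT_KEYS }}" ]` test above it) expands a repository variable directly into the shell script text, and the rename keeps that pattern. Variables are maintainer-controlled, so this is a style point rather than an injection concern, but the idiom this repository already follows elsewhere in the commit (the `CHANGED_FILES` intermediate environment variable with the security-hardening link) is to place the value under the step's `env:` as `VAULT_KEYS: ${{ vars.VAULT_KEYS }}` and reference it as `"$VAULT_KEYS"`. The renamed key also changes the entry the vault must serve to both `docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'` jobs, which nothing in this commit can check; a line in the PR description confirming the vault entry exists under the new name would help whoever debugs a failed build. The `set-vault-keys` step and both CI jobs continue outside the hunks.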


@@ -21,7 +21,7 @@ jobs:
TEAM_ENGINEERING_REPO: ${{ secrets.TEAM_ENGINEERING_REPO }}
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const owner = 'github'
const originalRepo = 'docs-internal'


@@ -25,4 +25,4 @@ jobs:
with:
project: Docs open source board
column: Help wanted
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}


@@ -28,7 +28,7 @@ jobs:
with:
project: Docs open source board
column: Triage
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


@@ -42,7 +42,7 @@ jobs:
id: get-number
timeout-minutes: 5
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run find-past-built-pr
- name: Find content directory changes comment


@@ -30,7 +30,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -38,14 +38,14 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup
- name: Check for orphaned features
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |
set -e


@@ -34,7 +34,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -42,14 +42,14 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup
- name: Check for orphaned assets and reusables
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |
set -e


@@ -26,7 +26,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const triggerer_login = context.payload.sender.login
@@ -60,7 +60,7 @@ jobs:
run: |
npm run ready-for-docs-review
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }}


@@ -25,7 +25,7 @@ jobs:
- name: Run purge script
env:
# Necessary to be able to delete deployment environments
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run purge-old-workflow-runs
- uses: ./.github/actions/slack-alert


@@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: github/docs-internal
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -47,7 +47,7 @@ jobs:
run: |
npm run ready-for-docs-review
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id }}


@@ -28,7 +28,7 @@ jobs:
steps:
- name: Remove issue from FR v2 project
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_NUMBER: ${{ github.event.pull_request.number || inputs.PR_NUMBER }}
PROJECT_NUMBER: 11672
run: |


@@ -28,15 +28,15 @@ jobs:
- name: Sync repo to branch
uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
with:
source_repo: https://${{ secrets.DOCS_BOT_PAT_WORKFLOW }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
source_branch: main
destination_branch: repo-sync
github_token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
github_token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Ship pull request
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
result-encoding: string
script: |
const { owner, repo } = context.repo
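Review bot: `source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/...` still embeds the PAT in a URL handed to an action input, so the credential travels inside a string the action or git may print in error output; Actions masks the exact secret value but not derived forms such as a URL-encoded copy. The `github_token` input two lines below already receives the same secret, so if the pinned `repo-sync/github-sync` action can authenticate the source clone from that input the credential-in-URL form could be dropped; the hunk does not show whether it can. Because this step now uses the consolidated token, an exposure here would reveal the broadest docs-bot credential rather than the former WORKFLOW-only one. The step's `with:` block is fully visible; the job starts outside the hunk.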


@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
env:
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps:
- name: Add content systems as a reviewer


@@ -26,7 +26,7 @@ jobs:
github.event.pull_request.head.ref != 'repo-sync' }}
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }}
steps:


@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest
env:
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps:
- name: Add docs engineering as a reviewer


@@ -55,7 +55,7 @@ jobs:
- name: Check for reviewers-legal label, add if missing and request review
if: steps.checkContentType.outputs.containsContentType == 'true'
env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }}
run: |
gh pr edit $PR --add-reviewer github/legal-product


@@ -56,7 +56,7 @@ jobs:
- name: If there are changes to push, create a branch in the public repo and push changes
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
cd public-repo
git config --local user.name 'site-policy-bot'


@@ -26,7 +26,7 @@ jobs:
URL: ${{ github.event.pull_request.html_url || github.event.issue.html_url }}
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |-
const issueNo = context.number || context.issue.number


@@ -31,7 +31,7 @@ jobs:
- name: Run updater script
env:
# need to use a token from a user with access to github/audit-log-allowlists for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-audit-log
@@ -49,7 +49,7 @@ jobs:
- name: Create and merge pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)
@@ -97,7 +97,7 @@ jobs:
# Actions can't merge the PR so back to docs-bot to merge the PR
unset GITHUB_TOKEN
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}"
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
gh pr merge --auto
- uses: ./.github/actions/slack-alert
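Review bot: `gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"` splices the secret into the shell script body at template time; the safer form is to expose it through the step's `env:` and read it as a shell variable, e.g. `DOCS_BOT_PAT: ${{ secrets.DOCS_BOT_PAT_BASE }}` under `env:` and `gh auth login --with-token <<< "$DOCS_BOT_PAT"`. If this `run:` block belongs to the same 'Create and merge pull request' step whose `env:` now sets `GITHUB_TOKEN` to the same BASE secret (second hunk of this section), then `unset GITHUB_TOKEN` followed by a re-login switches to the same identity, and the comment `# Actions can't merge the PR so back to docs-bot to merge the PR` describes the pre-consolidation arrangement; worth confirming whether the swap is still needed or whether `gh pr merge --auto` can run with the existing `GITHUB_TOKEN`. The step begins outside this hunk, so I cannot see which `env:` applies.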


@@ -38,7 +38,7 @@ jobs:
with:
# By default, only the most recent commit of the `main` branch
# will be checked out
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/semmle-code
path: semmle-code
ref: ${{ inputs.SOURCE_BRANCH }}
@@ -75,7 +75,7 @@ jobs:
- name: Create pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -24,7 +24,7 @@ jobs:
- name: Run updater scripts
env:
# need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run sync-graphql
- name: Create pull request
id: create-pull-request
@@ -37,7 +37,7 @@ jobs:
# Token should be a PAT because actions performed with GITHUB_TOKEN
# don't trigger other workflows and this action force pushes updates
# from the default branch.
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: 'Update GraphQL data files'
title: GraphQL schema update
body:
@@ -50,7 +50,7 @@ jobs:
- name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge


@@ -47,7 +47,7 @@ jobs:
- name: Sync the REST, Webhooks, and GitHub Apps schemas
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-rest -- --source-repo rest-api-description --output rest github-apps webhooks rest-redirects
git status
@@ -68,7 +68,7 @@ jobs:
- name: Create pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -33,14 +33,14 @@ jobs:
env:
# need to use a token from a user with access to
# github/token-scanning-service for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-secret-scanning
- name: Create a pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine.
changes=$(git diff --name-only | wc -l)


@@ -34,7 +34,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/cache-nextjs


@@ -101,7 +101,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check the test fixture data (if applicable)
if: ${{ matrix.name == 'fixtures' }}
@@ -126,7 +126,7 @@ jobs:
if: ${{ matrix.name == 'languages' }}
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Gather files changed
if: ${{ matrix.name == 'content-linter' }}


@@ -39,7 +39,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/github
ref: master
path: github
@@ -55,7 +55,7 @@ jobs:
- name: Update config/docs-urls.json in github/github (possibly)
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json
@@ -86,7 +86,7 @@ jobs:
- name: Clean up old branches in github/github
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls
@@ -117,7 +117,7 @@ jobs:
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
CHANGED_FILES: |-
${{ steps.changed_files.outputs.filtered_changed_files }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
ISSUE_NUMBER: ${{ github.event.pull_request.number }}
REPOSITORY: ${{ github.repository }}
run: |


@@ -48,7 +48,7 @@ COPY --chown=node:node --chmod=+x \
# - 3. Fetch each translations repo to the repo/translations directory
# We use --mount-type=secret to avoid the secret being copied into the image layers for security
# The secret passed via --secret can only be used in this RUN command
RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY,mode=0444 \
RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444 \
# We don't cache because Docker can't know if we need to fetch new content from remote repos
echo "Don't cache this step by printing date: $(date)" && \
. ./build-scripts/fetch-repos.sh
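Review bot: `RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444` mounts the consolidated PAT world-readable for the duration of the RUN; now that the id points at a token carrying more permissions than the former READPUBLICKEY one, narrowing that mode is worthwhile. If this RUN executes as the `node` user suggested by the `COPY --chown=node:node` above, BuildKit's `uid=`/`gid=` secret-mount options allow `mode=0400` with the file owned by that user, e.g. `--mount=type=secret,id=DOCS_BOT_PAT_BASE,uid=<node uid>,gid=<node gid>,mode=0400`; if it runs as root, `mode=0400` alone suffices. The comment block above explains why a mount is used instead of a build arg, so a one-line note on why this mode was chosen would complete it. The secret is consumed by `fetch-repos.sh`, which a later section shows reading `/run/secrets/DOCS_BOT_PAT_BASE`.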


@@ -28,12 +28,12 @@
* /Users/peterbe/.local/share/gh/extensions/gh-codeql/dist/nightly/codeql-bundle-20231204/codeql
*
* Finally, you need to install `@github/cocofix`. This is a private package,
* so you first need to get the `DOCS_BOT_PAT_WORKFLOW` PAT from the vault and
* store it in the environment variable `DOCS_BOT_PAT_WORKFLOW`.
* so you first need to get the `DOCS_BOT_PAT_BASE` PAT from the vault and
* store it in the environment variable `DOCS_BOT_PAT_BASE`.
* Then run the following command from the root of this repo:
*
* ```sh
* npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_WORKFLOW}' @github/cocofix
* npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_BASE}' @github/cocofix
* ```
*
* If you've git cloned github/codeql in /tmp/ now you can execute this script.


@@ -13,7 +13,7 @@ The status of deployments are posted in the `#docs-ops` Slack channel.
Build the production Docker image locally,
```bash
docker build -t docs:latest . --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<(echo "<your GH PAT value>")
docker build -t docs:latest . --secret id=DOCS_BOT_PAT_BASE,src=<(echo "<your GH PAT value>")
```
Where `<your GH PAT value>` must be a PAT with `contents: read` access to:


@@ -16,7 +16,7 @@ set -e
. ./build-scripts/clone-or-use-cached-repo.sh
# Set the GITHUB_TOKEN environment variable from the mounted --secret passed to Docker build
GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_READPUBLICKEY)
GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_BASE)
# - - - - - - - - - -
# Early access