
Use DOCS_BOT_PAT_BASE (#55464)

This commit is contained in:
Kevin Heis
2025-04-30 11:58:01 -07:00
committed by GitHub
parent 9e6ef2eefd
commit 02e2e2dacc
50 changed files with 100 additions and 100 deletions


@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
env:
# need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: github github broken link report
REPORT_REPOSITORY: github/docs-content
@@ -33,7 +33,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Build server
run: npm run build
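Review bot: The `./.github/actions/get-docs-early-access` step in the second hunk, which previously received the read-scoped `DOCS_BOT_PAT_READPUBLICKEY`, now receives the same `DOCS_BOT_PAT_BASE` that the first hunk uses to file broken-link reports, so a step that only needs to read a repository now holds whatever write scopes the reporting step requires. The same widening repeats in every workflow section of this commit: checkouts, translation clones, project-board updates, pull-request merges and the Docker build secret all collapse onto one token carrying the union of the four retired tokens' scopes. If that consolidation is intended, the comment `# need to use a token from a user with access to github/github for this step` is now the only per-step statement of required access in this file, and it no longer tells a reader which steps drive the scope set. Consider extending it to something like `# DOCS_BOT_PAT_BASE is the shared docs-bot PAT; this step is one of the few that needs its write scopes, most other consumers only read` so the write-requiring steps stay identifiable.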


@@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const issue = context.payload.issue


@@ -24,7 +24,7 @@ jobs:
- name: Close pull request if unwanted
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const { owner, repo } = context.repo
const prCreator = context.actor


@@ -28,7 +28,7 @@ jobs:
env:
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
// Only perform this action with GitHub employees
try {


@@ -22,7 +22,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const triggerer_login = context.payload.sender.login
@@ -48,26 +48,26 @@ jobs:
new_issue_url="$(gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" --repo github/docs-content)"
echo 'NEW_ISSUE='$new_issue_url >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }}
- name: Comment on the old issue
run: gh issue comment $OLD_ISSUE --body "Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue."
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Close the old issue
run: gh issue close $OLD_ISSUE
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
OLD_ISSUE: ${{ github.event.issue.html_url }}
- name: Comment on the new issue
run: gh issue comment $NEW_ISSUE --body "This issue was originally opened in the open source repo as $OLD_ISSUE"
env:
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_BASE}}
NEW_ISSUE: ${{ env.NEW_ISSUE }}
OLD_ISSUE: ${{ github.event.issue.html_url }}
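Review bot: The new references in this file are written as `${{secrets.DOCS_BOT_PAT_BASE}}` with no spaces inside the braces (the `github-token:` line in the first hunk and all four `env:` blocks in the second hunk), while the rest of the commit writes `${{ secrets.DOCS_BOT_PAT_BASE }}`. Both forms evaluate identically, but a repository-wide rename-by-search, which is exactly what this commit is, is easier to audit when there is one spelling; the `triggered-by-member` and `check-membership` steps in two later sections carry the same spaceless form. Suggest normalising to `GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}` while these lines are already being touched.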


@@ -28,7 +28,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -36,7 +36,7 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup


@@ -66,7 +66,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ matrix.language_repo }}
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: ${{ matrix.language_dir }}
- uses: ./.github/actions/node-npm-setup
@@ -89,7 +89,7 @@ jobs:
working-directory: ${{ matrix.language_dir }}
env:
# Needed for gh
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -35,7 +35,7 @@ jobs:
run: |
npm run fr-add-docs-reviewers-requests
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
REPO: 'audit-log-allowlists'


@@ -31,7 +31,7 @@ jobs:
- name: Run src/ghes-releases/scripts/update-enterprise-dates.js
run: npm run update-enterprise-dates
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create pull request
id: create-pull-request
@@ -41,7 +41,7 @@ jobs:
HUSKY: '0'
with:
# need to use a token with repo and workflow scopes for this step
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: '🤖 ran src/ghes-releases/scripts/update-enterprise-dates.js'
title: 🤖 src/ghes-releases/lib/enterprise-dates.json update
body:
@@ -54,7 +54,7 @@ jobs:
- name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge


@@ -26,12 +26,12 @@ jobs:
- name: Create an enterprise release issue
run: npm run create-enterprise-issue -- release
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Create an enterprise deprecation issue
run: npm run create-enterprise-issue -- deprecation
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/slack-alert
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}


@@ -27,7 +27,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: check-membership
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const repoName = context.payload.repository.name
@@ -71,7 +71,7 @@ jobs:
- name: Triage to docs-content FR project
if: steps.check-membership.outputs.result == 'false'
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_URL: ${{ github.event.pull_request.html_url }}
PROJECT_NUMBER: 11672
PROJECT_ID: PVT_kwDNJr_OAGNkBg


@@ -69,7 +69,7 @@ jobs:
- uses: ./.github/actions/install-cocofix
with:
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Lint the code (eslint)
if: ${{ github.event_name == 'pull_request' }}
@@ -103,7 +103,7 @@ jobs:
- name: Create pull request
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |


@@ -28,7 +28,7 @@ jobs:
- id: membership_check
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
try {
await github.rest.teams.getMembershipForUserInOrg({


@@ -32,7 +32,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/docs-internal-data
path: docs-internal-data


@@ -44,7 +44,7 @@ jobs:
with:
repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data
- uses: ./.github/actions/setup-elasticsearch


@@ -120,14 +120,14 @@ jobs:
with:
repository: github/docs-internal-data
# This works because user `docs-bot` has read access to that private repo.
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-internal-data
- name: Clone all translations
if: ${{ matrix.language != 'en' }}
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup


@@ -32,7 +32,7 @@ jobs:
id: check-early-access
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run what-docs-early-access-branch
- name: Check out docs-early-access too, if internal repo
@@ -40,7 +40,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: github/docs-early-access
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
path: docs-early-access
ref: ${{ steps.check-early-access.outputs.branch }}
@@ -71,7 +71,7 @@ jobs:
# Set this to true in repo scope to enable debug logs
# ACTIONS_RUNNER_DEBUG = true
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken link report
REPORT_REPOSITORY: github/docs-content


@@ -33,14 +33,14 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Link check all pages (internal links only)
env:
LEVEL: 'critical'
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT != '' }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_PAT_BASE != '' }}
CHECK_EXTERNAL_LINKS: false
CREATE_REPORT: false
CHECK_ANCHORS: true


@@ -37,7 +37,7 @@ jobs:
- name: Open issue in docs-content
if: ${{ always() && steps.linting-content-data.outcome == 'failure' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
REPORT_AUTHOR: docs-bot
REPORT_LABEL: broken content markdown report
REPORT_REPOSITORY: github/docs-content


@@ -26,7 +26,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# Note that we don't check out docs-early-access, Elasticsearch,
# or any remote translations. Nothing fancy here!


@@ -24,12 +24,12 @@ jobs:
id: modify_vault_keys
run: |
if [ -z "${{ vars.VAULT_KEYS }}" ]; then
# We want to add the DOCS_BOT_PAT_READPUBLICKEY to the list of keys
# We want to add the DOCS_BOT_PAT_BASE to the list of keys
# so that builds fetch the secret from the docs-internal vault
# where --environment is "ci"
echo "modified=DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
else
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
fi
#############
@@ -66,9 +66,9 @@ jobs:
with:
ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value>
# Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
attest: true
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -88,8 +88,8 @@ jobs:
with:
ci-formatted-job-name: ${{ matrix.ci_job.job }}
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value>
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY'
# Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
secrets:
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
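Review bot: The secret handed to the image build at `docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'` (second and third hunks) is now the same token that other sections of this commit use to open issues, create and merge pull requests and push branches, whereas the retired name `DOCS_BOT_PAT_READPUBLICKEY` signalled a read-only credential. The Dockerfile section later in the commit mounts it with `--mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444` and the build script copies it into `GITHUB_TOKEN` to fetch repositories, so anything executed inside that `RUN` step can read a write-capable token; the README section in this commit states the build needs only `contents: read` access. If a separately scoped read-only token cannot be retained for the build, the comment above this input should at least record the widening, e.g. `# DOCS_BOT_PAT_BASE also carries the write scopes used by other workflows; the image build itself only needs contents: read`.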


@@ -21,7 +21,7 @@ jobs:
TEAM_ENGINEERING_REPO: ${{ secrets.TEAM_ENGINEERING_REPO }}
TEAM_CONTENT_REPO: ${{ secrets.TEAM_CONTENT_REPO }}
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |
const owner = 'github'
const originalRepo = 'docs-internal'


@@ -25,4 +25,4 @@ jobs:
with:
project: Docs open source board
column: Help wanted
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}


@@ -28,7 +28,7 @@ jobs:
with:
project: Docs open source board
column: Triage
repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


@@ -42,7 +42,7 @@ jobs:
id: get-number
timeout-minutes: 5
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run find-past-built-pr
- name: Find content directory changes comment


@@ -30,7 +30,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -38,14 +38,14 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup
- name: Check for orphaned features
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |
set -e


@@ -34,7 +34,7 @@ jobs:
with:
# Using a PAT is necessary so that the new commit will trigger the
# CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
# It's important because translations are often a bit behind.
# So if a translation is a bit behind, it might still be referencing
@@ -42,14 +42,14 @@ jobs:
- name: Clone all translations
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/node-npm-setup
- name: Check for orphaned assets and reusables
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
DRY_RUN: ${{ github.event_name == 'pull_request'}}
run: |
set -e
@@ -92,11 +92,11 @@ jobs:
body=$(cat <<-EOM
Found with the `npm run find-orphaned-assets` and `npm run -s reusables -- find unused` scripts.
The orphaned files workflow file .github/workflows/orphaned-files-check.yml runs every Monday at 16:20 UTC / 8:20 PST.
If you are the first responder, please spot check some of the unused assets to make sure they aren't referenced anywhere. Then, approve and merge the pull request.
For more information, see [Doc: Orphaned Assets](https://github.com/github/docs-engineering/blob/main/docs/orphaned-assets.md) and [Doc: Reusables CLI](https://github.com/github/docs-internal/tree/main/src/content-render/scripts/reusables-cli).
EOM
)


@@ -26,7 +26,7 @@ jobs:
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
id: triggered-by-member
with:
github-token: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}}
github-token: ${{secrets.DOCS_BOT_PAT_BASE}}
result-encoding: string
script: |
const triggerer_login = context.payload.sender.login
@@ -60,7 +60,7 @@ jobs:
run: |
npm run ready-for-docs-review
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }}


@@ -25,7 +25,7 @@ jobs:
- name: Run purge script
env:
# Necessary to be able to delete deployment environments
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run purge-old-workflow-runs
- uses: ./.github/actions/slack-alert


@@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: github/docs-internal
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -47,7 +47,7 @@ jobs:
run: |
npm run ready-for-docs-review
env:
TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PROJECT_NUMBER: 2936
ORGANIZATION: 'github'
ITEM_NODE_ID: ${{ github.event.pull_request.node_id }}


@@ -28,7 +28,7 @@ jobs:
steps:
- name: Remove issue from FR v2 project
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR_NUMBER: ${{ github.event.pull_request.number || inputs.PR_NUMBER }}
PROJECT_NUMBER: 11672
run: |


@@ -28,15 +28,15 @@ jobs:
- name: Sync repo to branch
uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
with:
source_repo: https://${{ secrets.DOCS_BOT_PAT_WORKFLOW }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/${{ github.repository == 'github/docs-internal' && 'docs' || 'docs-internal' }}.git
source_branch: main
destination_branch: repo-sync
github_token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
github_token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Ship pull request
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
result-encoding: string
script: |
const { owner, repo } = context.repo
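Review bot: `source_repo: https://${{ secrets.DOCS_BOT_PAT_BASE }}@github.com/github/...` embeds the PAT in a URL handed to the third-party `repo-sync/github-sync` action, in addition to passing the same token as `github_token`; a credential inside a clone URL can persist in the synced checkout's remote configuration or surface in the action's own output in forms the Actions log masker does not recognise. The pattern predates this commit, but the value it now carries is the consolidated `DOCS_BOT_PAT_BASE` rather than the workflow-specific `DOCS_BOT_PAT_WORKFLOW`, so any such leak is of a broader credential. Worth confirming whether the action still needs the token in the URL when `github_token` is supplied, and if it does, adding a comment above `source_repo:` that states the reason so the duplication is not removed by accident.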


@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
env:
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps:
- name: Add content systems as a reviewer


@@ -26,7 +26,7 @@ jobs:
github.event.pull_request.head.ref != 'repo-sync' }}
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }}
steps:


@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest
env:
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
steps:
- name: Add docs engineering as a reviewer


@@ -55,7 +55,7 @@ jobs:
- name: Check for reviewers-legal label, add if missing and request review
if: steps.checkContentType.outputs.containsContentType == 'true'
env:
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
PR: ${{ github.event.pull_request.html_url }}
run: |
gh pr edit $PR --add-reviewer github/legal-product


@@ -56,7 +56,7 @@ jobs:
- name: If there are changes to push, create a branch in the public repo and push changes
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
cd public-repo
git config --local user.name 'site-policy-bot'


@@ -26,7 +26,7 @@ jobs:
URL: ${{ github.event.pull_request.html_url || github.event.issue.html_url }}
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
with:
github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
github-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
script: |-
const issueNo = context.number || context.issue.number


@@ -31,7 +31,7 @@ jobs:
- name: Run updater script
env:
# need to use a token from a user with access to github/audit-log-allowlists for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-audit-log
@@ -49,7 +49,7 @@ jobs:
- name: Create and merge pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)
@@ -97,7 +97,7 @@ jobs:
# Actions can't merge the PR so back to docs-bot to merge the PR
unset GITHUB_TOKEN
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}"
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
gh pr merge --auto
- uses: ./.github/actions/slack-alert
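Review bot: With the step's `GITHUB_TOKEN` (second hunk) and the `gh auth login --with-token` line (third hunk) both resolving to `DOCS_BOT_PAT_BASE`, the `unset GITHUB_TOKEN` / re-login sequence no longer switches identity, so the comment `# Actions can't merge the PR so back to docs-bot to merge the PR` now describes a token swap that does not happen; this assumes the third hunk is the continuation of the 'Create and merge pull request' step, whose `run:` body starts outside the hunk. The login line also interpolates the secret directly into the shell script through `${{ … }}` instead of reading it from the environment. If the env token is indeed the same PAT, the `unset` and `gh auth login` lines can be dropped and `gh pr merge --auto` can run against the existing `GITHUB_TOKEN`; if a distinct identity is still wanted here, supply it as `GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}` under `env:` and let `gh` pick it up from there.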


@@ -38,7 +38,7 @@ jobs:
with:
# By default, only the most recent commit of the `main` branch
# will be checked out
token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/semmle-code
path: semmle-code
ref: ${{ inputs.SOURCE_BRANCH }}
@@ -75,7 +75,7 @@ jobs:
- name: Create pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -24,7 +24,7 @@ jobs:
- name: Run updater scripts
env:
# need to use a token from a user with access to github/github for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: npm run sync-graphql
- name: Create pull request
id: create-pull-request
@@ -37,7 +37,7 @@ jobs:
# Token should be a PAT because actions performed with GITHUB_TOKEN
# don't trigger other workflows and this action force pushes updates
# from the default branch.
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
commit-message: 'Update GraphQL data files'
title: GraphQL schema update
body:
@@ -50,7 +50,7 @@ jobs:
- name: Enable GitHub auto-merge
if: ${{ steps.create-pull-request.outputs.pull-request-number }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: npm run enable-automerge


@@ -47,7 +47,7 @@ jobs:
- name: Sync the REST, Webhooks, and GitHub Apps schemas
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-rest -- --source-repo rest-api-description --output rest github-apps webhooks rest-redirects
git status
@@ -68,7 +68,7 @@ jobs:
- name: Create pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine. No orphans.
changes=$(git diff --name-only | wc -l)


@@ -33,14 +33,14 @@ jobs:
env:
# need to use a token from a user with access to
# github/token-scanning-service for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run sync-secret-scanning
- name: Create a pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
# If nothing to commit, exit now. It's fine.
changes=$(git diff --name-only | wc -l)
@@ -70,8 +70,8 @@ jobs:
echo "Creating pull request..."
gh pr create \
--title "Sync secret scanning data" \
--body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
--body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
/cc @github/docs-content-security-products
If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \


@@ -34,7 +34,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- uses: ./.github/actions/cache-nextjs


@@ -101,7 +101,7 @@ jobs:
- uses: ./.github/actions/get-docs-early-access
if: ${{ github.repository == 'github/docs-internal' }}
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Check the test fixture data (if applicable)
if: ${{ matrix.name == 'fixtures' }}
@@ -126,7 +126,7 @@ jobs:
if: ${{ matrix.name == 'languages' }}
uses: ./.github/actions/clone-translations
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
- name: Gather files changed
if: ${{ matrix.name == 'content-linter' }}


@@ -39,7 +39,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
token: ${{ secrets.DOCS_BOT_PAT_BASE }}
repository: github/github
ref: master
path: github
@@ -55,7 +55,7 @@ jobs:
- name: Update config/docs-urls.json in github/github (possibly)
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json
@@ -86,7 +86,7 @@ jobs:
- name: Clean up old branches in github/github
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
run: |
npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls
@@ -117,7 +117,7 @@ jobs:
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
CHANGED_FILES: |-
${{ steps.changed_files.outputs.filtered_changed_files }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
ISSUE_NUMBER: ${{ github.event.pull_request.number }}
REPOSITORY: ${{ github.repository }}
run: |


@@ -48,7 +48,7 @@ COPY --chown=node:node --chmod=+x \
# - 3. Fetch each translations repo to the repo/translations directory
# We use --mount-type=secret to avoid the secret being copied into the image layers for security
# The secret passed via --secret can only be used in this RUN command
RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY,mode=0444 \
RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444 \
# We don't cache because Docker can't know if we need to fetch new content from remote repos
echo "Don't cache this step by printing date: $(date)" && \
. ./build-scripts/fetch-repos.sh


@@ -28,12 +28,12 @@
* /Users/peterbe/.local/share/gh/extensions/gh-codeql/dist/nightly/codeql-bundle-20231204/codeql
*
* Finally, you need to install `@github/cocofix`. This is a private package,
* so you first need to get the `DOCS_BOT_PAT_WORKFLOW` PAT from the vault and
* store it in the environment variable `DOCS_BOT_PAT_WORKFLOW`.
* so you first need to get the `DOCS_BOT_PAT_BASE` PAT from the vault and
* store it in the environment variable `DOCS_BOT_PAT_BASE`.
* Then run the following command from the root of this repo:
*
* ```sh
* npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_WORKFLOW}' @github/cocofix
* npm i --no-save '--@github:registry=https://npm.pkg.github.com' '--//npm.pkg.github.com/:_authToken=${DOCS_BOT_PAT_BASE}' @github/cocofix
* ```
*
* If you've git cloned github/codeql in /tmp/ now you can execute this script.


@@ -13,7 +13,7 @@ The status of deployments are posted in the `#docs-ops` Slack channel.
Build the production Docker image locally,
```bash
docker build -t docs:latest . --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<(echo "<your GH PAT value>")
docker build -t docs:latest . --secret id=DOCS_BOT_PAT_BASE,src=<(echo "<your GH PAT value>")
```
Where `<your GH PAT value>` must be a PAT with `contents: read` access to:
@@ -28,4 +28,4 @@ docker run -p 4000:4000 docs:latest
```
> [!NOTE]
> We require `DOCKER_BUILDKIT=1` to support passing `--secret` to the Dockerfile which allows us to clone private repos at build time. This is done in Moda via the `docker-build-env-secrets` argument in the [.github/workflows/moda-ci.yaml](../../.github/workflows/moda-ci.yaml) workflow.
> We require `DOCKER_BUILDKIT=1` to support passing `--secret` to the Dockerfile which allows us to clone private repos at build time. This is done in Moda via the `docker-build-env-secrets` argument in the [.github/workflows/moda-ci.yaml](../../.github/workflows/moda-ci.yaml) workflow.


@@ -16,7 +16,7 @@ set -e
. ./build-scripts/clone-or-use-cached-repo.sh
# Set the GITHUB_TOKEN environment variable from the mounted --secret passed to Docker build
GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_READPUBLICKEY)
GITHUB_TOKEN=$(cat /run/secrets/DOCS_BOT_PAT_BASE)
# - - - - - - - - - -
# Early access