Commit 4f68df7

ci: document pending org-move secret migration in release.yml header
Drop a TODO at the top of release.yml enumerating which secrets need to be re-created on `pilot-protocol/` before the repo transfer, since GitHub secrets do not survive a repo transfer.

Currently the only expected secret is GITHUB_TOKEN (auto-issued). HOMEBREW_TAP_TOKEN was removed in #122 when update-homebrew.yml was dropped, and NPM_TOKEN / PYPI_TOKEN / COSIGN_KEY are placeholders for the auto-publish (PILOT-203) and binary-signing (PILOT-114) work that hasn't landed yet.

This is documentation only — no behavior change. The comment block is load-bearing for the org migration; deleting it before the new org has its secrets configured will silently break the next release.
1 parent 9e0b713 commit 4f68df7

1 file changed

Lines changed: 33 additions & 0 deletions

.github/workflows/release.yml

@@ -1,3 +1,36 @@
1+
# ----------------------------------------------------------------------------
2+
# TODO(org-move): re-create secrets on the destination org before this repo
3+
# is transferred to `pilot-protocol/`. None of the secrets below survive a
4+
# repo transfer — they live on the SOURCE org (TeoSlayer) and need to be
5+
# created fresh on `pilot-protocol` so this workflow keeps working.
6+
#
7+
# Secrets currently expected by `release.yml` and other workflows in this
8+
# repo (`ci.yml`, `nightly.yml`, `architecture.yml`, `codeql.yml`):
9+
#
10+
# GITHUB_TOKEN - auto-issued, no action needed
11+
#
12+
# Secrets that need to be added BACK once the matching workflows are
13+
# restored (we removed `update-homebrew.yml` in PR #122 to drop the
14+
# cross-org PAT; auto-publish workflows for npm/PyPI never landed):
15+
#
16+
# HOMEBREW_TAP_TOKEN - PAT or GitHub App token with `contents:write`
17+
# on `pilot-protocol/homebrew-pilot`.
18+
# Prefer a GitHub App over a PAT — see
19+
# `actions/create-github-app-token@v1`.
20+
# NPM_TOKEN - if PILOT-203 lands sdk-node auto-publish.
21+
# PYPI_TOKEN - if PILOT-203 lands sdk-python auto-publish.
22+
# COSIGN_KEY / COSIGN_PASS - if PILOT-114 lands updater binary signing.
23+
#
24+
# When the migration happens, mirror the secrets via:
25+
# gh secret set HOMEBREW_TAP_TOKEN --repo pilot-protocol/<new-repo> --body <value>
26+
# (Reading the value from the old org first; GitHub never exposes secrets,
27+
# so the original cleartext source is required.)
28+
#
29+
# Track the migration in the org-move runbook; do not delete this comment
30+
# until every workflow file that previously referenced a secret has either
31+
# (a) been re-wired against the new secret, or (b) been confirmed retired.
32+
# ----------------------------------------------------------------------------
33+
134
name: Release
235

336
on:
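
Review bot: the `gh secret set HOMEBREW_TAP_TOKEN ... --body <value>` example on new-file line 25 puts the token on the command line, where it ends up in shell history and the process list; drop `--body` so that `gh secret set` prompts for the value or reads it from stdin. The parenthetical on lines 26 to 27 also contradicts itself: it says to read the value from the old org and, in the same sentence, that GitHub never exposes secrets. Suggest rewording it to say the value has to come from wherever the token was originally issued, or better, that a fresh token is issued for `pilot-protocol` and the old one revoked, which matches the "created fresh" wording on line 5. Separately, line 3 says "None of the secrets below survive a repo transfer", yet the only secret listed as currently expected is GITHUB_TOKEN with "no action needed"; splitting the block into what needs action at transfer time (nothing today) and what needs action when a workflow is restored would make the runbook step unambiguous.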
