CI: support synch between public and private repo (#347)

JPPortier · web-flow · commit 1c1e5e174d91 · 2026-05-27T18:41:51.000+02:00
* CI: support synch between public and private repo
diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml
@@ -0,0 +1,38 @@
+name: Notify Private Repo of Update
+
+env:
+  SDK_NAME: sinch-sdk-java
+
+on:
+  push:
+
+jobs:
+  ping-private:
+    if: |
+      github.actor != 'sinch-internal-repo-sync-app[bot]' && !endsWith(github.event.repository.name, 'internal')
+
+    runs-on: ubuntu-latest
+    steps:
+      # 1. Generate a temporary token from the GitHub App
+      - name: Generate GitHub App Token
+        uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+          private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+          # Explicitly request access to the internal repository:
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ env.SDK_NAME }}-internal
+
+      # 2. Use that token to send the "ping" to the private repo
+      - name: Send Repository Dispatch to Private Repo
+        env:
+          SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          curl -X POST --fail-with-body \
+          -H "Content-Type: application/json" \
+          -H "Authorization: Bearer ${SYNC_TOKEN}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "X-GitHub-Api-Version: 2026-03-10" \
+          https://api.github.com/repos/sinch/${SDK_NAME}-internal/dispatches \
+          -d '{"event_type": "public_push_event"}'
diff --git a/.github/workflows/sync-from-public.yml b/.github/workflows/sync-from-public.yml
@@ -0,0 +1,43 @@
+name: Sync From Public
+
+env:
+  SDK_NAME: sinch-sdk-java
+
+# Ensures only one sync runs at a time. Cancels any running sync when a new trigger arrives.
+concurrency:
+  group: sync-repo-${{ github.repository }}
+  cancel-in-progress: true
+  
+on:
+  schedule:
+    # Runs only once a day at midnight to catch any missed updates
+    - cron: '0 0 * * *'
+  repository_dispatch:
+    types: [public_push_event] # Keeps your instant trigger active
+  workflow_dispatch: # Allows manual run
+
+jobs:
+  sync-repo:
+    if: endsWith(github.event.repository.name, 'internal')
+    runs-on: ubuntu-latest
+    steps:
+      # 1. Generate a temporary installation token using the GitHub App
+      - name: Generate GitHub App Token
+        uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+          private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+
+      # 2. Execute the sync using the short-lived token
+      - name: Sync Public to Private
+        env:
+          SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          # Clone the public repository as a bare repo (read-only, public)
+          git clone --bare https://github.com/sinch/$SDK_NAME.git public_repo
+          cd public_repo
+
+          # Push all branches and tags to the private repo using the App Token
+          git push --all https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
+          git push --tags https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
