Commit 48f011c
authored
ci(docs): switch dispatch trigger from GitHub App to fine-grained PAT (with skip-when-unconfigured guard) (sbpp#1347)
* ci(docs): skip dispatch when GitHub App not configured
Adds a job-level `if: vars.DOCS_DEPLOY_APP_ID != ''` guard to
`docs-deploy-trigger.yml` so the workflow no-ops cleanly until
the cutover steps in sbpp#1333 step 2 land (App creation +
`DOCS_DEPLOY_APP_ID` var + `DOCS_DEPLOY_APP_KEY` secret).
Pre-fix, every push to `docs/**` after sbpp#1339 merged ran the
dispatch job, hit `actions/create-github-app-token@v1` with an
empty `app-id` input, and exited red with `Input required and
not supplied: app-id` (run 25646867498). Operators landing
unrelated docs PRs would now see a stream of red runs that
look like real CI failures but are actually the expected
"cutover not done yet" state — exactly the friction the
"Required repo configuration" comment block was meant to
warn about.
The job-level `if:` is the canonical "feature-flag a job"
shape: unset repo variables resolve to empty string in
expressions, so the guard is transparent once the var lands
and the job runs every push as designed. Skipped runs show
up as a grey "Skipped" badge in the Actions tab — the right
visual signal for "intentionally inert until configured".
Comment block above the workflow expanded to call this out
explicitly so future readers don't try to "fix" the guard
by removing it.
* ci(docs): switch dispatch trigger from GitHub App to fine-grained PAT
Replaces the `actions/create-github-app-token@v1` round-trip and
the App-side `vars.DOCS_DEPLOY_APP_ID` + `secrets.DOCS_DEPLOY_APP_KEY`
pair with a direct `secrets.DOCS_DEPLOY_PAT` (a fine-grained PAT
scoped to `Actions: Read and write` on `sbpp.github.io` only).
The previous fix in this PR's first commit (`0bf26262`) gated the
job on `vars.DOCS_DEPLOY_APP_ID`. Renamed the gate variable to
`vars.DOCS_DEPLOY_ENABLED` since "App ID" is no longer the right
mental model — the variable is now a pure feature-flag the operator
sets to opt in once the PAT is configured. (We can't reference
`secrets.*` directly in a job-level `if:` per GitHub Actions'
context-availability rules, so the paired VARIABLE is the canonical
"feature-flag a job" shape.)
Why PAT over App: a fine-grained PAT scoped to one repo + one
permission carries the same blast radius as the org-owned App but
takes ~2 minutes to provision instead of ~10. Tradeoff is the
PAT is tied to a personal account and has a max one-year expiry
that needs rotation; for a project of this size that's a fair
deal. Operator instructions live in the workflow's top-of-file
comment block + `docs/README.md`'s workflow table.
The job-level `if:` guard pattern is unchanged in shape — every
push to `docs/**` shows up as "Skipped" (grey badge) until the
operator sets BOTH `secrets.DOCS_DEPLOY_PAT` and
`vars.DOCS_DEPLOY_ENABLED`. The deploy shell in `sbpp.github.io`
also has a `workflow_dispatch` trigger as a manual fallback while
the PAT is pending.
* ci(docs): drop redundant DOCS_DEPLOY_ENABLED variable
The previous commit on this branch added a paired
`vars.DOCS_DEPLOY_ENABLED` feature flag because I'd convinced
myself `secrets.*` was unavailable in any `if:` context. That's
half-true: it's unavailable in JOB-level `if:` (which is what I
was trying to use), but it IS available in STEP-level `if:`.
Since the trigger job has only one step (the dispatch), gating
that single step on `if: secrets.DOCS_DEPLOY_PAT != ''` is
behaviorally equivalent to a job-level guard — the runner spins
up briefly to evaluate the step, sees no credential, marks the
step Skipped, and the run finishes green-with-skipped instead
of red-failing. The "wasted runner spin" cost I cited as
justification for the variable is real but tiny (a few seconds
of CI minutes vs ~30s of job-startup overhead either way), and
the green-with-skipped status is arguably MORE informative than
a fully-skipped grey job — it tells you "I ran, had no work to
do" rather than "I didn't run".
The variable was the operator's "I've done the cutover" signal,
but the secret being set IS that signal. One source of truth,
one less thing to forget. Cutover is now: create PAT, paste into
`secrets.DOCS_DEPLOY_PAT`, done.
Comment block above the workflow + `docs/README.md` workflow
table updated.1 parent 40e6f54 commit 48f011c
2 files changed
Lines changed: 30 additions & 23 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
9 | | - | |
| 8 | + | |
| 9 | + | |
10 | 10 | | |
11 | | - | |
12 | | - | |
13 | | - | |
14 | | - | |
15 | | - | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
16 | 17 | | |
17 | | - | |
18 | | - | |
19 | | - | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
20 | 28 | | |
21 | 29 | | |
22 | 30 | | |
| |||
44 | 52 | | |
45 | 53 | | |
46 | 54 | | |
47 | | - | |
48 | | - | |
49 | | - | |
50 | | - | |
51 | | - | |
52 | | - | |
53 | | - | |
54 | | - | |
55 | | - | |
56 | 55 | | |
57 | 56 | | |
58 | | - | |
59 | | - | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
60 | 66 | | |
| 67 | + | |
61 | 68 | | |
62 | | - | |
| 69 | + | |
63 | 70 | | |
64 | 71 | | |
65 | 72 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
87 | 87 | | |
88 | 88 | | |
89 | 89 | | |
90 | | - | |
| 90 | + | |
91 | 91 | | |
92 | 92 | | |
93 | 93 | | |
| |||
0 commit comments