ci: gate node sync on a single approval #404

Merged: dohernandez merged 3 commits into main from ci/sync-docs-single-approval on May 4, 2026

@dohernandez dohernandez commented May 4, 2026

Description

Restores the goal of one reviewer approval per node-sync run without the broken token propagation introduced in 889b0e4.

That commit emitted the GitHub App token via needs.prepare.outputs.token, but GitHub strips values registered as secrets when they cross job boundaries — every sync-files matrix job received an empty token and failed the genlayer-node checkout with Input required and not supplied: token (see run 25329813918).

This change clones genlayer-node inside the gated prepare job and shares the working tree as a node-source artifact. The sync-files matrix downloads the artifact and runs unchanged — no environment, no secrets, no second approval prompt. The token is confined to the single job that mints it, which aligns with GitHub's masking model: job outputs are not an authorized escape hatch for secrets.

Cleanup of the new artifact is automatic — the existing cleanup job lists every artifact in the run via gh api and deletes them. retention-days: 1 is set as a fallback for runs where cleanup is skipped.

Summary by CodeRabbit

  • Chores
    • Optimized the documentation synchronization workflow to improve efficiency by consolidating repository cloning operations and reducing redundant processes.

GitHub strips masked secrets from job outputs, so propagating the
App token via needs.prepare.outputs.token left sync-files with an
empty token. Clone genlayer-node inside prepare instead and share
the result as a node-source artifact, keeping the single-approval
gate without crossing the secret boundary.

netlify Bot commented May 4, 2026

Deploy Preview for genlayer-docs ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | cd12443 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/genlayer-docs/deploys/69f8d2e4d2953a00084c6c50 |
| 😎 Deploy Preview | https://deploy-preview-404--genlayer-docs.netlify.app |

coderabbitai Bot commented May 4, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 9802c9d and cd12443.

📒 Files selected for processing (1)
  • .github/workflows/sync-docs-from-node.yml
Walkthrough

The workflow is optimized to clone the source repository once in the prepare job with sparse-checkout filtering, upload the result as an artifact, and have matrix sync-files jobs download the shared artifact instead of each cloning independently. The prepare job's exported token output is removed.

Changes

Workflow Optimization: Single Clone with Artifact Sharing

| Layer / File(s) | Summary |
|---|---|
| Job Output Reduction (.github/workflows/sync-docs-from-node.yml) | jobs.prepare.outputs.token is removed; only version output is retained. |
| Prepare Job Enhancement (.github/workflows/sync-docs-from-node.yml) | prepare job now clones genlayerlabs/genlayer-node at steps.final_version.outputs.version using GitHub App token, applies sparse-checkout to docs/config/release paths, and uploads the cloned source-repo/ directory as a node-source artifact (1-day retention). |
| Sync-Files Matrix Refactoring (.github/workflows/sync-docs-from-node.yml) | sync-files matrix job replaces per-job repository cloning with a single download of the shared node-source artifact into source-repo/, before parameter computation and sync composite action invocation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • AgustinRamiroDiaz

Poem

🐰 One clone is wise, not many done,
The artifact flows when prep is done,
Matrix jobs skip their solo quest—
Sharing speeds the test, no jest!
Token freed, the output's lean,
Workflow dreams grow ever keen.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ci: gate node sync on a single approval' directly describes the main change: restoring the goal of requiring one reviewer approval per node-sync run by fixing token propagation issues. |
| Description check | ✅ Passed | The description provides detailed context explaining the problem (broken token propagation from commit 889b0e4), the solution (cloning inside prepare job and sharing via artifact), and implementation details (artifact cleanup). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-docs-from-node.yml:
- Around line 104-113: The sparse checkout is using cone mode
(sparse-checkout-cone-mode: true) but lists individual files in sparse-checkout,
which cone mode ignores; update either: 1) convert the six file entries
(configs/node/config.yaml.example, configs/node/asimov.yaml.example,
configs/node/bradbury.yaml.example, release/docker-compose.yaml,
release/alloy-config.river, release/greybox-setup-guide.md) into their
containing directories (e.g., configs/node/ and release/) so cone-mode works
with directory-level paths, or 2) disable cone mode by setting
sparse-checkout-cone-mode: false so the current exact file paths in
sparse-checkout are honored; adjust the sparse-checkout block and keep path:
source-repo unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between a567b5d and 9802c9d.

📒 Files selected for processing (1)
  • .github/workflows/sync-docs-from-node.yml

Comment thread .github/workflows/sync-docs-from-node.yml
Replace the broad docs/ entry with the three subdirs the sync-files
matrix actually reads (changelog, api/rpc, api/ops). Trims the
node-source artifact to only the files downstream jobs consume.
Custom workflow_dispatch *_path inputs now require a matching update
to this list.

Cone mode materializes all top-level files of any ancestor directory
of a listed pattern, leaking siblings of the configs/node and release
files we explicitly target. Non-cone mode honors each pattern as a
literal path, keeping the node-source artifact strictly limited to
the files sync-files actually consumes.
@dohernandez dohernandez merged commit 2783f85 into main May 4, 2026
6 of 7 checks passed
@dohernandez dohernandez deleted the ci/sync-docs-single-approval branch May 4, 2026 17:10
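
The pattern described in the PR description and the two sparse-checkout commit messages, as an added workflow sketch (not the repository's sync-docs-from-node.yml and not code from this PR): the gated prepare job mints the App token, uses it for a non-cone sparse checkout, and passes only files to sync-files through the node-source artifact. The environment name, secret names, step id `app`, matrix values, placeholder version, the `docs/` prefix, the shortened path list, and `persist-credentials: false` are assumptions.

```yaml
# Added sketch, not the project's workflow; names marked "assumed" are not from the PR.
on: workflow_dispatch
jobs:
  prepare:
    runs-on: ubuntu-latest
    environment: node-sync   # assumed name; the run's single approval gate
    outputs:
      version: ${{ steps.final_version.outputs.version }}
      # Removed pattern: the token is a masked secret, so sync-files got it empty.
      # token: ${{ steps.app.outputs.token }}
    steps:
      - id: final_version
        run: echo "version=v0.0.0" >> "$GITHUB_OUTPUT"   # placeholder version
      - id: app
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}                  # assumed secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}    # assumed secret name
          owner: genlayerlabs
          repositories: genlayer-node
      - uses: actions/checkout@v4
        with:
          repository: genlayerlabs/genlayer-node
          ref: ${{ steps.final_version.outputs.version }}
          token: ${{ steps.app.outputs.token }}   # used only inside this job
          path: source-repo
          persist-credentials: false   # assumed: keep the token out of .git/config
          sparse-checkout-cone-mode: false   # literal paths, no sibling files
          sparse-checkout: |
            docs/changelog
            configs/node/config.yaml.example
            release/docker-compose.yaml
      - uses: actions/upload-artifact@v4
        with:
          name: node-source
          path: source-repo/
          retention-days: 1   # fallback if the cleanup job is skipped
  sync-files:
    needs: prepare
    runs-on: ubuntu-latest   # no environment, no secrets, no second approval
    strategy:
      matrix:
        target: [changelog, api-rpc, api-ops]   # assumed matrix values
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: node-source
          path: source-repo
```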