ci: scope down release/sync-docs to dedicated GitHub Apps #168

Merged
MuncleUscles merged 1 commit into main from ci/scope-down-release-app-tokens on May 6, 2026

Conversation

@rrabenda (Contributor) commented May 6, 2026

Summary

Reduce the attack surface of release & docs-sync workflows by replacing the shared, over-privileged CI bot with two dedicated, minimally scoped GitHub Apps gated behind protected environments. Mirrors the same change in genlayer-testing-suite#78 and genlayer-cli#297.

  • publish.yml — environment renamed npm -> Publish, switched from the archived tibdex/github-app-token@v1 to the official actions/create-github-app-token@v3. Reads vars.PUBLISH_CI_APP_CLIENT_ID and secrets.PUBLISH_CI_APP_KEY.
  • sync-docs.yml — bumped actions/create-github-app-token to @v3, switched to the explicit client-id parameter, gated behind the Sync-docs environment. Reads vars.DOCS_SYNC_APP_CLIENT_ID and secrets.DOCS_SYNC_APP_KEY. Cross-repo repositories: genlayer-docs token request is preserved.

Each App should be installed only on the repos it needs (Publish: this repo only; Sync-docs: this repo + genlayer-docs) with Contents: Read & write as the only permission.

Pre-merge checklist (GitHub side)

  • Publish environment exists with PUBLISH_CI_APP_CLIENT_ID (variable) and PUBLISH_CI_APP_KEY (secret)
  • Move/recreate the existing NPM_TOKEN (or whatever release-it uses for npm publish) from the old npm environment into the new Publish environment, then delete the npm environment
  • Sync-docs environment exists with DOCS_SYNC_APP_CLIENT_ID (variable) and DOCS_SYNC_APP_KEY (secret)
  • Both Apps installed on genlayer-js (sync-docs App also on genlayer-docs) with only Contents: Read & write
  • Publish App added to branch-protection bypass list on main (release-it pushes the version-bump commit + tag)
  • Sync-docs environment "Deployment branches and tags" allows the v* tag pattern (otherwise release: published on a tag ref will be blocked)

Test plan

  • Land a fix: or feat: commit on main and confirm publish.yml mints a token, release-it pushes the version bump + tag, the GitHub Release is created, and the npm upload succeeds
  • Confirm sync-docs.yml fires automatically on release: published and pushes the API-reference update to genlayer-docs
  • Once verified, decommission the old shared CI App from this repo and rotate / revoke its secrets

Replace the over-privileged shared CI bot with two dedicated, minimally
scoped GitHub Apps gated behind protected environments. Mirrors the
same change in genlayer-testing-suite#78 and genlayer-cli#297.

- publish.yml: rename environment npm -> Publish, switch from
  tibdex/github-app-token@v1 (archived) to actions/create-github-app-token@v3
  with vars.PUBLISH_CI_APP_CLIENT_ID + secrets.PUBLISH_CI_APP_KEY.
- sync-docs.yml: bump create-github-app-token to @v3, switch to
  client-id, gate behind the Sync-docs environment with
  vars.DOCS_SYNC_APP_CLIENT_ID + secrets.DOCS_SYNC_APP_KEY.

Each App should be installed only on the repos it needs (Publish: this
repo only; Sync-docs: this repo + genlayer-docs) with Contents: read
& write as the only permission.
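The following workflow is an added example and is not the genlayer-js sync-docs.yml or publish.yml from this PR. It shows the pattern the PR describes: a job gated behind the Sync-docs environment mints a short-lived installation token from the dedicated App with actions/create-github-app-token@v3 (client-id plus private-key, repositories limited to genlayer-docs), drops the default GITHUB_TOKEN permissions, and checks the token's reach before using it. The environment and variable/secret names come from the PR; the owner `example-org`, the checkout and push steps, and the permission-contents input used to request only the Contents scope are assumptions for illustration. The same shape applies to publish.yml with the Publish environment and PUBLISH_CI_APP_* credentials.

```yaml
# Added example, not the genlayer-js workflow itself: mint a minimally scoped
# installation token from a dedicated GitHub App, gated behind a protected
# environment, then confirm the token only reaches the repository it should.
name: sync-docs (scoped-token example)

on:
  release:
    types: [published]

# Drop every default GITHUB_TOKEN permission; the only credential this job
# uses is the short-lived App installation token minted below.
permissions: {}

jobs:
  sync-docs:
    runs-on: ubuntu-latest
    # The environment holds the App client ID (variable) and private key
    # (secret). Its "Deployment branches and tags" rule must allow v* tags,
    # otherwise a release on a tag ref is blocked before any step runs.
    environment: Sync-docs
    steps:
      - name: Mint installation token (scoped to genlayer-docs, contents only)
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ vars.DOCS_SYNC_APP_CLIENT_ID }}
          private-key: ${{ secrets.DOCS_SYNC_APP_KEY }}
          # owner is a placeholder; repositories limits the token to one repo
          # even though the App is also installed on the source repo.
          owner: example-org
          repositories: genlayer-docs
          # Request only the Contents permission, so the token cannot do more
          # than push contents even if the App is later granted extra scopes.
          permission-contents: write

      - name: Verify token scope before using it
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Installation tokens can list the repositories they reach; fail
          # the job if anything other than genlayer-docs shows up.
          repos=$(gh api /installation/repositories --jq '.repositories[].full_name')
          echo "token reaches: $repos"
          [ "$repos" = "example-org/genlayer-docs" ] || { echo "unexpected token scope"; exit 1; }

      - name: Checkout docs repo with the scoped token
        uses: actions/checkout@v4
        with:
          repository: example-org/genlayer-docs
          token: ${{ steps.app-token.outputs.token }}
          # Do not persist the token into .git/config for later steps.
          persist-credentials: false

      - name: Push API-reference update
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          # Placeholder for the real docs generation step.
          echo "generated at $(date -u +%FT%TZ)" > api-reference.txt
          git config user.name  "${APP_SLUG}[bot]"
          git config user.email "${APP_SLUG}[bot]@users.noreply.github.com"
          git add api-reference.txt
          git commit -m "docs: sync API reference for ${GITHUB_REF_NAME}" || exit 0
          git push "https://x-access-token:${GH_TOKEN}@github.com/example-org/genlayer-docs.git" HEAD:main
```

The scope check is the part worth keeping in a real pipeline: it turns the "installed only on the repos it needs" expectation from the PR into a runtime assertion, so a later over-broad App installation or a dropped `repositories` input fails the job instead of silently widening what a compromised step could push to. The top-level `permissions: {}` matters for the same reason: with it, the only credential in the job is the one the environment gate controls.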
@coderabbitai (Bot) commented May 6, 2026

Warning

Rate limit exceeded

@rrabenda has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 54 minutes and 7 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc2bff31-ba2d-487b-bdb5-27ee3fd9c96b

📥 Commits

Reviewing files that changed from the base of the PR and between 66a1d03 and 13e980c.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml
  • .github/workflows/sync-docs.yml

@MuncleUscles MuncleUscles merged commit ae4805e into main May 6, 2026
4 checks passed
MuncleUscles added a commit that referenced this pull request May 6, 2026
No-op patch release to verify the publish pipeline end-to-end after
the env scope-down (#168) and npm trusted publisher update.